Re: SSL certificates issue

From: Asia <asia123321(at)op(dot)pl>
To: " <pgsql-general(at)postgresql(dot)org>" <pgsql-general(at)postgresql(dot)org>
Subject: Re: SSL certificates issue
Date: 2011-09-07 10:03:45
Message-ID: 48636826-a09d4c1893554c6ea787bc2809479c60@pkn7.m5r2.onet
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

> Asia <asia123321(at)op(dot)pl> writes:
> > I would expect to have only one top-level CA cert in server's and client's root.crt and it was not possible to configure with 2-level intermediate CA.
>
> This seems a little confused, since in your previous message you stated
> that libpq worked correctly and JDBC did not, and now you seem to be
> saying the opposite.
>
> As far as libpq goes, I would expect it to function correctly in 9.0 and
> up (and it did function correctly, last I tested it). Previous releases
> will not do this nicely, for lack of this patch:
> http://git.postgresql.org/gitweb/?p=postgresql.git&a=commitdiff&h=4ed4b6c54
>
> regards, tom lane
>

I apologise then, it seems I was not clear enough when explaining my issue.

I am using PostgreSQL, version 9.0.

I have all of it (libpq and jdbc) working, however I have some doubts about the correctness of my configuration.

The situation is more or less like following:

Client intermediate CA (root.crt): C1 -> C2, Client cert: C1 -> C2 ->C3

Server intermediate CA (root.crt): C1 -> S1, Server Cert: C1 -> S1 -> S2

I always use clientcert=1 in pg_hba to force mutual SSL.

Now with the above configuration libpq connects fine. But when I tried to use jdbc it requires me to append client's intermediate CA - "C1 -> C2"
to server's root.crt. So server's root.crt content looks like follows:

C1 -> S1 -> C1 -> C2

Then jdbc conenction works fine and the change does not affect libpq - it works fine like before.

So my point was general why the behavior for libpq and jdbc driver is not common (probably we would need some custom implementation of Java SSL facory
for PostgreSQL) - both types of connection have different cert configuration what I believe could be better when it was common.

And the second issue is that you wrote that it should be enough to put to-level CA certs. So I left only C1 in server's root.crt, restarted server
and received following error during connection:

SSL error: certificate verify failed

The question is how to do it correctly?

Please advise.

Kind regards,
Joanna

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Radosław Smogura 2011-09-07 10:27:11 Re: SSL certificates issue
Previous Message Albe Laurenz 2011-09-07 08:39:53 Re: Complex query question