| From: | Craig Ringer <craig(at)postnewspapers(dot)com(dot)au> |
|---|---|
| To: | Brian Krug <bkrug(at)usatech(dot)com> |
| Cc: | pgsql-bugs(at)postgresql(dot)org, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Stephen Frost <sfrost(at)snowman(dot)net> |
| Subject: | Re: BUG #5245: Full Server Certificate Chain Not Sent to client |
| Date: | 2010-05-27 02:56:37 |
| Message-ID: | 4BFDDF65.7080603@postnewspapers.com.au |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
On 15/12/09 23:35, Brian Krug wrote:
>
> The following bug has been logged online:
>
> Bug reference: 5245
> Logged by: Brian Krug
> Email address: bkrug(at)usatech(dot)com
> PostgreSQL version: 8.4.1
> Operating system: Solaris 10
> Description: Full Server Certificate Chain Not Sent to client
> Details:
>
> I setup a postgres server with hostssl connections (in pg_hba.conf) and
> clientcert=1 option. Then I setup a Java client to connect to it with the
> postgres jdbc driver (version 8.4-701.jdbc4). I setup the server.key,
> server.crt and root.crt files on the server. The server.crt file is a
> certificate chain of 3 entries: the host-specific certificate followed by an
> immediate CA certificate followed by our company's root CA certificate. I
> put the root CA certificate into the truststore of the java client and I
> enable full ssl debug logging in the java client with -Djavax.net.debug=ssl.
> When I attempt a connection, my java client rejects the server's certificate
> reporting "SunCertPathBuilderException: unable to find valid certification
> path to requested target". When I look at the ssl debug logging, I realize
> that the server has only sent the first certificate (it's own) and not the
> full certificate chain.
In another thread, Tom Lane wrote:
> I'm still a bit mystified about bug #5245 though. I can see two
> possible explanations for that one:
>
> 1. The reporter was wrong about which server version he was using;
> pre-8.4 servers would in fact not send the whole cert chain, cf
> http://archives.postgresql.org/pgsql-committers/2009-05/msg00195.php
>
> 2. The reporter was wrong about the actual cause of his problem, and
> despite his description, the true reason his Java client was failing
> was the lack of SSL_CTX_set_client_CA_list().
>
> Anyway, as far as I can tell the case described there works now.
Yep. I wasn't able to reproduce that issue in any configuration where Pg
had _some_ access to the required certs, via server.crt or root.crt .
Perhaps the original reporter can enlighten us; I've jumped to the
thread for #5245 for that purpose.
--
Craig Ringer
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jasen Betts | 2010-05-27 07:56:16 | Re: BUG #5469: regexp_matches() has poor behaviour and more poor documentation |
| Previous Message | Craig Ringer | 2010-05-27 02:55:09 | Re: BUG #5468: Pg doesn't send accepted root CA list to client during SSL client cert request |