SSL connection issue with JDBC

Hi,

Details required:-

JDBC driver build number:- postgresql-9.1-903.jdbc4

Server version:- PostgreSQL 11.2 (Ubuntu 11.2-1.pgdg16.04+1) on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 5.4.0-6ubuntu1~16.04.11) 5.4.0 20160609, 64-bit

Exact error message and stacktrace:-

org.postgresql.util.PSQLException: The connection attempt failed.
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:150)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:64)
at org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connection.java:123)
at org.postgresql.jdbc3.AbstractJdbc3Connection.<init>(AbstractJdbc3Connection.java:28)
at org.postgresql.jdbc3g.AbstractJdbc3gConnection.<init>(AbstractJdbc3gConnection.java:20)
at org.postgresql.jdbc4.AbstractJdbc4Connection.<init>(AbstractJdbc4Connection.java:30)
at org.postgresql.jdbc4.Jdbc4Connection.<init>(Jdbc4Connection.java:22)
at org.postgresql.Driver.makeConnection(Driver.java:391)
at org.postgresql.Driver.connect(Driver.java:265)
at java.sql.DriverManager.getConnection(DriverManager.java:675)
at java.sql.DriverManager.getConnection(DriverManager.java:219)
at com.utility.PostgresSSL.main(PostgresSSL.java:24)
Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=certificate-authority is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.jsse2.j.a(j.java:12)
at com.ibm.jsse2.as.a(as.java:118)
at com.ibm.jsse2.C.a(C.java:193)
at com.ibm.jsse2.C.a(C.java:245)
at com.ibm.jsse2.D.a(D.java:242)
at com.ibm.jsse2.D.a(D.java:56)
at com.ibm.jsse2.C.r(C.java:69)
at com.ibm.jsse2.C.a(C.java:580)
at com.ibm.jsse2.as.a(as.java:512)
at com.ibm.jsse2.as.i(as.java:969)
at com.ibm.jsse2.as.a(as.java:176)
at com.ibm.jsse2.h.write(h.java:36)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:93)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:151)
at org.postgresql.core.PGStream.flush(PGStream.java:521)
at org.postgresql.core.v3.ConnectionFactoryImpl.sendStartupPacket(ConnectionFactoryImpl.java:257)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:103)
... 11 more
Caused by: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=certificate-authority is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.jsse2.util.f.a(f.java:35)
at com.ibm.jsse2.util.f.b(f.java:96)
at com.ibm.jsse2.util.e.a(e.java:19)
at com.ibm.jsse2.aA.a(aA.java:132)
at com.ibm.jsse2.aA.a(aA.java:39)
at com.ibm.jsse2.aA.checkServerTrusted(aA.java:27)
at com.ibm.jsse2.D.a(D.java:110)
... 23 more
Caused by: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=certificate-authority is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:422)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at com.ibm.jsse2.util.f.a(f.java:49)
... 29 more
Caused by: java.security.cert.CertPathValidatorException: The certificate issued by CN=certificate-authority is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:111)
at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:199)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.myValidator(PKIXCertPathBuilderImpl.java:749)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:661)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:607)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:368)
... 31 more
Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.security.cert.CertPathUtil.findIssuer(CertPathUtil.java:316)
at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:108)
... 36 more

What you were doing, ideally in code form:-

We are working on Connecting to Postgresql database via SSL through Java JDBC. We are not able to establish SSL connection, but non SSL connection is working. Postgresql SSL server has been set up at our end and if we connect to it using pgAdmin4 client we are able to connect to it via SSL but the same is not working in JAVA using JDBC.

In the jave program if we provide the connection string parameter ("sslfactory", "org.postgresql.ssl.NonValidatingFactory"), this property will ignore the certificate validation and connect via SSL, but we want to connect with passing certificates only.

If we try to run the program with certificates in the parameter we get error as posted above.

Code:-

String url = "jdbc:postgresql://<host>:5432/postgres";
Properties props = new Properties();
props.setProperty("user","postgres");
props.setProperty("password","temp4now");
props.setProperty("ssl","true");
props.setProperty("sslcert", "C:\\Users\\user1\\Desktop\\postgresSsl\\client\\postgresql.crt");
props.setProperty("sslkey", "C:\\Users\\user1\\Desktop\\postgresSsl\\client\\postgresql.key");
props.setProperty("sslrootcert", "C:\\Users\\user1\\Desktop\\postgresSsl\\client\\root.crt");
Connection conn = DriverManager.getConnection(url, props);

If I use latest JDBC postgrsql driver "postgresql-42.2.5" then I get below error.

org.postgresql.util.PSQLException: SSL error: Received fatal alert: unexpected_message
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)
at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)
at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
at org.postgresql.Driver.makeConnection(Driver.java:454)
at org.postgresql.Driver.connect(Driver.java:256)
at java.sql.DriverManager.getConnection(DriverManager.java:675)
at java.sql.DriverManager.getConnection(DriverManager.java:219)
at com.utility.PostgresSSL.main(PostgresSSL.java:23)
Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
at com.ibm.jsse2.j.a(j.java:35)
at com.ibm.jsse2.j.a(j.java:31)
at com.ibm.jsse2.as.b(as.java:806)
at com.ibm.jsse2.as.a(as.java:102)
at com.ibm.jsse2.as.i(as.java:969)
at com.ibm.jsse2.as.a(as.java:680)
at com.ibm.jsse2.as.startHandshake(as.java:859)
at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
... 10 more

I tried to search a lot but was not able to find the solution for this. Let me know which driver to use for this and if anything I am missing in this.

Thanks,
Anup
DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is the property of Persistent Systems Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Ltd. does not accept any liability for virus infected mails.