Re: ssl connection issues

From: Dave Cramer <pg(at)fastcrypt(dot)com>
To: james(dot)a(dot)davis-1(at)nasa(dot)gov
Cc: gabriele(dot)bulfon(at)sonicle(dot)com, zloster <more(at)edno(dot)moe>, Alexander Kjäll <alexander(dot)kjall(at)gmail(dot)com>, pgsql-jdbc(at)lists(dot)postgresql(dot)org
Subject: Re: ssl connection issues
Date: 2018-10-11 22:34:24
Message-ID: CADK3HHK2gubwykSpN+xV+V7r2UdgaNcvbiqU06=gvHMwW3nyLw@mail.gmail.com
Lists: pgsql-jdbc

Hello,

I have been able to replicate this problem and setting

tlsProperties.setProperty(SSL_PASSWORD.getName(),"");

or the correct ssl password should work

Dave Cramer

davec(at)postgresintl(dot)com
www.postgresintl.com

On Thu, 20 Sep 2018 at 08:48, Davis, James A. (LARC-D318)[LITES II] <
james(dot)a(dot)davis-1(at)nasa(dot)gov> wrote:

> From an outside SA view, I have to ask, did you import your cert into the
> JAVA cacerts file?
>
> I see a slew of SSL application problems weekly that are generated by the
> local JAVA installation not having any generated/local host certs imported
> used by developer applications. If you have multiple versions of java
> ensure you import your cert into each of their cacerts. This is more a
> problem on windows than linux.
>
>
>
> James Davis
>
> SSAI contractor
>
> Lites II Systems Administrator
>
> NASA Langley Research Center
>
> Hampton, VA. 23666
>
> Office: 757-864-2731
>
> Cell: 757-580-6398
>
>
> *From: *Gabriele Bulfon <gabriele(dot)bulfon(at)sonicle(dot)com>
> *Reply-To: *Gabriele Bulfon <gabriele(dot)bulfon(at)sonicle(dot)com>
> *Date: *Thursday, September 20, 2018 at 5:16 AM
> *To: *zloster <more(at)edno(dot)moe>, Dave Cramer <pg(at)fastcrypt(dot)com>
> *Cc: *Alexander Kjäll <alexander(dot)kjall(at)gmail(dot)com>, "
> pgsql-jdbc(at)lists(dot)postgresql(dot)org" <pgsql-jdbc(at)lists(dot)postgresql(dot)org>
> *Subject: *Re: ssl connection issues
>
>
>
> Thanks, I tried enabling all the client debug infos, but didn't get much
> from them.
>
> I will try to create certs from scratch, using the openssl tool instead of
> easy-rsa, and see if something changes.
>
>
>
> Gabriele
>
>
> *Gabriele Bulfon - Sonicle S.r.l.*
>
> Tel +39 028246016 - Fax +39 028243880
> Strada 6, Palazzo A13 - 20090 - Assago Milanofiori - MI
> http://www.sonicle.com
>
>
> ------------------------------
>
>
>
> *From:* zloster <more(at)edno(dot)moe>
> *To:* Dave Cramer <pg(at)fastcrypt(dot)com>, Gabriele Bulfon <gbulfon(at)sonicle(dot)com>
> *Cc:* Alexander Kjäll <alexander(dot)kjall(at)gmail(dot)com>, pgsql-jdbc(at)lists(dot)postgresql(dot)org
> *Date:* 19 September 2018 9.21.03 CEST
> *Subject:* Re: ssl connection issues
>
> On 18.09.2018 18:27, Dave Cramer wrote:
>
>
>
> On Tue, 18 Sep 2018 at 11:23, Gabriele Bulfon <gbulfon(at)sonicle(dot)com> wrote:
>
> The only server cert known to me that is needed to the client is the
> root.crt (the ca cert) of the server used to sign the client cert.
>
> These three files are all that is needed to the odbc driver, to the native
> navicat dll connection, and to any other certs-based ssl connection such as
> openvpn.
>
> Actually the jdbc code is not complaining about the certs (if I remove any
> of them it will complain), something is going wrong during the ssl
> handshake that I cannot understand.
>
>
>
> Is there any way to log more stuff on the server postgres.log about the
> ssl handshake?
>
>
>
> I'm sure there is but I don't know how. The server is not my domain.
>
>
>
> Try connecting with psql. If you can connect with that then JDBC should be
> able to connect.
>
>
>
> Dave Cramer
>
> davec(at)postgresintl(dot)com
>
> www.postgresintl.com
>
> Hi to all,
> IMO it will be better to inspect the SSL/TLS handshake at the client - the
> machine that is initiating the connection to the PostgreSQL server through
> the JDBC driver.
>
> Here are some links with the basic stuff about debugging the SSL/TLS
> connections with the JVM:
>
> 1. https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https
>    - this is an introduction document. It points to the following two pages.
>    The first is describing what debug tools are available and the second shows
>    how to read the debug output:
>    - https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#Debug
>    - https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html
> 2. https://access.redhat.com/solutions/973783 - same as the above but
>    in Q&A style
>
> I've used the debug output once - I've needed to investigate why
> communication with test HTTPS endpoint is working from a browser but not
> from a Java 8 program. After nearly one day of looking at the connection
> logs the problem turned out to be in the certificate chain - the browser
> was happy with the intermediate certificates, but the JVM was not.
>
> Best regards,
> zloster
>
>
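
An added example, not code from this thread or from the pgjdbc project: a small client-side check that combines the two suggestions above, the empty `sslpassword` setting and the JSSE handshake debug output. The class name, host, database, user and file paths are placeholders to replace with your own.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import org.postgresql.PGProperty;

// Hypothetical diagnostic class; requires the pgjdbc driver on the classpath.
public class PgTlsHandshakeCheck {
    public static void main(String[] args) {
        // Set before the first TLS connection so JSSE prints the handshake trace
        // (same effect as starting the JVM with -Djavax.net.debug=ssl:handshake).
        System.setProperty("javax.net.debug", "ssl:handshake");

        // Placeholder connection details (assumptions, not values from the thread).
        String url = "jdbc:postgresql://db.example.internal:5432/appdb";

        Properties tlsProperties = new Properties();
        tlsProperties.setProperty(PGProperty.USER.getName(), "appuser");
        tlsProperties.setProperty(PGProperty.SSL.getName(), "true");
        // verify-full checks both the server certificate chain and the host name.
        tlsProperties.setProperty(PGProperty.SSL_MODE.getName(), "verify-full");
        tlsProperties.setProperty(PGProperty.SSL_ROOT_CERT.getName(), "/path/to/root.crt");
        tlsProperties.setProperty(PGProperty.SSL_CERT.getName(), "/path/to/client.crt");
        tlsProperties.setProperty(PGProperty.SSL_KEY.getName(), "/path/to/client.key");
        // Setting from the message above: an empty value, or the key's actual password.
        tlsProperties.setProperty(PGProperty.SSL_PASSWORD.getName(), "");

        try (Connection conn = DriverManager.getConnection(url, tlsProperties)) {
            System.out.println("TLS connection established to "
                    + conn.getMetaData().getDatabaseProductVersion());
        } catch (SQLException e) {
            // Print the whole cause chain: the driver's message often wraps the
            // underlying SSLHandshakeException or certificate path error.
            for (Throwable t = e; t != null; t = t.getCause()) {
                System.err.println(t.getClass().getName() + ": " + t.getMessage());
            }
        }
    }
}
```

Read the handshake trace together with the printed cause chain: a certificate path failure, as in the intermediate-certificate case described above, shows up in both.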
