From: | Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> |
---|---|
To: | Thomas Spear <speeddymon(at)gmail(dot)com> |
Cc: | pgsql-hackers(at)lists(dot)postgresql(dot)org |
Subject: | Re: TLS certificate alternate trust paths issue in libpq - certificate chain validation failing |
Date: | 2024-04-30 22:19:37 |
Message-ID: | CAOYmi+mXOv1XwAhwf_WCd+_4F8q_F_0dN=_CBfT6zi6QhTigtg@mail.gmail.com |
Lists: | pgsql-hackers |
On Tue, Apr 30, 2024 at 2:41 PM Thomas Spear <speeddymon(at)gmail(dot)com> wrote:
> The full details can be found at github.com/pgjdbc/pgjdbc/discussions/3236 - in summary, both jdbc-postgres and the psql cli seem to be affected by an issue validating the certificate chain up to a publicly trusted root certificate that has cross-signed an intermediate certificate coming from a Postgres server in Azure, when using sslmode=verify-full and trying to rely on the default path for sslrootcert.
Hopefully someone more familiar with the Azure cross-signing setup
sees something obvious and chimes in, but in the meantime there are a
couple things I can think to ask:
1. Are you sure that the server is actually putting the cross-signed
intermediate in the chain it's serving to the client?
2. What version of OpenSSL? There used to be validation bugs with
alternate trust paths; hopefully you're not using any of those (I
think they're old as dirt), but it doesn't hurt to know.
3. Can you provide a sample public certificate chain that should
validate and doesn't?
Thanks,
--Jacob
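The three questions above boil down to one experiment: does the chain the server actually sends contain an intermediate whose issuer is the trusted root, and does the local OpenSSL build a path through it? The script below is an added example (not code from this thread, libpq, or pgjdbc) that builds a throwaway PKI with one intermediate key certified by two roots, then runs `openssl verify` with the root in the `-CAfile` role that `sslrootcert` plays for libpq (whose default is `~/.postgresql/root.crt`) and the served intermediates in the `-untrusted` role. Every CA name and the hostname `db.example.test` are constructed; it assumes OpenSSL 1.1.1 or later on `PATH`, and `describe_chain` is a helper defined here, not an OpenSSL subcommand.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread: reproduce a cross-signed
# intermediate with a throwaway PKI and show which served chains validate
# against a given trust anchor. All names are constructed; this is not
# Azure's real CA hierarchy. Needs OpenSSL >= 1.1.1.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Question 2 in the reply: which OpenSSL is doing the validating?
openssl version

# Extension profiles in "openssl x509 -extfile" format.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$WORK/leaf.ext"

# new_key <prefix> <CN>: fresh P-256 key plus a CSR for that CN.
new_key() {
  openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/$1.key"
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr"
}

# mk_root <prefix> <CN>: self-signed CA certificate.
mk_root() {
  new_key "$1" "$2"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# sign <csr-prefix> <ca-cert-prefix> <ca-key-prefix> <ext-file> <out-prefix>
sign() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$4" -out "$WORK/$5.crt" 2>/dev/null
}

mk_root private_root "Constructed Private Root"  # operator's own root, in no default store
mk_root public_root  "Constructed Public Root"   # stands in for a publicly trusted root

# Cross-signing: ONE intermediate key and CSR, certified by BOTH roots.
new_key int "Constructed Intermediate CA"
sign int private_root private_root ca.ext int_private   # path to the private root
sign int public_root  public_root  ca.ext int_cross     # path to the public root

# The server (leaf) certificate, issued with the intermediate's key.
new_key leaf "db.example.test"
sign leaf int_private int leaf.ext leaf

# verify_leaf <trusted-root-prefix> [intermediate-prefix...]: prints OK or FAIL.
# -CAfile is the trust anchor (sslrootcert); -untrusted is what the server
# sends next to its leaf in the TLS handshake. Default stores are disabled so
# only the named root counts.
verify_leaf() {
  root="$1"; shift
  chain="$WORK/served_chain.pem"; : > "$chain"
  for p in "$@"; do cat "$WORK/$p.crt" >> "$chain"; done
  untrusted=""; [ $# -eq 0 ] || untrusted="-untrusted $chain"
  if openssl verify -no-CAfile -no-CApath -CAfile "$WORK/$root.crt" $untrusted \
       "$WORK/leaf.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# describe_chain <pem-bundle>: one "subject=" / "issuer=" pair per certificate.
# Question 1 in the reply: run it on a real server's chain captured with
#   openssl s_client -starttls postgres -connect HOST:5432 -showcerts </dev/null > served.pem
# (HOST is a placeholder) and check that an intermediate issued by the public
# root is really there.
describe_chain() {
  rm -f "$WORK"/part.*.pem
  awk -v dir="$WORK" '/-----BEGIN CERTIFICATE-----/ { n++ } n > 0 { print > (dir "/part." n ".pem") }' "$1"
  for f in "$WORK"/part.*.pem; do
    openssl x509 -in "$f" -noout -subject -issuer
  done
}

echo "public root, cross-signed intermediate served: $(verify_leaf public_root int_cross)"    # OK
echo "public root, private-path intermediate served: $(verify_leaf public_root int_private)"  # FAIL
echo "public root, no intermediate served at all:    $(verify_leaf public_root)"              # FAIL
echo "private root, private-path intermediate:       $(verify_leaf private_root int_private)" # OK
describe_chain "$WORK/served_chain.pem"
```

The second and third calls are the failure mode under discussion: the leaf and the intermediate key are identical in every case, so validation against the public root succeeds or fails purely on whether the intermediate certificate the server sends was issued by that root. That is why the first thing to check is the real served chain, not the client configuration.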