
BUG #5245: Full Server Certificate Chain Not Sent to client

From: "Brian Krug" <bkrug(at)usatech(dot)com>
To: pgsql-bugs(at)postgresql(dot)org
Subject: BUG #5245: Full Server Certificate Chain Not Sent to client
Date: 2009-12-15 15:35:12
Message-ID: 200912151535.nBFFZCMW059887@wwwmaster.postgresql.org
Lists: pgsql-bugs
The following bug has been logged online:

Bug reference:      5245
Logged by:          Brian Krug
Email address:      bkrug(at)usatech(dot)com
PostgreSQL version: 8.4.1
Operating system:   Solaris 10
Description:        Full Server Certificate Chain Not Sent to client
Details: 

I set up a postgres server with hostssl connections (in pg_hba.conf) and
clientcert=1 option. Then I set up a Java client to connect to it with the
postgres jdbc driver (version 8.4-701.jdbc4). I set up the server.key,
server.crt and root.crt files on the server. The server.crt file is a
certificate chain of 3 entries: the host-specific certificate followed by an
immediate CA certificate followed by our company's root CA certificate. I
put the root CA certificate into the truststore of the java client and I
enable full ssl debug logging in the java client with -Djavax.net.debug=ssl.
When I attempt a connection, my java client rejects the server's certificate
reporting "SunCertPathBuilderException: unable to find valid certification
path to requested target". When I look at the ssl debug logging, I realize
that the server has only sent the first certificate (its own) and not the
full certificate chain.
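
An added diagnostic example, not part of the original report or of PostgreSQL: it builds the PostgreSQL SSLRequest that precedes the TLS handshake and counts the entries in a captured TLS Certificate handshake message, which is how a leaf-only reply like the one described above can be confirmed. It assumes the TLS 1.2-or-earlier Certificate layout; all function names and the sample byte strings are constructed for illustration.

```python
import struct

SSL_REQUEST_CODE = (1234 << 16) | 5679  # PostgreSQL SSLRequest code, 80877103

def build_ssl_request() -> bytes:
    """8-byte SSLRequest sent before any TLS: int32 length, int32 code."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)

def server_accepts_ssl(reply: bytes) -> bool:
    """The server answers with one byte: b'S' (start TLS) or b'N' (refused)."""
    if reply not in (b"S", b"N"):
        raise ValueError(f"unexpected SSLRequest reply: {reply!r}")
    return reply == b"S"

def _u24(buf: bytes, off: int) -> int:
    """Read a 3-byte big-endian length, rejecting truncated input."""
    if off + 3 > len(buf):
        raise ValueError("truncated length field")
    return int.from_bytes(buf[off:off + 3], "big")

def certs_in_handshake(msg: bytes) -> list:
    """Split a TLS <=1.2 Certificate handshake message into its DER entries."""
    if len(msg) < 4 or msg[0] != 11:  # handshake type 11 = certificate
        raise ValueError("not a Certificate handshake message")
    body = msg[4:]
    if _u24(msg, 1) != len(body) or _u24(body, 0) != len(body) - 3:
        raise ValueError("length fields do not match message size")
    certs, off = [], 3
    while off < len(body):
        n = _u24(body, off)
        off += 3
        if off + n > len(body):
            raise ValueError("certificate entry runs past end of message")
        certs.append(body[off:off + n])
        off += n
    return certs

def make_certificate_msg(certs: list) -> bytes:
    """Build a Certificate message from raw entries (used for the samples)."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = len(entries).to_bytes(3, "big") + entries
    return b"\x0b" + len(body).to_bytes(3, "big") + body

# Constructed placeholders standing in for DER certificates (not real X.509).
CHAIN = [b"LEAF-DER", b"INTERMEDIATE-DER", b"ROOT-DER"]
FULL_MSG = make_certificate_msg(CHAIN)           # all three server.crt entries
LEAF_ONLY_MSG = make_certificate_msg(CHAIN[:1])  # the reply the report describes

if __name__ == "__main__":
    for name, msg in (("full", FULL_MSG), ("leaf-only", LEAF_ONLY_MSG)):
        print(name, len(certs_in_handshake(msg)), "certificate(s) sent")
```

A count of 1 means the client can only build a path to its trusted root if it already holds the intermediate CA certificate itself.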
