
Re: BUG #5245: Full Server Certificate Chain Not Sent to client

From: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>
To: Brian Krug <bkrug(at)usatech(dot)com>
Cc: pgsql-bugs(at)postgresql(dot)org, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Stephen Frost <sfrost(at)snowman(dot)net>
Subject: Re: BUG #5245: Full Server Certificate Chain Not Sent to client
Date: 2010-05-27 02:56:37
Message-ID: 4BFDDF65.7080603@postnewspapers.com.au
Lists: pgsql-bugs
On 15/12/09 23:35, Brian Krug wrote:
>
> The following bug has been logged online:
>
> Bug reference:      5245
> Logged by:          Brian Krug
> Email address:      bkrug(at)usatech(dot)com
> PostgreSQL version: 8.4.1
> Operating system:   Solaris 10
> Description:        Full Server Certificate Chain Not Sent to client
> Details:
>
> I set up a postgres server with hostssl connections (in pg_hba.conf) and
> clientcert=1 option. Then I set up a Java client to connect to it with the
> postgres jdbc driver (version 8.4-701.jdbc4). I set up the server.key,
> server.crt and root.crt files on the server. The server.crt file is a
> certificate chain of 3 entries: the host-specific certificate followed by an
> immediate CA certificate followed by our company's root CA certificate. I
> put the root CA certificate into the truststore of the java client and I
> enable full ssl debug logging in the java client with -Djavax.net.debug=ssl.
> When I attempt a connection, my java client rejects the server's certificate
> reporting "SunCertPathBuilderException: unable to find valid certification
> path to requested target". When I look at the ssl debug logging, I realize
> that the server has only sent the first certificate (its own) and not the
> full certificate chain.


In another thread, Tom Lane wrote:

> I'm still a bit mystified about bug #5245 though.  I can see two
> possible explanations for that one:
>
> 1. The reporter was wrong about which server version he was using;
> pre-8.4 servers would in fact not send the whole cert chain, cf
> http://archives.postgresql.org/pgsql-committers/2009-05/msg00195.php
>
> 2. The reporter was wrong about the actual cause of his problem, and
> despite his description, the true reason his Java client was failing
> was the lack of SSL_CTX_set_client_CA_list().
>
> Anyway, as far as I can tell the case described there works now.

Yep. I wasn't able to reproduce that issue in any configuration where Pg
had _some_ access to the required certs, via server.crt or root.crt.

Perhaps the original reporter can enlighten us; I've jumped to the 
thread for #5245 for that purpose.

--
Craig Ringer
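The failure the reporter describes is the generic intermediate-CA problem: a client whose truststore holds only the root CA cannot build a path to the server certificate unless the intermediate certificate arrives with it. The script below is an added example, not code from this thread or from PostgreSQL; it uses openssl to generate a throwaway three-level chain of the same shape (root CA, intermediate CA, server certificate, all with constructed names such as db.example.test), assembles a server.crt the way the reporter did, and then checks what a root-only verifier can validate with and without the intermediate. It assumes an `openssl` binary on PATH and writes only into a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the bug thread: build a three-level chain of
# the shape the reporter describes (root CA -> intermediate CA -> server cert)
# with locally generated throwaway keys, then check what a client that trusts
# only the root CA can verify. All names and files are constructed here.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal openssl.cnf so the script does not depend on the system config.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = unused-overridden-by-subj
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# Extensions for the intermediate CA and for the server (leaf) certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:db.example.test\n' > leaf.ext

# 1. Self-signed root CA: the only certificate the client's truststore holds.
openssl req -x509 -config req.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout root.key -out root.crt -subj "/CN=Example Root CA" -days 365 >/dev/null 2>&1

# 2. Intermediate CA signed by the root.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
    -keyout intermediate.key -out intermediate.csr \
    -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out intermediate.crt -days 365 -extfile ca.ext >/dev/null 2>&1

# 3. Server certificate signed by the intermediate.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
    -keyout server.key -out server.csr -subj "/CN=db.example.test" >/dev/null 2>&1
openssl x509 -req -in server.csr -CA intermediate.crt -CAkey intermediate.key \
    -CAcreateserial -out server-leaf.crt -days 365 -extfile leaf.ext >/dev/null 2>&1

# 4. server.crt as the reporter built it: leaf first, then intermediate, then root.
cat server-leaf.crt intermediate.crt root.crt > server.crt

# Number of PEM certificates in the chain file (3 for the file built above).
chain_cert_count() {
    grep -c 'BEGIN CERTIFICATE' server.crt
}

# What a root-only client sees if the server presents just its own certificate:
# the path from leaf to root cannot be built, so verification fails.
verify_leaf_with_root_only() {
    if openssl verify -CAfile root.crt server-leaf.crt >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Same client, but the intermediate is supplied alongside the leaf, which is
# what sending the whole server.crt chain in the handshake achieves.
verify_leaf_with_intermediate() {
    if openssl verify -CAfile root.crt -untrusted intermediate.crt server-leaf.crt >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

echo "certificates in server.crt:      $(chain_cert_count)"               # 3
echo "leaf verifies with root only:    $(verify_leaf_with_root_only)"     # no
echo "leaf verifies with intermediate: $(verify_leaf_with_intermediate)"  # yes
```

The `-untrusted intermediate.crt` argument plays the role of the extra certificates a server sends after its own in the handshake: they are not trusted on their own, but they let the verifier link the leaf to the root it already trusts. If a client fails with "unable to find valid certification path" while the root is definitely in its truststore, comparing the number of certificates the server actually sends against `chain_cert_count` is the first thing to check.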
