Re: SSL connection failure

On Thu, 31 Mar 2011 11:36:34 -0400, David Patricola wrote:
> I got a much better error message finally! ColdFusion's debug output
> provided me with a much better message. The lines that say "unable
> to find
> valid certification path to requested target" are the biggest help,
> but I'm
> importing server.crt into the default cacerts file under
> E:\Jrun4\jre\lib\security, so is there some configuration I'm
> missing?
>
>
>
> ===========================================================================
> org.postgresql.util.PSQLException: The connection attempt failed.
> at
>
> org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFa
> ctoryImpl.java:136)
> at
>
> org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:
> 65)
> at
>
> org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connection.
> java:116)
> at
>
> org.postgresql.jdbc3.AbstractJdbc3Connection.<init>(AbstractJdbc3Connection.
> java:30)
> at
> org.postgresql.jdbc3.Jdbc3Connection.<init>(Jdbc3Connection.java:24)
> at org.postgresql.Driver.makeConnection(Driver.java:369)
> at org.postgresql.Driver.connect(Driver.java:245)
> at
>
> coldfusion.server.j2ee.sql.pool.JDBCPool.createPhysicalConnection(JDBCPool.j
> ava:589)
> at
>
> coldfusion.server.j2ee.sql.pool.ConnectionRunner$RunnableConnection.run(Conn
> ectionRunner.java:67)
> at java.lang.Thread.run(Thread.java:619)
> Caused by: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find
> valid certification path to requested target
> at
> com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
> at
>
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1591)
> at
> com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
> at
> com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
> at
>
> com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandsh
> aker.java:975)
> at
>
> com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshake
> r.java:123)
> at
>
> com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
> at
>
> com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
> at
>
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884
> )
> at
>
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocket
> Impl.java:1096)
> at
>
> com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:62
> 3)
> at
>
> com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
> at
>
> java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
> at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
> at org.postgresql.core.PGStream.flush(PGStream.java:532)
> at
>
> org.postgresql.core.v3.ConnectionFactoryImpl.sendStartupPacket(ConnectionFac
> toryImpl.java:243)
> at
>
> org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFa
> ctoryImpl.java:91)
> ... 9 more
> Caused by: sun.security.validator.ValidatorException: PKIX path
> building
> failed: sun.security.provider.certpath.SunCertPathBuilderException:
> unable
> to find valid certification path to requested target
> at
> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:285)
> at
>
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:191)
> at sun.security.validator.Validator.validate(Validator.java:218)
> at
>
> com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerI
> mpl.java:126)
> at
>
> com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509Tru
> stManagerImpl.java:209)
> at
>
> com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509Tru
> stManagerImpl.java:249)
> at
>
> com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandsh
> aker.java:954)
> ... 21 more
> Caused by:
> sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target
> at
>
> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBui
> lder.java:174)
> at
> java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
> at
> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:280)
> ... 27 more
>
> -----Original Message-----
> From: Maciek Sakrejda [mailto:msakrejda(at)truviso(dot)com]
> Sent: Wednesday, March 30, 2011 4:55 PM
> To: David Patricola
> Cc: pgsql-jdbc(at)postgresql(dot)org
> Subject: Re: [JDBC] SSL connection failure
>
>> After restarting java services, I retest the datasource connection
>> (jdbc:postgresql://x.x.x.x/main?ssl) and get the fail message
>> "org.postgresql.util.PSQLException: The connection attempt failed."
>> with
> no
>> details in any logs to provide details. The connection works
>> without ssl
>> fine.
>
> In addition to Dave's suggetion, have you configured driver-level
> logging to check what's going on there? See loglevel connection
> parameter and DriverManager.setLogWriter().
>
> ---
> Maciek Sakrejda | System Architect | Truviso
>
> 1065 E. Hillsdale Blvd., Suite 215
> Foster City, CA 94404
> (650) 242-3500 Main
> www.truviso.com

Hi,

I think it's not PG JDBC driver problem, I found such URL parameter
that may help sslfactory=org.postgresql.ssl.NonValidatingFactory (if it
doesn't changed), but in addition I would like to give You some other
hints:
1. If You run driver in server environment then system keystore may not
be enough. Actually, common servers like Tomcat, or Glassfish provides
its own keystore and castore located somewhere in server directory, much
more this store may not be standard, desktop JKS keystore, but NSS
keystore, and importing certs there requires other tools.
2. You need to put certificate as trusted, and/or if certificate has
parent(s), then all those should be trusted, too.
3. Sometimes You need to provide keystore/truststore password by adding
-D system property to JVM launch path, not all servers gives ability to
open keystore by using SSL sockets.

Regards,
Radosław Smogura
http://softperience.eu