Re: Allow sslrootcert to accept more than one certificate

From: Dave Cramer <davecramer(at)postgres(dot)rocks>
To: Christian Schaefer <chrisse(dot)s(at)googlemail(dot)com>
Cc: pgsql-jdbc(at)lists(dot)postgresql(dot)org
Subject: Re: Allow sslrootcert to accept more than one certificate
Date: 2020-08-27 11:26:00
Message-ID: CADK3HHJpRSQSgtRak8Hmab_974GrkwJusj8By_nQ9_zw7Q9K0Q@mail.gmail.com
Lists: pgsql-jdbc

Hi Christian,

Sorry for the late reply. Sure, a PR would be great!

Dave Cramer
www.postgres.rocks

On Tue, 18 Aug 2020 at 04:15, Christian Schaefer <chrisse(dot)s(at)googlemail(dot)com>
wrote:

> Hello,
>
> I was looking for a way to provide multiple independent trusted
> certificates to the jdbc driver. I came across the parameter sslrootcert.
> This parameter is documented as:
>
> "File name of the SSL root certificate. Defaults to defaultdir/root.crt
>
> It can be a PEM encoded X509v3 certificate"
>
> (see https://jdbc.postgresql.org/documentation/head/connect.html#ssl)
>
> The wording indicates that this parameter accepts only one single
> certificate in defaultdir/root.crt (or the file to which sslrootcert
> points). However, according to the code which is used to build the java
> KeyStore it accepts more than one certificate (as LibPQFactory calls
> java.security.cert.CertificateFactory.generateCertificates(InputStream)).
> Similar to the sslrootcert parameter for libpq the file may contain
> multiple (even independent, i.e. they don't need to build a single chain)
> concatenated PEM encoded certificates.
>
> The documentation for sslrootcert in libpq states:
>
> "
> This parameter specifies the name of a file containing SSL certificate
> authority (CA) certificate(s). If the file exists, the server's
> certificate will be verified to be signed by one of these authorities. The
> default is ~/.postgresql/root.crt
> "
>
> In my opinion, adapting the wording in the documentation for sslrootcert in
> the jdbc driver documentation and allowing multiple certificates stored in the
> file to which sslrootcert points also makes it more compatible with
> sslrootcert of libpq.
>
> If my understanding is correct, I'm happy to enter an issue or open a PR.
>
> Regards,
>
> Christian Schaefer
>

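The behaviour Christian describes, that `CertificateFactory.generateCertificates(InputStream)` parses every concatenated PEM block in the file rather than only the first, is easy to confirm outside the driver. The following is an added, stand-alone example and is not code from pgjdbc or from anyone in this thread. It loads a root.crt file in the libpq layout (several independent CA certificates concatenated in PEM form), places each one into an in-memory KeyStore as a trusted entry, and builds a TrustManagerFactory from it. The class and method names are assumptions made for this illustration; the default path under `~/.postgresql/root.crt` is the one quoted from the libpq documentation above.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Added example (hypothetical class name): load every CA in a concatenated PEM file as a trust anchor. */
public final class MultiRootTrust {

    /**
     * Parses all PEM certificates in the file and returns an in-memory KeyStore
     * that holds each one as a trusted certificate entry.
     */
    public static KeyStore loadTrustedRoots(String pemPath)
            throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // fresh, empty in-memory store

        try (InputStream in = new FileInputStream(pemPath)) {
            // generateCertificates (plural) consumes the whole stream and returns
            // one Certificate per PEM block; the certificates need not form a chain.
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            int index = 0;
            for (Certificate c : certs) {
                X509Certificate x509 = (X509Certificate) c;
                // Alias by position plus subject so two independent CAs never overwrite each other.
                String alias = "root-" + index++ + "-" + x509.getSubjectX500Principal().getName();
                ks.setCertificateEntry(alias, x509);
            }
        }

        // Fail early: an empty trust store would reject every server rather than trust every server,
        // but a silent misconfiguration is still better surfaced at startup than at first connect.
        if (ks.size() == 0) {
            throw new GeneralSecurityException("no certificates found in " + pemPath);
        }
        return ks;
    }

    /** Builds an SSLContext whose trust decisions come only from the given KeyStore. */
    public static SSLContext contextFor(KeyStore trusted) throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Default taken from the libpq documentation quoted in the thread.
        String path = args.length > 0
                ? args[0]
                : System.getProperty("user.home") + "/.postgresql/root.crt";
        KeyStore ks = loadTrustedRoots(path);
        System.out.println("trust anchors loaded from " + path + ": " + ks.size());
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            System.out.println("  " + aliases.nextElement());
        }
        contextFor(ks); // would be handed to the socket factory in a real client
    }
}
```

Run it against a file that concatenates two unrelated CA certificates and the alias listing shows two entries, which is exactly the multi-anchor semantics libpq documents. Note the security consequence of that semantics: every certificate in the file becomes a trust anchor on its own, so the file's integrity and write permissions matter as much as its contents, and the usual `sslmode=verify-full` hostname check is still needed on top of the chain validation these anchors provide.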