On 15/12/09 23:35, Brian Krug wrote:

The following bug has been logged online:

Bug reference:      5245
Logged by:          Brian Krug
Email address:      bk...@usatech.com
PostgreSQL version: 8.4.1
Operating system:   Solaris 10
Description:        Full Server Certificate Chain Not Sent to client
Details:

I set up a postgres server with hostssl connections (in pg_hba.conf) and
clientcert=1 option. Then I set up a Java client to connect to it with the
postgres jdbc driver (version 8.4-701.jdbc4). I set up the server.key,
server.crt and root.crt files on the server. The server.crt file is a
certificate chain of 3 entries: the host-specific certificate followed by an
immediate CA certificate followed by our company's root CA certificate. I
put the root CA certificate into the truststore of the java client and I
enable full ssl debug logging in the java client with -Djavax.net.debug=ssl.
When I attempt a connection, my java client rejects the server's certificate
reporting "SunCertPathBuilderException: unable to find valid certification
path to requested target". When I look at the ssl debug logging, I realize
that the server has only sent the first certificate (its own) and not the
full certificate chain.


In another thread, Tom Lane wrote:

> I'm still a bit mystified about bug #5245 though.  I can see two
> possible explanations for that one:
>
> 1. The reporter was wrong about which server version he was using;
> pre-8.4 servers would in fact not send the whole cert chain, cf
> http://archives.postgresql.org/pgsql-committers/2009-05/msg00195.php
>
> 2. The reporter was wrong about the actual cause of his problem, and
> despite his description, the true reason his Java client was failing
> was the lack of SSL_CTX_set_client_CA_list().
>
> Anyway, as far as I can tell the case described there works now.

Yep. I wasn't able to reproduce that issue in any configuration where Pg had _some_ access to the required certs, via server.crt or root.crt.

Perhaps the original reporter can enlighten us; I've jumped to the thread for #5245 for that purpose.

--
Craig Ringer
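The failure in #5245 is exactly what a client sees when the server presents only the leaf certificate and the client's trust store holds only the root: there is no path from one to the other. Below is an added example (not code from the thread or from PostgreSQL) that checks a PEM bundle such as server.crt for the two things that matter here: that every certificate is issued by the one after it, and that the last one is, or is issued by, something in a given trust file (root.crt on the server, or the root the Java truststore holds). It uses only the Python standard library and a deliberately minimal DER reader that extracts the issuer and subject Names and compares their raw encodings; it does not check signatures or validity. The three certificates it builds for itself (db.example.com, "Example Intermediate CA", "Example Root CA") are constructed placeholders with dummy keys and signatures, not real certificates.

```python
"""Check a PostgreSQL server.crt bundle for a complete, correctly ordered chain.

Added example, standard library only. Parses just enough DER to read each
certificate's issuer and subject; no signature or validity checks.
"""
import base64
import re

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
_ATTR = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}  # common Name OIDs


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:                                   # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value, raw_tlv) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, end = _read_tlv(value, pos)
        yield tag, inner, value[pos:end]
        pos = end


def _render_name(name_value):
    """Render an X.501 Name (SEQUENCE OF SET OF SEQUENCE{OID, value}) as text."""
    parts = []
    for _, rdn, _ in _children(name_value):             # each RDN is a SET
        for _, atv, _ in _children(rdn):                # AttributeTypeAndValue
            (_, oid, _), (_, val, _) = list(_children(atv))[:2]
            parts.append(f"{_ATTR.get(oid, 'OID')}={val.decode('utf-8', 'replace')}")
    return ", ".join(parts)


def cert_names(der):
    """Return (subject_raw, issuer_raw, subject_text, issuer_text) for one DER cert."""
    _, cert, _ = _read_tlv(der, 0)                      # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)                      # tbsCertificate SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                            # optional explicit [0] version
        fields = fields[1:]
    issuer, subject = fields[2], fields[4]              # serial, sigAlg, issuer, validity, subject
    return subject[2], issuer[2], _render_name(subject[1]), _render_name(issuer[1])


def pem_to_ders(pem_text):
    return [base64.b64decode("".join(m.split())) for m in _PEM_RE.findall(pem_text)]


def check_bundle(pem_text, trusted_pem=""):
    """Report how many certs the bundle holds, whether each is issued by the next,
    and whether the last one is (or is issued by) a subject in trusted_pem."""
    certs = [cert_names(d) for d in pem_to_ders(pem_text)]
    trusted = {cert_names(d)[0] for d in pem_to_ders(trusted_pem)}
    ordered = all(certs[i][1] == certs[i + 1][0] for i in range(len(certs) - 1))
    reaches = bool(certs) and (certs[-1][0] in trusted or certs[-1][1] in trusted)
    return {"count": len(certs), "subjects": [c[2] for c in certs],
            "ordered": ordered, "reaches_trust": reaches}


# ---- constructed sample input: structural placeholders, NOT real certificates ----
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):                                          # Name with a single CN
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x13, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def _fake_cert(subject_cn, issuer_cn):                  # dummy algorithm, key and signature
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    validity = _tlv(0x30, _tlv(0x17, b"200101000000Z") * 2)
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + _tlv(0x30, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))


def _pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


LEAF = _pem(_fake_cert("db.example.com", "Example Intermediate CA"))
INTERMEDIATE = _pem(_fake_cert("Example Intermediate CA", "Example Root CA"))
ROOT = _pem(_fake_cert("Example Root CA", "Example Root CA"))
FULL_CHAIN = LEAF + INTERMEDIATE + ROOT       # what server.crt should hold
MISORDERED = ROOT + INTERMEDIATE + LEAF

if __name__ == "__main__":
    for label, bundle in [("full chain", FULL_CHAIN), ("leaf only", LEAF), ("misordered", MISORDERED)]:
        print(label, check_bundle(bundle, trusted_pem=ROOT))   # client trusts only the root
```

Run against the leaf alone with the root as the trust file, the report shows one certificate and reaches_trust False, which is the reporter's situation: the client holds the root, the server shows only its own certificate, and nothing bridges the gap. Leaf plus intermediate is enough, since the intermediate's issuer is the trusted root; shipping the root as well is harmless. To see what a live server actually sends rather than what the file holds, `openssl s_client -starttls postgres -showcerts -connect host:5432` (OpenSSL 1.1.1 or later) prints every certificate in the handshake, and `openssl verify -CAfile root.crt -untrusted intermediate.pem leaf.pem` does the signature checking this script leaves out.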

--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs
