Sorry, correction for the openssl command output:

$ openssl s_client -connect 172.21.32.4:5432 -starttls postgres
Connecting to 172.21.32.4
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
verify return:1
depth=1 C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 07
verify return:1
depth=0 C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN= c1fba9900d4d.database.azure.com
verify return:1
---
Certificate chain
 0 s:C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN= c1fba9900d4d.database.azure.com
   i:C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 07
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
   v:NotBefore: Feb 25 14:04:55 2025 GMT; NotAfter: Aug 24 14:04:55 2025 GMT
 1 s:C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 07
   i:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
   v:NotBefore: Jun 8 00:00:00 2023 GMT; NotAfter: Aug 25 23:59:59 2026 GMT
 2 s:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
   i:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 1 12:00:00 2013 GMT; NotAfter: Jan 15 12:00:00 2038 GMT
---
Server certificate
subject=C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN= c1fba9900d4d.database.azure.com
issuer=C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 07
---
Acceptable client certificate CA names
DC=GBL, DC=AME, CN=AME INFRA CA 01
DC=GBL, DC=AME, CN=AME Infra CA 02
DC=GBL, DC=AME, CN=AME Infra CA 03
DC=GBL, DC=AME, CN=AME Infra CA 04
DC=GBL, DC=AME, CN=AME Infra CA 05
DC=GBL, DC=AME, CN=AME Infra CA 06
CN=AME G1 TLS RSA 2048 SHA256 2024 CUS CA 07
CN=AME G1 TLS RSA 2048 SHA256 2024 EUS2 CA 07
CN=AME G1 TLS RSA 2048 SHA256 2024 EUS2EUAP CA 07
CN=AME G1 TLS RSA 2048 SHA256 2024 WCUS CA 07
CN=AME G1 TLS RSA 2048 SHA256 2024 WUS2 CA 07
CN=MSIT CA Z2
C=US, O=Microsoft Corporation, CN=MSFT BALT RS256 CA
C=US, O=Microsoft Corporation, CN=MSFT RS256 CA-1
C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 03
C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 04
C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 07
C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 08
C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1
C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
C=US, O=Microsoft Corporation, CN=Microsoft Azure ECC TLS Issuing CA 03
C=US, O=Microsoft Corporation, CN=Microsoft Azure ECC TLS Issuing CA 04
C=US, O=Microsoft Corporation, CN=Microsoft Azure ECC TLS Issuing CA 07
C=US, O=Microsoft Corporation, CN=Microsoft Azure ECC TLS Issuing CA 08
C=US, O=Microsoft Corporation, CN=Microsoft ECC TLS Issuing AOC CA 01
C=US, O=Microsoft Corporation, CN=Microsoft ECC TLS Issuing AOC CA 02
C=US, O=Microsoft Corporation, CN=Microsoft ECC TLS Issuing EOC CA 02
C=US, O=Microsoft Corporation, CN=Microsoft ECC TLS Issuing EOC CA 01
C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS Issuing EOC CA 01
C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS Issuing AOC CA 01
C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS Issuing AOC CA 02
C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS Issuing EOC CA 02
C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K
C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2014 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1M
CN=CCME G1 TLS RSA 2048 SHA256 2049 CUS CA 01
CN=CCME G1 TLS RSA 2048 SHA256 2049 EUS2 CA 01
CN=CCME G1 TLS RSA 2048 SHA256 2049 EU2C CA 01
CN=CCME G1 TLS RSA 2048 SHA256 2049 WCUS CA 01
CN=CCME G1 TLS RSA 2048 SHA256 2049 WUS2 CA 01
DC=GBL, DC=AME, CN=ameroot
CN=Microsoft Internal Corporate Root
C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G3
C=US, O=Microsoft Corporation, CN=Microsoft ECC Root Certificate Authority 2017
C=US, O=Microsoft Corporation, CN=Microsoft RSA Root Certificate Authority 2017
C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2
C=US, O=Microsoft Corporation, CN=Commercial Cloud Root CA R1
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 9903 bytes and written 749 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

But then psql fails:

$ psql "postgresql://postgres:password12345!!@ 172.21.32.4:5432/postgres?sslmode=require"
psql: error: connection to server at "172.21.32.4", port 5432 failed: FATAL: password authentication failed for user "postgres"