On Tue, Apr 30, 2024 at 2:41 PM Thomas Spear <speeddy...@gmail.com> wrote:
> The full details can be found at github.com/pgjdbc/pgjdbc/discussions/3236 -
> in summary, both jdbc-postgres and the psql cli seem to be affected by an
> issue validating the certificate chain up to a publicly trusted root
> certificate that has cross-signed an intermediate certificate coming from a
> Postgres server in Azure, when using sslmode=verify-full and trying to rely
> on the default path for sslrootcert.

Hopefully someone more familiar with the Azure cross-signing setup sees
something obvious and chimes in, but in the meantime there are a couple
things I can think to ask:

1. Are you sure that the server is actually putting the cross-signed
   intermediate in the chain it's serving to the client?
2. What version of OpenSSL? There used to be validation bugs with
   alternate trust paths; hopefully you're not using any of those (I
   think they're old as dirt), but it doesn't hurt to know.
3. Can you provide a sample public certificate chain that should validate
   and doesn't?

Thanks,
--Jacob