Cannot connect using SSL certificates since version v42.2.9 #1819
Comments
There are multiple tests that are run in Travis that dispute this claim. See https://github.com/pgjdbc/pgjdbc/tree/master/certdir for how to create the certs for passing tests.
@davecramer, it is more than possible that some SSL certificates continue to work. It's just that according to my testing, the ones I included above used to work, but no longer do. (They actually fail not just with PostgreSQL, but also with CockroachDB, which uses the same protocol.) The only thing I need to change to get the connection working again is to roll back to a version prior to v42.2.9. I'll also give the good* cert files in your above link a try as soon as I'm able to check if those work on my setup.
@davecramer In 82c2008, the LibPQFactory constructor was modified to tweak the initialization based on the extension of the client key file. If the file name ends with "pk8" or "pk12", it is set up properly (my certificates also work after a name change); however, if the extension does not match either of these, both the key and the client certificate are silently ignored, and the KeyManager field (km) apparently remains uninitialized. While the documentation does state that the SSL key needs to be in PKCS_8 DER format, it does not mention that the "pk8" (or "pk12") extension is required. (And indeed, it did not matter prior to v42.2.9.) So for backwards compatibility reasons, I'd suggest checking the extension for "pk12" keys only, and falling back to PKCS_8 processing if it doesn't match. (If there's no other, more generic way to tell the two key formats apart.)
check for the most common PKCS-12 extensions (.p12, .pfx) and assume PKCS-8 if these do not match closes pgjdbc#1819
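The comment and commit message above describe the two halves of the fix: special-case only the PKCS-12 extensions and treat every other key file name as PKCS-8 DER, and never drop a configured key without telling the caller. The class below is an added illustration of that dispatch, not pgjdbc's code; ClientKeyLoader, formatFor and loadClientKey are hypothetical names, and the PKCS-8 branch assumes an unencrypted DER key as the issue's connection string uses.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Enumeration;
import java.util.Locale;

// Hypothetical helper, not pgjdbc's code.
public final class ClientKeyLoader {
  enum KeyFormat { PKCS12, PKCS8 }

  // Only PKCS-12 container extensions are special-cased; every other name,
  // including "client.root.key.der" from the issue, is treated as PKCS-8 DER.
  static KeyFormat formatFor(String fileName) {
    String lower = fileName.toLowerCase(Locale.ROOT);
    boolean p12 = lower.endsWith(".p12") || lower.endsWith(".pfx") || lower.endsWith(".pk12");
    return p12 ? KeyFormat.PKCS12 : KeyFormat.PKCS8;
  }

  // A configured key that cannot be read is an error, never a silently
  // missing credential: the caller gets an exception here instead of the
  // server's "connection requires a valid client certificate".
  static PrivateKey loadClientKey(Path file, char[] password)
      throws IOException, GeneralSecurityException {
    if (formatFor(file.getFileName().toString()) == KeyFormat.PKCS12) {
      KeyStore ks = KeyStore.getInstance("PKCS12");
      try (InputStream in = Files.newInputStream(file)) {
        ks.load(in, password);
      }
      for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
        String alias = e.nextElement();
        if (ks.isKeyEntry(alias)) return (PrivateKey) ks.getKey(alias, password);
      }
      throw new GeneralSecurityException("no private key entry in " + file);
    }
    // Unencrypted PKCS-8 DER: try RSA first, then EC.
    PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Files.readAllBytes(file));
    try {
      return KeyFactory.getInstance("RSA").generatePrivate(spec);
    } catch (InvalidKeySpecException notRsa) {
      return KeyFactory.getInstance("EC").generatePrivate(spec);
    }
  }
}
```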
I'm submitting a ...
Describe the issue
Connecting using the "cert" method specified in pg_hba.conf succeeds with the below certificates up to v42.2.8, but fails in higher versions. The server reports that the certificate is not valid.
Driver Version?
v42.2.9 and higher
Java Version?
JDK 8
OS Version?
Windows 10 (1803)
PostgreSQL Version?
9.4.1
To Reproduce
Set up a PostgreSQL instance with the below certificates, add a hostssl + cert method line to pg_hba.conf. Create a "root" user in the database. Try connecting with this user and no password, using the following connection string (replace localhost if necessary):
jdbc:postgresql://localhost:5432/postgres?sslcert=client.root.crt&sslkey=client.root.key.der&sslmode=require&sslrootcert=ca.crt
In driver versions v42.2.9 and higher, connection fails with a "FATAL: connection requires a valid client certificate" error message.
Expected behaviour
The connection should succeed. It also works from psql with the following command:
psql -U root -w "postgresql://localhost:5432/postgres?sslcert=client.root.crt&sslkey=client.root.key.pem&sslmode=require&sslrootcert=ca.crt"
Certificates (just some self-signed dev certs for convenience):
root.crt, ca.crt (used with different names in the server and client config)
server.crt
server.key
client.root.crt
client.root.key.pem
(I can't add the DER format key since it's a binary file, but it is fairly straightforward to convert the PEM key to DER.)