
Cannot connect using SSL certificates since version v42.2.9 #1819

Closed
1 of 2 tasks
pip25 opened this issue Jul 10, 2020 · 3 comments · Fixed by #1832

Comments

pip25 (Contributor) commented Jul 10, 2020

I'm submitting a ...

  • bug report
  • feature request

Describe the issue
Connecting using the "cert" method specified in pg_hba.conf succeeds with the below certificates up to v42.2.8, but fails in higher versions. The server reports that the certificate is not valid.

Driver Version?
v42.2.9 and higher

Java Version?
JDK 8

OS Version?
Windows 10 (1803)

PostgreSQL Version?
9.4.1

To Reproduce
Set up a PostgreSQL instance with the below certificates, add a hostssl + cert method line to pg_hba.conf. Create a "root" user in the database. Try connecting with this user and no password, using the following connection string (replace localhost if necessary):
jdbc:postgresql://localhost:5432/postgres?sslcert=client.root.crt&sslkey=client.root.key.der&sslmode=require&sslrootcert=ca.crt
In driver versions v42.2.9 and higher, connection fails with a "FATAL: connection requires a valid client certificate" error message.

Expected behaviour
The connection should succeed. It also works from psql with the following command:
psql -U root -w "postgresql://localhost:5432/postgres?sslcert=client.root.crt&sslkey=client.root.key.pem&sslmode=require&sslrootcert=ca.crt"

Certificates: (just some self-signed dev certs for convenience):

root.crt, ca.crt (used with different names in the server and client config)


server.crt


server.key


client.root.crt


client.root.key.pem


(I can't add the DER format key since it's a binary file, but it is fairly straightforward to convert the PEM key to DER.)

davecramer (Member) commented:
There are multiple tests that are run in travis that dispute this claim.

See https://github.com/pgjdbc/pgjdbc/tree/master/certdir for how to create the certs.
See https://travis-ci.org/github/pgjdbc/pgjdbc/jobs/705079767 for passing tests.

pip25 (Contributor, Author) commented Jul 10, 2020

@davecramer, it is more than possible that some SSL certificates continue to work. It's just that according to my testing, the ones I included above used to work, but no longer do. (They actually fail not just with PostgreSQL, but also with CockroachDB which uses the same protocol.) The only thing I need to change to get the connection working again is to roll back to a version prior to v42.2.9.

I'll also give the good* cert files in your above link a try as soon as I'm able to check if those work on my setup.

pip25 (Contributor, Author) commented Jul 10, 2020

@davecramer
Actually, there was no need, I've found the problem.

In 82c2008, the LibPQFactory constructor was modified to tweak the initialization based on the extension of the client key file. If the file name ends with "pk8" or "pk12", it is set up properly, my certificates also work after a name change - however, if the extension does not match either of these, both the key and the client certificate are silently ignored, and the KeyManager field (km) apparently remains uninitialized.

While the documentation does state that the SSL key needs to be in PKCS_8 DER format, it does not mention that the "pk8" (or "pk12") extension is required. (And indeed, it did not matter prior to v42.2.9.) So for backwards compatibility reasons, I'd suggest checking the extension for "pk12" keys only, and falling back to PKCS_8 processing if it doesn't match. (If there's no other, more generic way to tell the two key formats apart.)
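The three ways of deciding how a client key file is loaded, as an added illustration (Python, not pgjdbc's Java code): the extension gate described above that silently drops keys such as `client.root.key.der`, the extension rule from the fix merged for this issue (only `.p12`/`.pfx` mean PKCS#12, everything else is treated as PKCS#8), and the "more generic way to tell the two key formats apart" the comment asks about, which sniffs the DER structure: a PFX starts with `SEQUENCE { INTEGER 3 ... }`, an unencrypted PKCS#8 `PrivateKeyInfo` with `SEQUENCE { INTEGER 0|1 ... }`, and an encrypted PKCS#8 with `SEQUENCE { SEQUENCE (AlgorithmIdentifier) ... }`. The sample byte strings are hand-built minimal DER prefixes, not real keys.

```python
from pathlib import PurePath

def key_kind_by_extension_buggy(path):
    """Behaviour reported in this issue: any other extension is ignored,
    so no KeyManager is built and no client certificate is ever sent."""
    ext = PurePath(path).suffix.lower()
    if ext == ".pk12":
        return "pkcs12"
    if ext == ".pk8":
        return "pkcs8"
    return None

def key_kind_by_extension_fixed(path):
    """Rule from the merged fix: gate only PKCS#12 on the extension and
    fall back to PKCS#8 for everything else (.der, .key, no suffix...)."""
    ext = PurePath(path).suffix.lower()
    return "pkcs12" if ext in (".p12", ".pfx") else "pkcs8"

def _read_tlv(buf, pos):
    """Minimal DER tag/length reader: returns (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = octet count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def key_kind_by_content(data):
    """Classify a key file by its bytes rather than by its file name."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"                       # the driver wants DER; convert first
    if len(data) < 4:
        return None
    tag, start, _ = _read_tlv(data, 0)
    if tag != 0x30:                        # every candidate is an outer SEQUENCE
        return None
    inner_tag, istart, iend = _read_tlv(data, start)
    if inner_tag == 0x02:                  # INTEGER version comes first
        version = int.from_bytes(data[istart:iend], "big")
        if version == 3:
            return "pkcs12"                # PFX ::= SEQUENCE { version v3, ... }
        if version in (0, 1):
            return "pkcs8"                 # PrivateKeyInfo v1 / v2
        return None
    if inner_tag == 0x30:                  # AlgorithmIdentifier comes first
        return "pkcs8-encrypted"           # EncryptedPrivateKeyInfo
    return None

# Constructed sample prefixes (not real keys): SEQUENCE { INTEGER n, SEQUENCE {} }
SAMPLE_PKCS12 = b"\x30\x05\x02\x01\x03\x30\x00"
SAMPLE_PKCS8 = b"\x30\x05\x02\x01\x00\x30\x00"
SAMPLE_PKCS8_ENC = b"\x30\x04\x30\x00\x04\x00"   # SEQUENCE { SEQUENCE {}, OCTET STRING }
SAMPLE_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"
```

Sniffing the content also turns the silent failure into a diagnosable one: a `pem` result tells the user to convert the key instead of leaving the server to reject the handshake.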

pip25 pushed a commit to pip25/pgjdbc that referenced this issue Jul 27, 2020
check for the most common PKCS-12 extensions (.p12, .pfx) and assume
PKCS-8 if these do not match

closes pgjdbc#1819
davecramer pushed a commit that referenced this issue Jul 30, 2020
check for the most common PKCS-12 extensions (.p12, .pfx) and assume
PKCS-8 if these do not match

closes #1819

Co-authored-by: Papp István Péter <pip25@sonrisa.hu>