
Make sure all configuration settings have defaults documented #2740

Merged
merged 1 commit into from Jan 31, 2023

Conversation

davecramer
Member

Add some missing configuration settings to README
Specify implied default for sslFactory in PGProperty
@davecramer davecramer merged commit f51c68e into pgjdbc:master Jan 31, 2023
@maffaan
maffaan commented Apr 14, 2023

Hi @davecramer, we were facing an issue with sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory and experiencing

FATAL: connection requires a valid client certificate.

The properties below were being used:

```java
props.setProperty("ssl", "true");
props.setProperty("sslmode", "verify-ca");
props.setProperty("sslcert", "/home/edb/postgresql.crt.der");
props.setProperty("sslkey", "/home/edb/postgresql.key.pk8");
props.setProperty("sslrootcert", "/home/edb/root.crt");
props.setProperty("sslfactory", "org.postgresql.ssl.DefaultJavaSSLFactory");
```

In the SSL handshake, the client certificate was showing as empty while we were providing the client certificate in the above properties.

```
javax.net.ssl|FINE|01|main|2023-04-12 05:59:34.237 EDT|CertificateMessage.java:299|No X.509 certificate for client authentication, use empty Certificate message instead
javax.net.ssl|FINE|01|main|2023-04-12 05:59:34.254 EDT|CertificateMessage.java:330|Produced client Certificate handshake message ( "Certificates": <empty list> )
```

As soon as DefaultJavaSSLFactory was replaced with LibPQFactory, the error was gone and the SSL handshake showed the client certificate:

```
javax.net.ssl|FINE|01|main|2023-04-14 09:14:42.556 EDT|CertificateMessage.java:330|Produced client Certificate handshake message ( "Certificates": [ "certificate" : { "version" : "v1", "serial number" : "00 BF F6 AC 05 14 01 AA 28", "signature algorithm": "SHA256withRSA", "issuer" : "CN=localhost, OU=DEV, O=EDB, L=Islamabad, ST=Federal, C=PK", "not before" : "2023-04-11 04:32:54.000 EDT", "not after" : "2023-05-11 04:32:54.000 EDT", "subject" : "CN=enterprisedb, OU=DEV, O=EDB, L=Islamabad, ST=Federal, C=PK", "subject public key" : "RSA"} ] )
```

We are testing with a self-signed certificate.

Can you please shed some light on what the difference is between DefaultJavaSSLFactory and LibPQFactory?
And when should DefaultJavaSSLFactory be used instead of LibPQFactory?

For the above testing, we are using an older version of pgjdbc (42.2.18).

Thanks,

@davecramer
Member Author

@maffaan see https://jdbc.postgresql.org/documentation/ssl/
Specifically the section about

NOTE

If you are using Java’s default mechanism (not LibPQFactory) to create the SSL connection you will need to make the server certificate available to Java, the first step is to convert it to a form Java understands.

@maffaan

maffaan commented Apr 14, 2023

@davecramer yes, using Java's default mechanism, I imported the server certificate in DER format into the truststore, but it was still giving the error: FATAL: connection requires a valid client certificate

I was curious to know whether LibPQFactory ignores two-way SSL authentication and only considers server certificate authentication, as it was not complaining about any valid client certificate. On the server side, the cert authentication method was configured in pg_hba.conf.

@davecramer
Member Author

LibPQFactory does not ignore ssl auth if you use sslmode=verify-full
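Added example, not code from this PR or from pgjdbc itself, showing what the handshake logs in the report above imply: DefaultJavaSSLFactory wraps the JVM's default SSLSocketFactory, which never reads the sslcert/sslkey connection properties, so with that factory the client key pair has to reach JSSE through the javax.net.ssl.keyStore system properties (LibPQFactory, by contrast, consumes the sslcert/sslkey/sslrootcert properties posted above directly). The JDBC URL, the PKCS#12 key store path, the trust store path and the passwords are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Collections;
import java.util.Properties;

public class PgSslClientAuthCheck {
    // Placeholder URL; adjust host, port and database for your environment.
    static final String URL = "jdbc:postgresql://localhost:5432/postgres";
    // Assumption: client cert + key packaged into a PKCS#12 key store (placeholder path).
    static final String KEYSTORE = "/home/edb/client.p12";
    static final char[] KEYSTORE_PW = "changeit".toCharArray();

    // DefaultJavaSSLFactory hands the handshake to SSLSocketFactory.getDefault(), so the
    // sslcert/sslkey properties are ignored; JSSE picks the client key pair and the trusted
    // server/root certificate up from these system properties instead.
    static Properties defaultJavaProps() {
        System.setProperty("javax.net.ssl.keyStore", KEYSTORE);
        System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
        System.setProperty("javax.net.ssl.keyStorePassword", new String(KEYSTORE_PW));
        System.setProperty("javax.net.ssl.trustStore", "/home/edb/truststore.jks"); // placeholder
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
        Properties p = new Properties();
        p.setProperty("ssl", "true");
        p.setProperty("sslmode", "verify-full");
        p.setProperty("sslfactory", "org.postgresql.ssl.DefaultJavaSSLFactory");
        return p;
    }

    // Pre-flight check: the "use empty Certificate message instead" log line means JSSE found
    // no private-key entry, so confirm the key store actually holds one before connecting.
    static boolean hasClientKeyEntry(String path, String type, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) return true; // a key entry carries the private key + cert chain
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        Properties p = defaultJavaProps();
        if (!hasClientKeyEntry(KEYSTORE, "PKCS12", KEYSTORE_PW)) {
            throw new IllegalStateException("key store has no private-key entry: the handshake would send an empty client Certificate");
        }
        try (Connection c = DriverManager.getConnection(URL, p)) {
            System.out.println("connected with client certificate via DefaultJavaSSLFactory");
        }
    }
}
```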
