Re: BUG #5245: Full Server Certificate Chain Not Sent to client
| From | Craig Ringer |
|---|---|
| Subject | Re: BUG #5245: Full Server Certificate Chain Not Sent to client |
| Date | |
| Msg-id | 4BFDDF65.7080603@postnewspapers.com.au |
| In reply to | BUG #5245: Full Server Certificate Chain Not Sent to client ("Brian Krug" <bkrug@usatech.com>) |
| List | pgsql-bugs |
On 15/12/09 23:35, Brian Krug wrote:
>
> The following bug has been logged online:
>
> Bug reference: 5245
> Logged by: Brian Krug
> Email address: bkrug@usatech.com
> PostgreSQL version: 8.4.1
> Operating system: Solaris 10
> Description: Full Server Certificate Chain Not Sent to client
> Details:
>
> I set up a postgres server with hostssl connections (in pg_hba.conf) and
> the clientcert=1 option. Then I set up a Java client to connect to it with the
> postgres jdbc driver (version 8.4-701.jdbc4). I set up the server.key,
> server.crt and root.crt files on the server. The server.crt file is a
> certificate chain of 3 entries: the host-specific certificate followed by an
> immediate CA certificate followed by our company's root CA certificate. I
> put the root CA certificate into the truststore of the java client and I
> enable full ssl debug logging in the java client with -Djavax.net.debug=ssl.
> When I attempt a connection, my java client rejects the server's certificate
> reporting "SunCertPathBuilderException: unable to find valid certification
> path to requested target". When I look at the ssl debug logging, I realize
> that the server has only sent the first certificate (its own) and not the
> full certificate chain.

In another thread, Tom Lane wrote:

> I'm still a bit mystified about bug #5245 though. I can see two
> possible explanations for that one:
>
> 1. The reporter was wrong about which server version he was using;
> pre-8.4 servers would in fact not send the whole cert chain, cf
> http://archives.postgresql.org/pgsql-committers/2009-05/msg00195.php
>
> 2. The reporter was wrong about the actual cause of his problem, and
> despite his description, the true reason his Java client was failing
> was the lack of SSL_CTX_set_client_CA_list().
>
> Anyway, as far as I can tell the case described there works now.

Yep. I wasn't able to reproduce that issue in any configuration where Pg had
_some_ access to the required certs, via server.crt or root.crt.

Perhaps the original reporter can enlighten us; I've jumped to the thread for
#5245 for that purpose.

--
Craig Ringer
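Before concluding that the server drops certificates, a defender would confirm that the server.crt bundle really is ordered the way the report describes (host certificate, then intermediate, then root): a bundle with the order wrong or a link missing yields the same "unable to find valid certification path" error on the client. The following is an added example, not code from this thread or from PostgreSQL: a stdlib-only Python checker that walks the DER of each certificate, pulls issuer and subject, and verifies byte-for-byte that each certificate is issued by the one after it. `fake_cert_pem` builds constructed, unsigned certificate-shaped input purely so the checker can be exercised offline; it does not produce usable certificates.

```python
import re
import ssl

def _tlv(buf, pos=0):
    """Read one DER TLV at pos -> (tag, value, end); handles short- and long-form lengths."""
    tag, first = buf[pos], buf[pos + 1]
    n = (first & 0x7F) if first & 0x80 else 0
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big") if n else first
    start = pos + 2 + n
    return tag, buf[start:start + length], start + length

def names(der_cert):
    """Return (issuer, subject) as raw DER Name encodings from one DER-encoded X.509 certificate."""
    _, tbs, _ = _tlv(_tlv(der_cert)[1])  # Certificate SEQUENCE -> tbsCertificate SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):
        tag, val, pos = _tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:  # drop the optional [0] EXPLICIT version field (absent in v1 certs)
        fields.pop(0)
    return fields[2][1], fields[4][1]  # serial, signature, ISSUER, validity, SUBJECT, ...

def chain_problems(bundle_pem):
    """Check that a PEM bundle (e.g. server.crt) is ordered leaf -> intermediate(s) -> root,
    i.e. cert[i].issuer == cert[i+1].subject byte-for-byte. Returns problems; [] means ordered."""
    pems = re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", bundle_pem, re.S)
    ders = [ssl.PEM_cert_to_DER_cert(p) for p in pems]
    if not ders:
        return ["no certificates found in bundle"]
    return [f"cert {i} is not issued by cert {i + 1}: chain out of order or gap"
            for i in range(len(ders) - 1) if names(ders[i])[0] != names(ders[i + 1])[1]]

def _der(tag, body):
    """Encode one DER TLV; used only to build the constructed test input below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed, UNSIGNED certificate-shaped PEM (CN-only names, dummy key); test input only."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption OID
    validity = _der(0x30, _der(0x17, b"250101000000Z") * 2)
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name(issuer_cn)
               + validity + name(subject_cn) + _der(0x30, alg + _der(0x03, b"\x00")))
    return ssl.DER_cert_to_PEM_cert(_der(0x30, tbs + alg + _der(0x03, b"\x00")))
```

On a real server run `chain_problems(open("server.crt").read())`; a non-empty result means the bundle itself, not the server's sending behaviour, is the first thing to fix.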