Re: TLS certificate alternate trust paths issue in libpq - certificate chain validation failing
From | Jacob Champion |
---|---|
Subject | Re: TLS certificate alternate trust paths issue in libpq - certificate chain validation failing |
Date | |
Msg-id | CAOYmi+mXOv1XwAhwf_WCd+_4F8q_F_0dN=_CBfT6zi6QhTigtg@mail.gmail.com |
In response to | TLS certificate alternate trust paths issue in libpq - certificate chain validation failing (Thomas Spear <speeddymon@gmail.com>) |
List | pgsql-hackers |
On Tue, Apr 30, 2024 at 2:41 PM Thomas Spear <speeddymon@gmail.com> wrote:

> The full details can be found at github.com/pgjdbc/pgjdbc/discussions/3236 - in summary, both jdbc-postgres and the psql cli seem to be affected by an issue validating the certificate chain up to a publicly trusted root certificate that has cross-signed an intermediate certificate coming from a Postgres server in Azure, when using sslmode=verify-full and trying to rely on the default path for sslrootcert.

Hopefully someone more familiar with the Azure cross-signing setup sees something obvious and chimes in, but in the meantime there are a couple things I can think to ask:

1. Are you sure that the server is actually putting the cross-signed intermediate in the chain it's serving to the client?

2. What version of OpenSSL? There used to be validation bugs with alternate trust paths; hopefully you're not using any of those (I think they're old as dirt), but it doesn't hurt to know.

3. Can you provide a sample public certificate chain that should validate and doesn't?

Thanks,
--Jacob
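The following script is an added illustration of Jacob's first question, not code from either poster or from libpq/pgjdbc. It builds a throwaway PKI with the openssl CLI (two roots, one intermediate issued by Root A and cross-signed by Root B, one server certificate) and then runs `openssl verify` the way a client with only Root B in its trust store would see the chain, depending on which intermediate the server happens to send. The names Root A, Root B, Intermediate and db.example.test are constructed for the demonstration; the script assumes an OpenSSL 1.1.1 or 3.x `openssl` binary on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): a cross-signed intermediate only helps
# the client if the server actually serves the cross-signed copy.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-contained openssl config so the demo does not depend on the system
# openssl.cnf: an empty DN section (we pass -subj) and a CA extension profile.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:db.example.test
EOF

# P-256 keys for two roots, one intermediate and one server (leaf) certificate.
for n in rootA rootB inter leaf; do
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$n.key" 2>/dev/null
done

# Root A: the root the intermediate was originally issued under.
# Root B: the (constructed) publicly trusted root the client has by default.
openssl req -x509 -new -key rootA.key -out rootA.crt -days 30 \
  -subj "/CN=Root A" -config pki.cnf 2>/dev/null
openssl req -x509 -new -key rootB.key -out rootB.crt -days 30 \
  -subj "/CN=Root B" -config pki.cnf 2>/dev/null

# One intermediate CSR signed twice: by Root A, and cross-signed by Root B.
# Same key and subject, different issuer.
openssl req -new -key inter.key -out inter.csr -subj "/CN=Intermediate" -config pki.cnf 2>/dev/null
openssl x509 -req -in inter.csr -CA rootA.crt -CAkey rootA.key -CAcreateserial \
  -extfile pki.cnf -extensions ca -days 30 -out inter_by_A.crt 2>/dev/null
openssl x509 -req -in inter.csr -CA rootB.crt -CAkey rootB.key -CAcreateserial \
  -extfile pki.cnf -extensions ca -days 30 -out inter_by_B.crt 2>/dev/null

# Server certificate issued with the intermediate key; it chains through
# either intermediate certificate because both carry the same public key.
openssl req -new -key leaf.key -out leaf.csr -subj "/CN=db.example.test" -config pki.cnf 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter_by_A.crt -CAkey inter.key -CAcreateserial \
  -extfile pki.cnf -extensions leaf -days 30 -out leaf.crt 2>/dev/null

# verify_leaf TRUSTED_ROOT [INTERMEDIATE_SENT_BY_SERVER]
# Exit status 0 when leaf.crt validates to TRUSTED_ROOT given only the
# intermediate the server sent (-untrusted mirrors a cert received in the
# TLS handshake, which the client must not treat as a trust anchor).
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" leaf.crt >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" leaf.crt >/dev/null 2>&1
  fi
}

report() { # report LABEL CMD ARGS...
  label=$1; shift
  if "$@"; then echo "OK   $label"; else echo "FAIL $label"; fi
}

report "trust Root B, server sends no intermediate"             verify_leaf rootB.crt
report "trust Root B, server sends intermediate issued by A"    verify_leaf rootB.crt inter_by_A.crt
report "trust Root B, server sends cross-signed intermediate"   verify_leaf rootB.crt inter_by_B.crt
report "trust Root A, server sends intermediate issued by A"    verify_leaf rootA.crt inter_by_A.crt
```

Only the third case succeeds for a client that trusts Root B alone: the cross-signature does nothing unless the copy issued by Root B is what the server puts on the wire. Against a live server the handed-over chain can be inspected with `openssl s_client -connect HOST:5432 -starttls postgres -showcerts`, and `openssl version` answers the second question in the mail.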