Re: BUG #5245: Full Server Certificate Chain Not Sent to client

The following bug has been logged online:

Bug reference: 5245
Logged by: Brian Krug
Email address: bkrug(at)usatech(dot)com
PostgreSQL version: 8.4.1
Operating system: Solaris 10
Description: Full Server Certificate Chain Not Sent to client
Details:

I setup a postgres server with hostssl connections (in pg_hba.conf) and
clientcert=1 option. Then I setup a Java client to connect to it with the
postgres jdbc driver (version 8.4-701.jdbc4). I setup the server.key,
server.crt and root.crt files on the server. The server.crt file is a
certificate chain of 3 entries: the host-specific certificate followed by an
immediate CA certificate followed by our company's root CA certificate. I
put the root CA certificate into the truststore of the java client and I
enable full ssl debug logging in the java client with -Djavax.net.debug=ssl.
When I attempt a connection, my java client rejects the server's certificate
reporting "SunCertPathBuilderException: unable to find valid certification
path to requested target". When I look at the ssl debug logging, I realize
that the server has only sent the first certificate (it's own) and not the
full certificate chain.

On 15/12/09 23:35, Brian Krug wrote:
>
> The following bug has been logged online:
>
> Bug reference: 5245
> Logged by: Brian Krug
> Email address: bkrug(at)usatech(dot)com
> PostgreSQL version: 8.4.1
> Operating system: Solaris 10
> Description: Full Server Certificate Chain Not Sent to client
> Details:
>
> I setup a postgres server with hostssl connections (in pg_hba.conf) and
> clientcert=1 option. Then I setup a Java client to connect to it with the
> postgres jdbc driver (version 8.4-701.jdbc4). I setup the server.key,
> server.crt and root.crt files on the server. The server.crt file is a
> certificate chain of 3 entries: the host-specific certificate followed by an
> immediate CA certificate followed by our company's root CA certificate. I
> put the root CA certificate into the truststore of the java client and I
> enable full ssl debug logging in the java client with -Djavax.net.debug=ssl.
> When I attempt a connection, my java client rejects the server's certificate
> reporting "SunCertPathBuilderException: unable to find valid certification
> path to requested target". When I look at the ssl debug logging, I realize
> that the server has only sent the first certificate (it's own) and not the
> full certificate chain.

In another thread, Tom Lane wrote:

> I'm still a bit mystified about bug #5245 though. I can see two
> possible explanations for that one:
>
> 1. The reporter was wrong about which server version he was using;
> pre-8.4 servers would in fact not send the whole cert chain, cf
> http://archives.postgresql.org/pgsql-committers/2009-05/msg00195.php
>
> 2. The reporter was wrong about the actual cause of his problem, and
> despite his description, the true reason his Java client was failing
> was the lack of SSL_CTX_set_client_CA_list().
>
> Anyway, as far as I can tell the case described there works now.

Yep. I wasn't able to reproduce that issue in any configuration where Pg
had _some_ access to the required certs, via server.crt or root.crt .

Perhaps the original reporter can enlighten us; I've jumped to the
thread for #5245 for that purpose.

--
Craig Ringer