Lists: | pgsql-jdbc |
---|
From: | Vic Simkus <vsimkus(at)uic(dot)edu> |
---|---|
To: | pgsql-jdbc(at)postgresql(dot)org |
Subject: | (yet another) SSL connection problem |
Date: | 2008-08-07 19:25:29 |
Message-ID: | 489B4C29.3060701@uic.edu |
Hello
I'm having trouble connecting to a server via SSL using the JDBC
driver. I'm able to connect to the server using pgadmin and psql, so
the problem seems to be rooted in Java.
We have our own local, private CA here that we use for things just like
this. I generated a key and cert request using keytool and then signed
the request. I also added the CA cert to the key store. After all that
the key store looks like this:
pgsql, Aug 7, 2008, keyEntry,
Certificate fingerprint (MD5): FA:4A:DB:E1:A6:14:C1:52:48:DB:AA:53:B0:65:88:BF
local_ca, Aug 7, 2008, trustedCertEntry,
Certificate fingerprint (MD5): BD:4C:AE:FC:5B:75:A1:50:93:C8:AB:5D:76:80:30:04
When I try to connect, the connection fails with an exception that is
at the end of the email. The server log shows:
2008-08-07 14:17:12 CDT LOG: 08P01: could not accept SSL connection: peer did not return a certificate
2008-08-07 14:17:12 CDT LOCATION: open_server_SSL, be-secure.c:902
For fun, I cloned the "pgsql" keyEntry and named the clone "mykey". I
also imported the server cert....
mykey, Aug 7, 2008, keyEntry,
Certificate fingerprint (MD5): FA:4A:DB:E1:A6:14:C1:52:48:DB:AA:53:B0:65:88:BF
pgsql, Aug 7, 2008, keyEntry,
Certificate fingerprint (MD5): FA:4A:DB:E1:A6:14:C1:52:48:DB:AA:53:B0:65:88:BF
local_ca, Aug 7, 2008, trustedCertEntry,
Certificate fingerprint (MD5): BD:4C:AE:FC:5B:75:A1:50:93:C8:AB:5D:76:80:30:04
dbdev-server-cert, Aug 7, 2008, trustedCertEntry,
Certificate fingerprint (MD5): EE:C5:F8:EA:72:0F:5C:D7:8A:F4:38:6F:8C:CD:6C:54
Same problem persists. I'm running postgres 8.2.6, Java 1.5.0_13, and
the JDBC driver postgresql-8.3-603.jdbc3.jar
Any help would be appreciated.
Thanks
Vic
Exception listing:
[14:17:12.817] Caused by: org.postgresql.util.PSQLException: The connection attempt failed.
[14:17:12.817] at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:137)
[14:17:12.817] at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:66)
[14:17:12.817] at org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connection.java:124)
[14:17:12.817] at org.postgresql.jdbc3.AbstractJdbc3Connection.<init>(AbstractJdbc3Connection.java:30)
[14:17:12.817] at org.postgresql.jdbc3.Jdbc3Connection.<init>(Jdbc3Connection.java:24)
[14:17:12.817] at org.postgresql.Driver.makeConnection(Driver.java:386)
[14:17:12.817] at org.postgresql.Driver.connect(Driver.java:260)
[14:17:12.817] at java.sql.DriverManager.getConnection(DriverManager.java:525)
[14:17:12.817] at java.sql.DriverManager.getConnection(DriverManager.java:171)
[14:17:12.817] at org.postgresql.ds.common.BaseDataSource.getConnection(BaseDataSource.java:83)
[14:17:12.817] at org.postgresql.ds.PGConnectionPoolDataSource.getPooledConnection(PGConnectionPoolDataSource.java:72)
[14:17:12.817] at com.caucho.sql.DriverConfig.createPooledConnection(DriverConfig.java:586)
[14:17:12.817] at com.caucho.sql.ManagedConnectionImpl.initDriverConnection(ManagedConnectionImpl.java:245)
[14:17:12.817] at com.caucho.sql.ManagedConnectionImpl.<init>(ManagedConnectionImpl.java:141)
[14:17:12.817] at com.caucho.sql.ManagedFactoryImpl.createManagedConnection(ManagedFactoryImpl.java:139)
[14:17:12.817] at com.caucho.jca.ConnectionPool.create(ConnectionPool.java:926)
[14:17:12.817] at com.caucho.jca.ConnectionPool.allocatePool(ConnectionPool.java:795)
[14:17:12.817] at com.caucho.jca.ConnectionPool.allocate(ConnectionPool.java:756)
[14:17:12.817] at com.caucho.jca.ConnectionPool.allocateConnection(ConnectionPool.java:567)
[14:17:12.817] at com.caucho.sql.DataSourceImpl.getConnection(DataSourceImpl.java:65)
[14:17:12.817] at com.caucho.sql.DBPool.getConnection(DBPool.java:701)
[14:17:12.817] at org.hibernate.connection.DatasourceConnectionProvider.getConnection(DatasourceConnectionProvider.java:69)
[14:17:12.817] at org.hibernate.jdbc.ConnectionManager.openConnection(ConnectionManager.java:423)
[14:17:12.817] ... 41 more
[14:17:12.817] Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
[14:17:12.817] at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
[14:17:12.817] at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:117)
[14:17:12.817] at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1584)
[14:17:12.817] at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:866)
[14:17:12.817] at com.sun.net.ssl.internal.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1366)
[14:17:12.817] at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:103)
[14:17:12.817] at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:590)
[14:17:12.817] at com.sun.net.ssl.internal.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:698)
[14:17:12.817] at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:624)
[14:17:12.817] at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:160)
[14:17:12.817] at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
[14:17:12.817] at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
[14:17:12.817] at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
[14:17:12.817] at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
[14:17:12.817] at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:622)
[14:17:12.817] at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
[14:17:12.817] at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
[14:17:12.817] at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
[14:17:12.817] at org.postgresql.core.PGStream.flush(PGStream.java:508)
[14:17:12.817] at org.postgresql.core.v3.ConnectionFactoryImpl.sendStartupPacket(ConnectionFactoryImpl.java:244)
[14:17:12.817] at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:92)
[14:17:12.817] ... 63 more
--
Vic Simkus
Department of Neurology, UIC
912 South Wood St.
Room 855N
Chicago IL 60612
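
A check for a keystore like the one listed in the message above, as an added example that is not part of the original thread or of the JDBC driver: it reports, for each key entry, whether its certificate is still self-signed and whether a trusted certificate in the same store signed the top of its chain. The class name KeyStoreCheck and the two command-line arguments (keystore path, password) are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example; KeyStoreCheck is a hypothetical name, not part of the JDBC driver.
// Usage (path and password are the caller's own): java KeyStoreCheck <keystore> <password>
public class KeyStoreCheck {

    // Alias of the trustedCertEntry whose public key verifies cert's signature,
    // or null when no trusted certificate in this store signed it.
    static String trustedIssuer(KeyStore ks, X509Certificate cert) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) continue;
            try {
                cert.verify(ks.getCertificate(alias).getPublicKey());
                return alias;
            } catch (GeneralSecurityException e) {
                // signature does not match this trusted certificate; keep looking
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.getCertificateChain(alias); // null for a trustedCertEntry
            if (!ks.isKeyEntry(alias) || chain == null || chain.length == 0) {
                System.out.println(alias + ": no private key, cannot be offered as a client certificate");
                continue;
            }
            X509Certificate leaf = (X509Certificate) chain[0];
            X509Certificate top = (X509Certificate) chain[chain.length - 1];
            // A freshly generated key pair carries a self-signed certificate until the
            // CA-signed reply is imported under the same alias.
            boolean selfSigned = leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
            System.out.println(alias + ": keyEntry, subject=" + leaf.getSubjectX500Principal().getName()
                + ", issuer=" + leaf.getIssuerX500Principal().getName()
                + ", chainLength=" + chain.length + ", selfSigned=" + selfSigned
                + ", trustedIssuerAlias=" + trustedIssuer(ks, top));
        }
    }
}
```
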
From: | Kris Jurka <books(at)ejurka(dot)com> |
---|---|
To: | Vic Simkus <vsimkus(at)uic(dot)edu> |
Cc: | pgsql-jdbc(at)postgresql(dot)org |
Subject: | Re: (yet another) SSL connection problem |
Date: | 2008-08-07 19:33:37 |
Message-ID: | Pine.BSO.4.64.0808071530410.8854@leary.csoft.net |
On Thu, 7 Aug 2008, Vic Simkus wrote:
> 2008-08-07 14:17:12 CDT LOG: 08P01: could not accept SSL connection:
> peer did not return a certificate
>
The JDBC driver currently does not support client certificates. This
patch claims to, but I have not looked at it.
http://archives.postgresql.org/pgsql-jdbc/2006-02/msg00166.php
Kris Jurka
From: | Vic Simkus <vsimkus(at)uic(dot)edu> |
---|---|
To: | Kris Jurka <books(at)ejurka(dot)com> |
Cc: | pgsql-jdbc(at)postgresql(dot)org |
Subject: | Re: (yet another) SSL connection problem |
Date: | 2008-08-07 19:46:20 |
Message-ID: | 489B510C.1080405@uic.edu |
Thanks for the tip, Kris. Any idea when this capability will be added
into a 'supported' release? Also, perhaps this should be added to the
documentation or a faq so that another poor sucker like me doesn't end
up pulling his hair out :)
Kris Jurka wrote:
>
>
> On Thu, 7 Aug 2008, Vic Simkus wrote:
>
>> 2008-08-07 14:17:12 CDT LOG: 08P01: could not accept SSL connection:
>> peer did not return a certificate
>>
>
> The JDBC driver currently does not support client certificates. This
> patch claims to, but I have not looked at it.
>
> http://archives.postgresql.org/pgsql-jdbc/2006-02/msg00166.php
>
> Kris Jurka
>
--
Vic Simkus
Department of Neurology, UIC
912 South Wood St.
Room 855N
Chicago IL 60612