pgjdbc/pgjdbc GitHub issues and pull requests (mirror)
From: Shalaka1197 (@Shalaka1197) <[email protected]>
To: pgjdbc/pgjdbc <[email protected]>
Subject: Re: [pgjdbc/pgjdbc] issue #3349: SSL connection is not established
Date: Thu, 29 Aug 2024 03:59:24 +0000
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
@davecramer Please see my use case below.
I am trying to connect to Postgres via one-way TLS (only the root.crt file is verified).
So on the Postgres server side we have configured the server.crt file and the root.crt file, and their paths are given in the postgresql.conf file.
Now I am trying to connect to the server application via the root.crt file from the client application. Below is the code snippet.
```
SSL =true ;
SSL_MODE= verify-ca;
SSL_RESPONSE_TIMEOUT =5000;
SSL_ROOT_CERT = /tmp/server.crt
```
For the SSL root cert parameter we are passing server.crt, as it gives issues when I pass the root.crt file. It is able to connect via the client application as well using the server.crt file.
Now, for a negative test case scenario, I have created a server.crt file with 1 day expiry and passed the same file in the ssl_root_cert parameter; after one day the certificate for the server.crt file has expired.
From the psql command, below is the error we got.
**PSQL error for expired server.crt file - certificate verification failed.
Java application - it's able to connect via the expired server.crt file**
Now I have given the root.crt file for the ssl_root_cert parameter and got the below error.
```
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Fri Aug 23 11:44:37 UTC 2024, at java.base/sun.security.x509.CertificateValidity.valid(CertificateValidity.java:277)
, at java.base/sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:627)
, at java.base/sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190)
, at java.base/sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144)
```
Now please tell me why the server.crt file is able to connect to Postgres even though its certificate is expired?
The root.crt file is giving an error, and the server.crt file should also throw the same error, right?