pgjdbc/pgjdbc GitHub issues and pull requests (mirror)  
From: sehrope (@sehrope) <[email protected]>
To: pgjdbc/pgjdbc <[email protected]>
Subject: Re: [pgjdbc/pgjdbc] issue #3349: SSL connection is not established
Date: Fri, 09 May 2025 14:58:20 +0000
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>

It works when the certificate is expired because the default TrustManager used to validate the certificate does not check the certificate expiration. It only checks if server's certificate matches or is signed by the `root.crt`.

This is due to the implementations of TrustManager not including that check in their default validation. That's part of the JDK classes; it's not specific to this driver. It's possible that could change in the future, but I doubt it will ever happen as it would break a lot of legacy applications.

The rationale for this is because once you've added a certificate to the trust store, it is assumed that you trust it. The trust store itself does not subsequently check if the certificate is expired or invalidated. That is supposed to happen at a higher level prior to creation of the trust store. For a long running application there's the additional complexity of the application "breaking" after it has been online.

We could consider adding such an "is expired" check to the PGJDBC driver's `LibPQFactory` (the default that performs most TLS validation) when it reads the certificates from `root.crt`, however I think it'd have to be optional / opt-in. Changing that default to reject expired certificates would definitely break existing applications, in particular the legacy ones that would be more likely to have such expired certificates.

In the meantime if you want to ensure that expired certificates are rejected, you can create your own SSLSocketFactory that clones the behavior in `LibPQFactory` with the extra expiration check by invoking [`checkValidity()`](https://docs.oracle.com/javase/8/docs/api/java/security/cert/X509Certificate.html#checkValidity--) on each certificate before it is [added to the list](https://github.com/pgjdbc/pgjdbc/blob/d9e20874590f59543c39a99b824e09344f00a813/pgjdbc/src/main/java/...).
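The custom factory described in the reply above, written out as an added example (it is not code from the pgjdbc project or from the reply's author). It assumes the driver's `org.postgresql.ssl.WrappedFactory` base class with its protected `factory` field, the standard `sslrootcert` connection property, and the libpq default of `~/.postgresql/root.crt` when that property is absent; the class name `ExpiryCheckingFactory` is hypothetical. Every certificate read from the bundle goes through `checkValidity()` before it is placed in the trust store, so an expired or not-yet-valid root causes connection setup to fail instead of being silently trusted.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Properties;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.postgresql.ssl.WrappedFactory;

/**
 * Hypothetical example class (not part of pgjdbc): mirrors the root.crt
 * handling of LibPQFactory but rejects any CA certificate that is outside
 * its validity window.
 *
 * Usage (assumed wiring via the standard sslfactory property):
 *   jdbc:postgresql://db.example.internal/app
 *     ?ssl=true&sslfactory=com.example.ExpiryCheckingFactory&sslrootcert=/etc/pki/pg/root.crt
 */
public class ExpiryCheckingFactory extends WrappedFactory {

    // pgjdbc instantiates an sslfactory class through a (Properties) constructor
    // when one is present, so the connection properties are available here.
    public ExpiryCheckingFactory(Properties info) throws Exception {
        // Assumption: same property name and default location that libpq uses.
        String rootCertPath = info.getProperty("sslrootcert",
                System.getProperty("user.home") + "/.postgresql/root.crt");

        // Empty in-memory trust store; only the certificates that pass
        // checkValidity() below are added to it.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(rootCertPath)) {
            int index = 0;
            for (java.security.cert.Certificate c : cf.generateCertificates(in)) {
                X509Certificate cert = (X509Certificate) c;
                // Throws CertificateExpiredException or CertificateNotYetValidException
                // for a certificate outside its notBefore/notAfter window. The default
                // TrustManager never performs this check on trust anchors, which is
                // why an expired root.crt otherwise keeps working.
                cert.checkValidity();
                trustStore.setCertificateEntry("root" + (index++), cert);
            }
            if (index == 0) {
                throw new IllegalStateException("no certificates found in " + rootCertPath);
            }
        }

        // From here on this is the ordinary JDK path: a PKIX trust manager over the
        // vetted roots, wrapped into an SSLContext whose socket factory the driver uses.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        factory = ctx.getSocketFactory();
    }
}
```

Because the check runs once, when the factory is built, a certificate that expires while the application is already running is not re-evaluated for existing connections; as the reply notes, that trade-off is inherent to validating at trust-store creation time.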
