Message-ID:
From: "sehrope (@sehrope)"
To: "pgjdbc/pgjdbc"
Date: Fri, 09 May 2025 14:58:20 +0000
Subject: Re: [pgjdbc/pgjdbc] issue #3349: SSL connection is not established
In-Reply-To:
References:
List-Id:
X-GitHub-Author-Login: sehrope
X-GitHub-Comment-Id: 2866881674
X-GitHub-Comment-Type: issue_comment
X-GitHub-Issue: 3349
X-GitHub-Repo: pgjdbc/pgjdbc
X-GitHub-Type: comment
X-GitHub-Url: https://github.com/pgjdbc/pgjdbc/issues/3349#issuecomment-2866881674
Content-Type: text/plain; charset=utf-8

It works when the certificate is expired because the default TrustManager used to validate the certificate does not check the certificate expiration. It only checks if the server's certificate matches or is signed by the `root.crt`. This is due to the implementations of TrustManager not including that check in their default validation. That's part of the JDK classes, it's not specific to this driver. It's possible that could change in the future, but I doubt it will ever happen as it would break a lot of legacy applications.

The rationale for this is that once you've added a certificate to the trust store, it is assumed that you trust it. The trust store itself does not subsequently check if the certificate is expired or invalidated. That is supposed to happen at a higher level prior to creation of the trust store. For a long running application there's the additional complexity of the application "breaking" after it has been online.

We could consider adding such an "is expired" check to the PGJDBC driver's `LibPQFactory` (the default that performs most TLS validation) when it reads the certificates from `root.crt`, however I think it'd have to be optional / opt-in. Changing that default to reject expired certificates would definitely break existing applications, in particular the legacy ones that would be more likely to have such expired certificates.
In the meantime, if you want to ensure that expired certificates are rejected, you can create your own SSLSocketFactory that clones the behavior in `LibPQFactory` with the extra expiration check by invoking [`checkValidity()`](https://docs.oracle.com/javase/8/docs/api/java/security/cert/X509Certificate.html#checkValidity--) on each certificate before it is [added to the list](https://github.com/pgjdbc/pgjdbc/blob/d9e20874590f59543c39a99b824e09344f00a813/pgjdbc/src/main/java/org/postgresql/ssl/LibPQFactory.java#L161).
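The following is an added example of the workaround sketched in the comment above; it is not code from the pgjdbc project or from the commenter. It builds a custom `SSLSocketFactory` that reads the PEM bundle named by the `sslrootcert` property (defaulting to `root.crt`), calls `checkValidity()` on every certificate before it goes into the trust store, and then delegates to the JDK's own `SSLContext` socket factory. The class name `ExpiryCheckingSslFactory`, the package name and the choice to take the root certificate path from `sslrootcert` are assumptions made for the example; pgjdbc is assumed to instantiate the class named in the `sslfactory` URL parameter through its `Properties` constructor. It deliberately does not reproduce the client-certificate (`sslcert` / `sslkey`) handling of `LibPQFactory`, so it is only a drop-in for connections that use server-side TLS with a CA bundle.

```java
package com.example.pg;

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Example (not pgjdbc code): an SSLSocketFactory that refuses to load
 * expired or not-yet-valid CA certificates from the sslrootcert bundle.
 * Configure with sslfactory=com.example.pg.ExpiryCheckingSslFactory.
 */
public class ExpiryCheckingSslFactory extends SSLSocketFactory {
  private final SSLSocketFactory delegate;

  // Assumption: pgjdbc passes the connection Properties to this constructor.
  public ExpiryCheckingSslFactory(Properties info) throws IOException, GeneralSecurityException {
    String rootCertPath = info.getProperty("sslrootcert", "root.crt");
    List<X509Certificate> roots = loadValidRoots(rootCertPath);
    this.delegate = buildContext(roots).getSocketFactory();
  }

  /** Parses a PEM bundle and rejects any certificate outside its validity window. */
  static List<X509Certificate> loadValidRoots(String path) throws IOException, CertificateException {
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    List<X509Certificate> roots = new ArrayList<>();
    try (InputStream in = new FileInputStream(path)) {
      for (Certificate c : cf.generateCertificates(in)) {
        X509Certificate x509 = (X509Certificate) c;
        try {
          // The default TrustManager does not apply this check to trust anchors,
          // so the factory does it up front, before the trust store is built.
          x509.checkValidity();
        } catch (CertificateException e) {
          throw new CertificateException(
              "Refusing to trust " + x509.getSubjectX500Principal()
                  + " from " + path + ": " + e.getMessage(), e);
        }
        roots.add(x509);
      }
    }
    if (roots.isEmpty()) {
      throw new CertificateException("No certificates found in " + path);
    }
    return roots;
  }

  /** Builds an SSLContext whose only trust anchors are the validated roots. */
  static SSLContext buildContext(List<X509Certificate> roots) throws IOException, GeneralSecurityException {
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    ks.load(null, null); // empty in-memory store
    for (int i = 0; i < roots.size(); i++) {
      ks.setCertificateEntry("root-" + i, roots.get(i));
    }
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(ks);
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, tmf.getTrustManagers(), null);
    return ctx;
  }

  // Everything below simply forwards to the JDK factory built above.
  @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
  @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
  @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
    return delegate.createSocket(s, host, port, autoClose); // the overload pgjdbc uses after SSLRequest
  }
  @Override public Socket createSocket(String host, int port) throws IOException {
    return delegate.createSocket(host, port);
  }
  @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
    return delegate.createSocket(host, port, localHost, localPort);
  }
  @Override public Socket createSocket(InetAddress host, int port) throws IOException {
    return delegate.createSocket(host, port);
  }
  @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
    return delegate.createSocket(address, port, localAddress, localPort);
  }
}
```

A connection URL such as `jdbc:postgresql://db.example.internal/app?ssl=true&sslmode=verify-full&sslfactory=com.example.pg.ExpiryCheckingSslFactory&sslrootcert=/etc/pg/root.crt` would then fail at connect time with the `Refusing to trust ...` message if the bundle holds an expired CA. Note that the check runs once, when the factory is constructed, so it has the same "breaks after it has been online" property the comment mentions: a root that expires while the application is running is only noticed when the driver next builds the factory. Hostname checking is unaffected by this class; it is still driven by `sslmode`.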