Message-ID:
From: "sehrope (@sehrope)"
To: "pgjdbc/pgjdbc"
Date: Sun, 22 Feb 2026 16:40:46 +0000
Subject: Re: [pgjdbc/pgjdbc] issue #3942: File extension-based format detection breaks DER keys with .key suffix
In-Reply-To:
References:
List-Id:
X-GitHub-Author-Login: sehrope
X-GitHub-Comment-Id: 3941341519
X-GitHub-Comment-Type: issue_comment
X-GitHub-Issue: 3942
X-GitHub-Repo: pgjdbc/pgjdbc
X-GitHub-Type: comment
X-GitHub-Url: https://github.com/pgjdbc/pgjdbc/issues/3942#issuecomment-3941341519
Content-Type: text/plain; charset=utf-8

Yes, this is a regression. Thanks for the report.

I believe the intention of LibPQFactory is to match the default behavior of libpq whenever possible. It's a bit different here (even before the PEM support PR) as historically we support Java's native key stores for certs.

In libpq they try loading the key twice and only report the second error:

https://github.com/postgres/postgres/blob/412f78c66eedbe9cf41a657f4566d86a69ab7af2/src/interfaces/libpq/fe-secure-openssl.c#L1276-L1302

That works fine for the happy path where the key can be read correctly in some manner. But it might give a not-so-great error if it's really the first type that's tried. Probably fine though, as it does not stop you from being able to connect when you otherwise could (just the error message is not that helpful).

I think we need to do something similar here as well. Maybe we also offer a separate driver option to instruct how to pick (e.g., default of "auto" that tries all options, but explicit "PEM" etc. to force only one attempt at the known type).

I don't like any of the file extension based checks. I think we might be able to remove them with the "auto" option, as the change would only be in the possible not-so-great error message if it fails. That'd be simpler than trying to handle file extensions and an entire separate code path.

@davecramer @vlsi Thoughts?
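Below is an added example, not pgjdbc code or anything from the comment above, sketching the "auto" approach the comment proposes: try each supported private-key encoding in turn regardless of the file extension, and let an explicit mode force exactly one attempt. The class name `KeyFormatProbe`, the `Format` enum and the option names are hypothetical. It goes one step beyond the libpq behaviour the comment links to: rather than reporting only the last failure, it keeps every earlier failure as a suppressed exception so the error is still useful when the first format was the intended one. Only unencrypted PKCS#8 keys are handled; the key type is recovered by asking each `KeyFactory` to parse the blob.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.List;

/**
 * Hypothetical helper (not pgjdbc's own code) illustrating an "auto" private-key
 * loader that ignores file extensions and tries PEM, then DER, and a forced mode
 * that tries only the named encoding.
 */
public final class KeyFormatProbe {

    /** Value of a hypothetical driver option; AUTO tries every encoding in order. */
    public enum Format { AUTO, PEM, DER }

    private static final String PEM_BEGIN = "-----BEGIN PRIVATE KEY-----";
    private static final String PEM_END = "-----END PRIVATE KEY-----";

    // KeyFactory algorithms to try against the PKCS#8 blob. The factory whose
    // AlgorithmIdentifier matches the encoding accepts it; the others throw.
    // "EdDSA" exists from JDK 15 on; on older JDKs it fails and is skipped.
    private static final String[] ALGORITHMS = {"RSA", "EC", "EdDSA"};

    public static PrivateKey load(Path path, Format format)
            throws IOException, GeneralSecurityException {
        byte[] raw = Files.readAllBytes(path);
        List<Format> attempts = (format == Format.AUTO)
                ? List.of(Format.PEM, Format.DER)
                : List.of(format);
        GeneralSecurityException last = null;
        for (Format f : attempts) {
            try {
                return (f == Format.PEM) ? fromPem(raw) : fromDer(raw);
            } catch (GeneralSecurityException e) {
                // Keep every failure instead of only the last one, so a broken
                // PEM file still reports the PEM error and not just "bad DER".
                if (last != null) {
                    e.addSuppressed(last);
                }
                last = e;
            }
        }
        throw last;
    }

    static PrivateKey fromPem(byte[] raw) throws GeneralSecurityException {
        String text = new String(raw, StandardCharsets.US_ASCII);
        int begin = text.indexOf(PEM_BEGIN);
        int end = text.indexOf(PEM_END);
        if (begin < 0 || end < 0 || end < begin) {
            throw new GeneralSecurityException("no PKCS#8 PEM block found");
        }
        String body = text.substring(begin + PEM_BEGIN.length(), end).replaceAll("\\s", "");
        byte[] der;
        try {
            der = Base64.getDecoder().decode(body);
        } catch (IllegalArgumentException e) {
            throw new GeneralSecurityException("PEM body is not valid base64", e);
        }
        return fromDer(der);
    }

    static PrivateKey fromDer(byte[] der) throws GeneralSecurityException {
        // A DER-encoded PrivateKeyInfo starts with a SEQUENCE tag (0x30);
        // a PEM file starts with '-' (0x2D), so this rejects it cheaply.
        if (der.length == 0 || der[0] != 0x30) {
            throw new GeneralSecurityException("input does not start with a DER SEQUENCE");
        }
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(der);
        GeneralSecurityException last = null;
        for (String alg : ALGORITHMS) {
            try {
                return KeyFactory.getInstance(alg).generatePrivate(spec);
            } catch (GeneralSecurityException e) {
                if (last != null) {
                    e.addSuppressed(last);
                }
                last = e;
            }
        }
        throw last;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java KeyFormatProbe <keyfile> [auto|pem|der]
        Format f = (args.length > 1) ? Format.valueOf(args[1].toUpperCase()) : Format.AUTO;
        PrivateKey key = load(Path.of(args[0]), f);
        System.out.println(key.getAlgorithm() + " key loaded (mode " + f + ")");
    }
}
```

With `auto`, a DER key named `client.key` loads on the second attempt because the PEM parser rejects it (no `-----BEGIN` marker) and the DER parser accepts the leading `0x30`; with `pem` forced, the same file fails immediately with the PEM error, which is the "one attempt at the known type" behaviour the comment describes. A practitioner checking the error path can feed a corrupted PEM file and confirm that the reported exception carries the base64 or parsing failure as a suppressed cause rather than only the DER rejection.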