SSL connection issue with JDBC

SSL connection issue with JDBC

Anupkumar Seth

Hi,

 

Details required:-

 

JDBC driver build number:- postgresql-9.1-903.jdbc4

 

Server version:- PostgreSQL 11.2 (Ubuntu 11.2-1.pgdg16.04+1) on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 5.4.0-6ubuntu1~16.04.11) 5.4.0 20160609, 64-bit

 

Exact error message and stacktrace:-

 

org.postgresql.util.PSQLException: The connection attempt failed.

                at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:150)

                at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:64)

                at org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connection.java:123)

                at org.postgresql.jdbc3.AbstractJdbc3Connection.<init>(AbstractJdbc3Connection.java:28)

                at org.postgresql.jdbc3g.AbstractJdbc3gConnection.<init>(AbstractJdbc3gConnection.java:20)

                at org.postgresql.jdbc4.AbstractJdbc4Connection.<init>(AbstractJdbc4Connection.java:30)

                at org.postgresql.jdbc4.Jdbc4Connection.<init>(Jdbc4Connection.java:22)

                at org.postgresql.Driver.makeConnection(Driver.java:391)

                at org.postgresql.Driver.connect(Driver.java:265)

                at java.sql.DriverManager.getConnection(DriverManager.java:675)

                at java.sql.DriverManager.getConnection(DriverManager.java:219)

                at com.utility.PostgresSSL.main(PostgresSSL.java:24)

Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:

                java.security.cert.CertPathValidatorException: The certificate issued by CN=certificate-authority is not trusted; internal cause is:

                java.security.cert.CertPathValidatorException: Certificate chaining error

                at com.ibm.jsse2.j.a(j.java:12)

                at com.ibm.jsse2.as.a(as.java:118)

                at com.ibm.jsse2.C.a(C.java:193)

                at com.ibm.jsse2.C.a(C.java:245)

                at com.ibm.jsse2.D.a(D.java:242)

                at com.ibm.jsse2.D.a(D.java:56)

                at com.ibm.jsse2.C.r(C.java:69)

                at com.ibm.jsse2.C.a(C.java:580)

                at com.ibm.jsse2.as.a(as.java:512)

                at com.ibm.jsse2.as.i(as.java:969)

                at com.ibm.jsse2.as.a(as.java:176)

                at com.ibm.jsse2.h.write(h.java:36)

                at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:93)

                at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:151)

                at org.postgresql.core.PGStream.flush(PGStream.java:521)

                at org.postgresql.core.v3.ConnectionFactoryImpl.sendStartupPacket(ConnectionFactoryImpl.java:257)

                at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:103)

                ... 11 more

Caused by: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:

                java.security.cert.CertPathValidatorException: The certificate issued by CN=certificate-authority is not trusted; internal cause is:

                java.security.cert.CertPathValidatorException: Certificate chaining error

                at com.ibm.jsse2.util.f.a(f.java:35)

                at com.ibm.jsse2.util.f.b(f.java:96)

                at com.ibm.jsse2.util.e.a(e.java:19)

                at com.ibm.jsse2.aA.a(aA.java:132)

                at com.ibm.jsse2.aA.a(aA.java:39)

                at com.ibm.jsse2.aA.checkServerTrusted(aA.java:27)

                at com.ibm.jsse2.D.a(D.java:110)

                ... 23 more

Caused by: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:

                java.security.cert.CertPathValidatorException: The certificate issued by CN=certificate-authority is not trusted; internal cause is:

                java.security.cert.CertPathValidatorException: Certificate chaining error

                at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:422)

                at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)

                at com.ibm.jsse2.util.f.a(f.java:49)

                ... 29 more

Caused by: java.security.cert.CertPathValidatorException: The certificate issued by CN=certificate-authority is not trusted; internal cause is:

                java.security.cert.CertPathValidatorException: Certificate chaining error

                at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:111)

                at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:199)

                at com.ibm.security.cert.PKIXCertPathBuilderImpl.myValidator(PKIXCertPathBuilderImpl.java:749)

                at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:661)

                at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:607)

                at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:368)

                ... 31 more

Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error

                at com.ibm.security.cert.CertPathUtil.findIssuer(CertPathUtil.java:316)

                at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:108)

                ... 36 more

 

 

What you were doing, ideally in code form:-

 

We are working on Connecting to Postgresql database via SSL through Java JDBC. We are not able to establish SSL connection, but non SSL connection is working. Postgresql SSL server has been set up at our end and if we connect to it using pgAdmin4 client we are able to connect to it via SSL but the same is not working in JAVA using JDBC.

 

In the Java program if we provide the connection string parameter ("sslfactory", "org.postgresql.ssl.NonValidatingFactory"), this property will ignore the certificate validation and connect via SSL, but we want to connect with passing certificates only.

 

If we try to run the program with certificates in the parameter we get error as posted above.

 

Code:-

 

String url = "jdbc:postgresql://<host>:5432/postgres";
Properties props = new Properties();
props.setProperty("user","postgres");
props.setProperty("password","temp4now");
props.setProperty("ssl","true");
props.setProperty("sslcert", "C:\\Users\\user1\\Desktop\\postgresSsl\\client\\postgresql.crt");
props.setProperty("sslkey", "C:\\Users\\user1\\Desktop\\postgresSsl\\client\\postgresql.key");
props.setProperty("sslrootcert", "C:\\Users\\user1\\Desktop\\postgresSsl\\client\\root.crt");
Connection conn = DriverManager.getConnection(url, props);

 

 

 

If I use latest JDBC postgresql driver "postgresql-42.2.5" then I get below error.

 

org.postgresql.util.PSQLException: SSL error: Received fatal alert: unexpected_message

                at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:42)

                at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:435)

                at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)

                at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)

                at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)

                at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)

                at org.postgresql.Driver.makeConnection(Driver.java:454)

                at org.postgresql.Driver.connect(Driver.java:256)

                at java.sql.DriverManager.getConnection(DriverManager.java:675)

                at java.sql.DriverManager.getConnection(DriverManager.java:219)

                at com.utility.PostgresSSL.main(PostgresSSL.java:23)

Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message

                at com.ibm.jsse2.j.a(j.java:35)

                at com.ibm.jsse2.j.a(j.java:31)

                at com.ibm.jsse2.as.b(as.java:806)

                at com.ibm.jsse2.as.a(as.java:102)

                at com.ibm.jsse2.as.i(as.java:969)

                at com.ibm.jsse2.as.a(as.java:680)

                at com.ibm.jsse2.as.startHandshake(as.java:859)

                at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)

                ... 10 more

 

 

 

 

I tried to search a lot but was not able to find the solution for this. Let me know which driver to use for this and if anything I am missing in this.

 

Thanks,

Anup

Re: SSL connection issue with JDBC

lup


On 5/14/19 6:35 AM, Anupkumar Seth wrote:

I tried to search a lot but was not able to find the solution for this. Let me know which driver to use for this and if anything I am missing in this.

 

Thanks,

Anup

Update your jdbc driver to current release.

Re: SSL connection issue with JDBC

David Wall
On 5/14/19 9:31 AM, Rob Sargent wrote:

If I use latest JDBC postgresql driver "postgresql-42.2.5" then I get below error.

 Anup

Update your jdbc driver to current release.


Sounds like that was done.

Are you sure your SSL certs are recognized?  The original exception suggests an issue with trust along the chain:

Caused by: java.security.cert.CertPathValidatorException: The certificate issued by CN=certificate-authority is not trusted; internal cause is:

                java.security.cert.CertPathValidatorException: Certificate chaining error

That does seem an unexpected CN.  Both your java cacerts and postgres would have to share the CA certs needed to validate the full chain.

David

Re: SSL connection issue with JDBC

Dave Cramer-8
One thing is the certs for java have to be in DER format.


  • Note: The key file must be in DER format. A PEM key can be converted to DER format using the openssl command:

    openssl pkcs8 -topk8 -inform PEM -in my.key -outform DER -out my.key.der



On Tue, 14 May 2019 at 13:07, David Wall <[hidden email]> wrote:

Sounds like that was done.

Are you sure your SSL certs are recognized?  The original exception suggests an issue with trust along the chain:

Caused by: java.security.cert.CertPathValidatorException: The certificate issued by CN=certificate-authority is not trusted; internal cause is:

                java.security.cert.CertPathValidatorException: Certificate chaining error

That does seem an unexpected CN.  Both your java cacerts and postgres would have to share the CA certs needed to validate the full chain.

David
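
Why the key format in Dave Cramer's note matters on the Java side, as an added example (not code from this thread or from the pgJDBC project): Java's standard `PKCS8EncodedKeySpec` accepts only binary PKCS#8, so a PEM text file fails to parse until its Base64 body is decoded to DER. The class name `KeyFormatCheck` is hypothetical and the RSA key is a constructed sample generated in memory; the example assumes the client key is loaded through the standard JCA PKCS#8 path.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;

// Added example (hypothetical class name): classify a client key file the way a
// JCA-based TLS client sees it, and show that PEM text is not PKCS#8 DER.
public class KeyFormatCheck {

    /** Parse bytes as unencrypted PKCS#8 DER holding an RSA key; null if they are not. */
    static PrivateKey parsePkcs8Der(byte[] bytes) throws Exception {
        try {
            return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(bytes));
        } catch (InvalidKeySpecException e) {
            return null;
        }
    }

    /** Returns "PEM", "PKCS8-DER", or "OTHER" (encrypted PKCS#8, PKCS#1 DER, non-RSA, garbage). */
    static String classify(byte[] bytes) throws Exception {
        String head = new String(bytes, 0, Math.min(bytes.length, 64), StandardCharsets.US_ASCII);
        if (head.contains("-----BEGIN ")) {
            return "PEM";
        }
        return parsePkcs8Der(bytes) != null ? "PKCS8-DER" : "OTHER";
    }

    /** Decode an unencrypted "BEGIN PRIVATE KEY" PEM block to its DER bytes. */
    static byte[] pemToDer(byte[] pem) {
        String text = new String(pem, StandardCharsets.US_ASCII);
        if (!text.contains("-----BEGIN PRIVATE KEY-----")) {
            throw new IllegalArgumentException("not an unencrypted PKCS#8 PEM block");
        }
        String body = text.replaceAll("-----(BEGIN|END) PRIVATE KEY-----", "")
                          .replaceAll("\\s", "");
        return Base64.getDecoder().decode(body);
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 1) {
            // Classify a real key file passed on the command line.
            byte[] file = Files.readAllBytes(Paths.get(args[0]));
            System.out.println(args[0] + ": " + classify(file));
            return;
        }
        // Constructed sample: a throwaway RSA key generated in memory.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        byte[] der = pair.getPrivate().getEncoded(); // JCA encodes RSA private keys as PKCS#8
        String b64 = Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(der);
        byte[] pem = ("-----BEGIN PRIVATE KEY-----\n" + b64 + "\n-----END PRIVATE KEY-----\n")
                .getBytes(StandardCharsets.US_ASCII);

        System.out.println("PEM file classified as: " + classify(pem));
        System.out.println("PEM parses as PKCS#8:   " + (parsePkcs8Der(pem) != null));
        System.out.println("DER file classified as: " + classify(der));
        PrivateKey recovered = parsePkcs8Der(pemToDer(pem));
        System.out.println("Decoded PEM equals DER: "
                + Arrays.equals(recovered.getEncoded(), der));
    }
}
```

Run with a key file path as the only argument to classify an existing file; a traditional `BEGIN RSA PRIVATE KEY` file is reported as PEM and still needs the `openssl pkcs8 -topk8` conversion quoted above.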

RE: SSL connection issue with JDBC

Anupkumar Seth

Hi Dave,

 

It works now with DER format. Using below parameters now and “postgresql-42.2.5” driver.

 

String url1 = "jdbc:postgresql://<host>:5432/postgres?user=postgres"
        + "&password=<password>"
        + "&sslmode=verify-ca"
        + "&sslcert=<path>\\postgresql.crt"
        + "&sslkey=<path>\\my.key.der"
        + "&sslrootcert=<path>\\root.crt";

 

 

Thanks,

Anup

 

From: Dave Cramer <[hidden email]>
Sent: Saturday, May 18, 2019 12:51 AM
To: David Wall <[hidden email]>
Cc: [hidden email]
Subject: Re: SSL connection issue with JDBC

 

One thing is the certs for java have to be in DER format.

 

 

  • Note: The key file must be in DER format. A PEM key can be converted to DER format using the openssl command:

openssl pkcs8 -topk8 -inform PEM -in my.key -outform DER -out my.key.der
