Error validating client certificate: PostgreSQL reports "ccs received early" error #1364
Comments
Yes, I've seen this before, now I have to recall how I fixed it. |
@Mrk-Nguyen try setting properties.setProperty(SSL_PASSWORD.getName(),""); |
Thanks for the response Dave. Adding:
into my Java code still gives me the same error. |
In my case it was failing to open the ssl keystore if that helps |
I see, the certificates I created have no password. I'll try to add passwords and see if that's the issue. |
Mine didn't have password either, but the code needed something other than null for the password IIRC |
Well I created a new client certificate with an encrypted key and the |
I am facing this same problem, on slightly different software: Driver Version? Java Version? OS Version? PostgreSQL Version? OpenSSL Version? I am using similar SSL connection attributes, but with the addition of I have not found a work-around yet! |
hmmm ok, I'll spend some time on this. Can either one of you provide me a step by step how you are creating the certs/keys and I'll try to figure it out ? |
I think I found the problem, after stepping through the SSL code... the private key was not loading, due to an "invalid format" exception. My key was in PEM format. I converted it to DER format with
and then re-configured the connection to use the |
@msqr thanks for the update |
@msqr Confirmed it now works! Thanks for looking into this. @davecramer should the JDBC driver support PEM format as well? |
@Mrk-Nguyen pull requests are welcome. I'm ambivalent, although if either of you wanted to fix the docs so that nobody else wastes this much time I'd be grateful |
I'll submit a PR on docs this weekend to save everyone headaches. I'll see if I can submit a PR on supporting PEM format. |
Not sure if anyone will read it, but we've faced the same problem: our key was PEM-encoded and had to be converted to DER. Would be really nice if pgjdbc could read PEM files... |
my understanding is that this is a java problem? see https://stackoverflow.com/questions/11787571/how-to-read-pem-file-to-get-private-and-public-key |
Let me elaborate a bit. The problem comes from this line: If the file is in DER format, everything works, but if it's in PEM format, you'll get the Of course, it is quite simple to convert PEM to DER - that's what I've done. And this can be done both ways: statically (before launching of the application) and even dynamically (in the code). What I'm trying to say here is that it would be really nice if, whoever reads this file under the hood, could read it not only in DER format but in PEM format as well. That would allow us to avoid such conversion at all. |
PR's are more than welcome! |
Hello, guys, I have the same problem
Driver version? postgresql version? I tried setting it up |
@changetoblow are you able to connect with psql with these certs ? |
@davecramer Yes, I use psql command to verify the certificate, it is no problem. |
@davecramer I repeated yesterday's steps with the openssl command to do a certificate format conversion, this problem inexplicably solved. Thank you very much for your help. |
@changetoblow I think I know what your problem was. The documentation of the JDBC driver suggests the following command for the conversion: The former lacks the "nocrypt" option. Apparently, even without specifying a password during conversion, if you use the first command, the connection will fail. (Except if you specify the "sslpassword" option with an empty string value perhaps? I haven't tested that.) |
@pip25 I'm pretty sure I tested this. the sslpassword you are referring to is the password used to encrypt the der key ? |
@davecramer Yes, that one. It seems like giving an empty password during the conversion is not the same as disabling encryption from the command line (which makes sense I guess, but since many key/keystore/cert generation methods simply skip the password if you give an empty one, it's not necessarily what you'd expect). |
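Two points raised above, dtitov's (a loader that hands the raw file bytes to a DER/PKCS#8 decoder rejects a PEM file with an "invalid format" error) and pip25's (a key exported without `-nocrypt` is an encrypted PKCS#8 structure even if the password given was empty), can both be checked on the key file itself. The following is an added Python example, not pgjdbc code or anything posted in this thread: it inspects a key file the way a strict loader sees it, detects PEM vs DER, strips the PEM armor, and classifies the PKCS#8 structure as unencrypted or encrypted from its ASN.1 layout rather than from the filename or PEM label. The key bytes used as samples are constructed placeholders, not real keys; `inspect_key_file` and `loader_verdict` are names chosen here.

```python
"""Inspect a PostgreSQL client key file as a strict DER/PKCS#8 loader would.

Added example (not pgjdbc code). Sample keys are constructed byte strings.
"""
from __future__ import annotations

import base64
import re

# PEM armor: label in BEGIN/END lines, base64 body in between.
PEM_RE = re.compile(
    rb"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def detect_format(data: bytes) -> str:
    """'PEM' for armored text, 'DER' if the file starts with an ASN.1 SEQUENCE tag."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "UNKNOWN"


def pem_to_der(data: bytes) -> tuple[str, bytes]:
    """Strip the armor and base64-decode the body; this is all 'PEM support' needs."""
    m = PEM_RE.search(data)
    if not m:
        raise ValueError("not a PEM file")
    body = b"".join(m.group("body").split())  # drop line breaks inside the base64
    return m.group("label").decode(), base64.b64decode(body, validate=True)


def _der_header(buf: bytes, pos: int) -> tuple[int, int, int]:
    """Parse one DER tag/length at pos; return (tag, content_offset, content_length)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:  # short form length
        return tag, pos + 2, first
    n = first & 0x7F  # long form: next n bytes hold the length
    return tag, pos + 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def pkcs8_kind(der: bytes) -> str:
    """Classify DER as PKCS#8 PrivateKeyInfo ('unencrypted'), EncryptedPrivateKeyInfo
    ('encrypted'), or 'not-pkcs8'.

    PrivateKeyInfo          ::= SEQUENCE { version INTEGER, algorithm SEQUENCE, ... }
    EncryptedPrivateKeyInfo ::= SEQUENCE { algorithm SEQUENCE, encryptedData OCTET STRING }
    The tag of the first element inside the outer SEQUENCE tells them apart.
    """
    if len(der) < 2 or der[0] != 0x30:
        return "not-pkcs8"
    _, inner, length = _der_header(der, 0)
    if inner + length != len(der) or inner >= len(der):
        return "not-pkcs8"  # trailing or missing bytes
    first_tag = der[inner]
    if first_tag == 0x02:
        return "unencrypted"
    if first_tag == 0x30:
        return "encrypted"
    return "not-pkcs8"


def inspect_key_file(data: bytes) -> dict:
    """Return format, PEM label (if any), PKCS#8 kind and the DER bytes a loader would need."""
    fmt = detect_format(data)
    label, der = None, data
    if fmt == "PEM":
        label, der = pem_to_der(data)
    kind = pkcs8_kind(der) if fmt != "UNKNOWN" else "not-pkcs8"
    return {"format": fmt, "label": label, "kind": kind, "der": der}


def loader_verdict(info: dict) -> str:
    """What a DER-only loader such as the one discussed in the thread will do with this file."""
    if info["format"] == "PEM":
        return "PEM armor present: a DER-only loader fails; convert with openssl pkcs8 -topk8 -outform DER"
    if info["kind"] == "encrypted":
        return "encrypted PKCS#8: a password is required (sslpassword), or re-export with -nocrypt"
    if info["kind"] == "unencrypted":
        return "unencrypted PKCS#8 DER: loads without a password"
    return "not a PKCS#8 key file"


# Constructed samples (not real keys): minimal PrivateKeyInfo and EncryptedPrivateKeyInfo.
UNENC_DER = bytes.fromhex("300f020100300506032b65700403010203")
ENC_DER = bytes.fromhex("300a300506032b65700401aa")


def make_pem(label: str, der: bytes) -> bytes:
    """Wrap DER in PEM armor with 64-column base64 lines (used to build the samples)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n").encode()


SAMPLE_UNENC_PEM = make_pem("PRIVATE KEY", UNENC_DER)
SAMPLE_ENC_PEM = make_pem("ENCRYPTED PRIVATE KEY", ENC_DER)

if __name__ == "__main__":
    for name, blob in [("pem-nocrypt", SAMPLE_UNENC_PEM), ("pem-encrypted", SAMPLE_ENC_PEM),
                       ("der-nocrypt", UNENC_DER), ("der-encrypted", ENC_DER)]:
        info = inspect_key_file(blob)
        print(f"{name:14} format={info['format']:4} kind={info['kind']:12} -> {loader_verdict(info)}")
```

Run it against a real `postgresql.pk8` by reading the file as bytes and passing it to `inspect_key_file`; an `ENCRYPTED PRIVATE KEY` label or an `encrypted` kind on a file you believed to be passwordless is the situation pip25 describes.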
Care to provide some additional documentation? SSL has always been painful. Anything you can do to help would be appreciated.
Dave Cramer
|
@pip25 You're right. At first I didn't notice the difference between the two commands. The first time I used the commands suggested by the JDBC driver's documentation to convert them. It needs to specify a password. |
@davecramer I've been trying to test the other cases (empty password, normal password, both passed using "sslpassword") to clarify the docs, but it turns out none of these work for me, the error message "Received fatal alert: unexpected_message" appears in either case. Could someone else retest these as well? Currently, I'm not sure what I should be writing, other than "always use -nocrypt", which does not sound very encouraging in terms of security. |
Hi Guys, I am facing a similar problem. The connection with SSL using the following psql command works:
the line for the pgman user in pg_hba.conf is like the following:
The crt files are in PEM format. But for some reason, JDBC connection doesn't work. I tried various combinations of passing the certificate files in DER and PEM formats but I keep getting "FATAL: connection requires a valid client certificate" error. Here is my JDBC connection string:
Driver Version? PostgreSQL Version Java Version Now I am clueless about what to do next. Any hint will be much appreciated. |
In my case it was only the key that should have been in DER format: |
@dtitov Thanks for the reply. I tried that also once again just to be sure. Still no luck. |
https://github.com/pgjdbc/pgjdbc/blob/master/certdir/Makefile was just added to the repo. We are able to make this work in travis. |
Summary: I found that the SSL connection works with JDK 8 but not with Open JDK 11. JDK Version (That works): openjdk version "1.8.0_242" JDK Version (That didn't work): openjdk version "11" 2018-09-25 Here are details of what I did: To confirm I changed the certificate generated by me with the certificates from the certdir of the pgjdbc repo. Then I tested it with JDK 11. It didn't work. So just to give it a try I recompiled my test program with JDK 8 and ran it. This time it worked! Then I changed the settings of PostgreSQL server to use my original certificates and tried to connect with JDK 8. It worked with JDK 8 this time too. Has any of you guys tried to use SSL connection with JDK 11 with Postgres? |
Checked this further. The SSL connection doesn't work till JDK version OpenJDK version 11.0.4. It starts working from OpenJDK version 11.0.5. Looks like there is some bug in SSL implementation in Open JDK 11 till version 11.0.4. I also tested it with the current version of Amazon Corretto 11. It also works. I hope this helps someone who stumbles on this post later. |
I'm using:
Everything works fine. Just FYI. |
@pritammobisoft thanks for the update! |
Hi everyone! I was wondering if you can help me with this. I ended up here because I'm struggling connecting Mulesoft and postgresql in GoogleCloud via JDBC.
Now, I'm having some challenges in trying to make it work in Mulesoft, basically I need to create a keystore JKS and import client-cert.pem and client-key.pem. I'm trying to do that with "Keystore Explorer" --> create JKS truststore, import key pair: I tried a lot of different formats, but nothing worked. Next step should be to pass this truststore to JVM via command: -Djavax.net.ssl.trustStore=path_to_keystore_file (as mentioned in: https://help.mulesoft.com/s/question/0D52T00004mXW0MSAW/how-to-access-tls-enabled-mysql-database-using-database-connector) |
I eventually got this to work by:
It would be nice if someone could update the
Bonus points if someone could make The struggle continues, comrades. |
#1762 work for you? |
Oh you beat me to it: #1763. |
Describe the issue
I'm passing in a client certificate, client key, and certificate authorities using properties sslrootcert, sslcert, and sslkey in the JDBC driver and am receiving the SSL error:
could not accept SSL connection: ccs received early
This occurs at the client - Change Cipher Spec record during the SSL handshake.
Passing the same certificates into psql:
works. This means I know the certificates themselves are not the issue.
Driver Version?
42.2.5
Java Version?
Oracle JDK 1.8.0_191
OS Version?
Mac OS 10.13.6
PostgreSQL Version?
10.6
To Reproduce
pg_hba.conf
for hostssl:
javax.net.ssl.SSLException: Received fatal alert: unexpected_message
gets thrown when running the Java program.
Expected behaviour
The SSL handshake should complete successfully and application data gets transferred to the Java program.
And what actually happens:
Exception gets thrown:
javax.net.ssl.SSLException: Received fatal alert: unexpected_message
Logs
JDBC Driver Logs
PostGres Log
javax.net.debug = ssl:handshake Log
For brevity, I'm only including the step before Client Change Cipher Spec. Thanks.