Recently I have been working on implementation of mutual SSL authentication between our application and PostgreSQL
database.
I managed to make it work wih "ssl=true" connection option and "clientcert=1" flags in pg_hba.conf. Moreover I managed
tomake it work with C++ application using libpq and Java application using postgresql JDBC driver.
The only concern I have is some discrepancy between the way libpq and JDBC works. It seems that libpq is less
restrictivethan JDBC with standard
built-in SSLSocketFactory.
The following schema describes some information about my certs:
Client Server
postgresql.crt server.crt
postgresql.key server.key
root.crt root.crt
where postgresql.crt is singed by Intermediate CA 1
server.crt is signed by Intermediate CA 2
Intermediate CA 1 and Intermediate CA 2 are chain certs both singed by the same root certificate
root.crt - root certificate that signed Intermediate CA1 and Intermediate CA 2 (which was enough for libpq but
notenough for JDBC)
Now the issue is then when using libpq it was enough to have only root certificate in server's root.crt and it worked
fine.
But when I tried using the same with JDBC it turned out that I need to put whole chain (2 certs) of Intermediate CA 1
inserver's root.crt.
All I need is the confirmation whether this is working as designed or this is possibly libpq bug?
Kind Regards,
Joanna