Re: SSL certificates issue

From: Asia
Subject: Re: SSL certificates issue
Msg-id: 48636826-a09d4c1893554c6ea787bc2809479c60@pkn7.m5r2.onet
In reply to: SSL certificates issue  (Asia <asia123321@op.pl>)
Replies: Re: SSL certificates issue
List: pgsql-general
> Asia <asia123321@op.pl> writes:
> > I would expect to have only one top-level CA cert in server's and client's root.crt and it was not possible to configure with 2-level intermediate CA.
>
> This seems a little confused, since in your previous message you stated
> that libpq worked correctly and JDBC did not, and now you seem to be
> saying the opposite.
>
> As far as libpq goes, I would expect it to function correctly in 9.0 and
> up (and it did function correctly, last I tested it).  Previous releases
> will not do this nicely, for lack of this patch:
> http://git.postgresql.org/gitweb/?p=postgresql.git&a=commitdiff&h=4ed4b6c54
>
>             regards, tom lane
>


I apologise then, it seems I was not clear enough when explaining my issue.

I am using PostgreSQL, version 9.0.

I have all of it (libpq and jdbc) working, however I have some doubts about the correctness of my configuration.

The situation is more or less like the following:

Client intermediate CA (root.crt): C1 -> C2, Client cert: C1 -> C2 -> C3

Server intermediate CA (root.crt): C1 -> S1, Server Cert: C1 -> S1 -> S2

I always use clientcert=1 in pg_hba to force mutual SSL.

Now with the above configuration libpq connects fine. But when I tried to use jdbc it requires me to append the client's intermediate CA - "C1 -> C2" - to the server's root.crt. So the server's root.crt content looks like follows:

C1 -> S1  ->  C1 -> C2

Then the jdbc connection works fine and the change does not affect libpq - it works fine like before.

So my point was, in general, why the behavior for libpq and the jdbc driver is not common (probably we would need some custom implementation of a Java SSL factory for PostgreSQL) - both types of connection have different cert configurations, which I believe would be better if it were common.

And the second issue is that you wrote that it should be enough to put top-level CA certs. So I left only C1 in the server's root.crt, restarted the server and received the following error during connection:

SSL error: certificate verify failed

The question is: how do I do it correctly?

Please advise.

Kind regards,
Joanna
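Added example, not code from this thread or from PostgreSQL: it rebuilds Joanna's two chains (C1 -> S1 -> S2 for the server, C1 -> C2 -> C3 for the client) with throwaway keys and runs `openssl verify` against trust files with different contents, standing in for root.crt. It assumes only the openssl command-line tool; all file names, subjects and keys are constructed here. It shows that a trust file holding only the top-level CA rejects a leaf on its own and accepts it once the intermediate is either presented with the leaf or added to the trust file, which is the difference between the two root.crt layouts in the message (it does not say what libpq or JDBC actually send on the wire).

```shell
#!/bin/sh
# Added example, not from the thread: build C1 -> S1 -> S2 and C1 -> C2 -> C3
# with throwaway keys, then check what a verifier accepts depending on what
# its trust file (the role root.crt plays) contains.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found, skipping" >&2; exit 0; }
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

# newkey <name>: fresh 2048-bit RSA key plus a CSR with CN=<name>
newkey() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
# issue <name> <issuer> <extfile>: sign <name>'s CSR with <issuer>'s key
issue() {
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 1 -extfile "$3" -out "$1.crt" 2>/dev/null
}
# verify_with <leaf> <trustfile> [untrusted]: exit 0 if <leaf> chains to a cert
# in <trustfile>; [untrusted] plays the intermediates a peer sends with its leaf.
verify_with() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

newkey C1 && openssl x509 -req -in C1.csr -signkey C1.key -days 1 \
  -extfile ca.ext -out C1.crt 2>/dev/null                        # top-level CA C1
newkey S1 && issue S1 C1 ca.ext; newkey S2 && issue S2 S1 leaf.ext   # server chain
newkey C2 && issue C2 C1 ca.ext; newkey C3 && issue C3 C2 leaf.ext   # client chain
cat C1.crt C2.crt > root_with_C2.crt   # server root.crt after appending "C1 -> C2"

# 1) trust file holds only C1 and the peer shows only its leaf C3: rejected,
#    the "certificate verify failed" case from the message.
verify_with C3.crt C1.crt && echo "1: accepted" || echo "1: rejected"
# 2) same trust file, but C2 is presented alongside C3: accepted.
verify_with C3.crt C1.crt C2.crt && echo "2: accepted" || echo "2: rejected"
# 3) C2 added to the trust file itself: the leaf alone is enough.
verify_with C3.crt root_with_C2.crt && echo "3: accepted" || echo "3: rejected"
```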
