On Tue, Apr 30, 2024 at 2:41 PM Thomas Spear <speeddymon@gmail.com> wrote:
> The full details can be found at github.com/pgjdbc/pgjdbc/discussions/3236 - in summary, both jdbc-postgres and the
psqlcli seem to be affected by an issue validating the certificate chain up to a publicly trusted root certificate that
hascross-signed an intermediate certificate coming from a Postgres server in Azure, when using sslmode=verify-full and
tryingto rely on the default path for sslrootcert.
Hopefully someone more familiar with the Azure cross-signing setup
sees something obvious and chimes in, but in the meantime there are a
couple things I can think to ask:
1. Are you sure that the server is actually putting the cross-signed
intermediate in the chain it's serving to the client?
2. What version of OpenSSL? There used to be validation bugs with
alternate trust paths; hopefully you're not using any of those (I
think they're old as dirt), but it doesn't hurt to know.
3. Can you provide a sample public certificate chain that should
validate and doesn't?
Thanks,
--Jacob