SSL certificate error when connecting to PostgreSQL database with Oracle SQL Developer on Fedora 30

1

1

[Screenshot: the error I'm getting]

I have a PostgreSQL 9.3 database running in a RHEL 6.2 KVM virtual machine. It's part of the application I support for work, and I cannot make any configuration changes to the contents of the VM itself. In production it would be deployed to bare metal; this VM is just for my own testing needs. On my Windows work computer, I can successfully connect to the database on a similar VM using SQL Developer.

I have confirmed that I can successfully connect to the database from the VM host via psql on the command line. SELinux has been disabled temporarily on the VM for testing purposes.

After installing SQL Developer, OpenJDK and OpenJFX, passing the path of my OpenJDK installation as requested by SQL Developer, loading the PostgreSQL JDBC driver, and attempting to connect to the database, I get this error:

Status : Failure -SSL error: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints

I'm kind of at a loss as to how to get around this. I'm not a Java developer and I don't really know how to correct this. After much Googling for similar errors, the best solution I could come up with was to add the following to /opt/sqldeveloper/sqldeveloper/bin/sqldeveloper.conf, which did not fix the problem or change the error:

AddVMOption -Djdk.certpath.disabledAlgorithms=MD2

I suspect this is still the right direction, but I don't know what should go in place of MD2, or if this is really even the correct solution.

Running openssl s_client -connect 192.168.122.63:5432 returns the following:

[user@hostname ~]$ openssl s_client -connect 192.168.122.63:5432
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 303 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

How do I get around this?

Kefka

Posted 2019-10-18T08:18:34.420

Reputation: 951

Would be helpful to share the certificate here. Knowing how the cert is built may shine a light on this. Especially of use would be: signature algorithm but if you dump the whole thing that might save some back and forth here. – Ram – 2019-12-28T22:59:39.733

@Ram I wouldn't know where to look to even find it. That goes a little beyond my normal work - is there some standard place I would find it, or is it totally dependent on whoever built it in the first place? – Kefka – 2019-12-30T16:03:59.210

openssl s_client -connect host:port will print out the certs. Find the BEGIN and END CERTIFICATE stuff and copy and paste the cert into a file.crt. Then run openssl x509 -in file.crt -text -noout and you will see the thing parsed out into something a bit more readable. Add the output to your question so we can hopefully see what's up. – Ram – 2019-12-30T18:57:49.270

@Ram Sorry for the delay. I've added the requested output, which seems to show no certificates at all, assuming I ran the command correctly. 192.168.122.63 being the ip of the db vm, and 5432 being the port the database is listening on. – Kefka – 2019-12-31T17:04:52.470
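One thing worth knowing when reading the s_client output above: PostgreSQL does not speak TLS from the first byte on port 5432. The client first sends an 8-byte SSLRequest message (length 8 followed by the request code 80877103), and the server answers with a single byte, 'S' if it will start TLS or 'N' if it will not; only after an 'S' does the TLS handshake begin. A plain `openssl s_client -connect host:5432` sends a TLS ClientHello where the server expects that startup packet, so it shows no certificate regardless of how the server is configured (OpenSSL 1.1.1 and later have `-starttls postgres` for exactly this reason). The following probe is an added example, not code from the original post; it implements the SSLRequest exchange itself so the server's actual answer can be seen, and if the server says 'S' it completes a handshake without chain verification purely to print the certificate for inspection. The host 192.168.122.63 is taken from the question and is only a default; the verdict strings are my own naming.

```python
#!/usr/bin/env python3
"""Probe whether a PostgreSQL server will negotiate TLS, and dump its certificate.

Added diagnostic example (not from the original post). It performs the
PostgreSQL SSLRequest exchange before the TLS handshake, which is what a raw
`openssl s_client -connect host:5432` does not do.
"""
import socket
import ssl
import struct
import sys

# Values from the PostgreSQL frontend/backend protocol: SSLRequest is an
# int32 length (8) followed by the int32 code (1234 << 16) | 5679.
SSL_REQUEST_LEN = 8
SSL_REQUEST_CODE = 80877103


def build_ssl_request() -> bytes:
    """Return the 8-byte SSLRequest startup packet (big-endian int32 pair)."""
    return struct.pack("!ii", SSL_REQUEST_LEN, SSL_REQUEST_CODE)


def interpret_ssl_reply(reply: bytes) -> str:
    """Map the server's one-byte reply to a verdict string (names are my own)."""
    if reply == b"S":
        return "ssl-supported"
    if reply == b"N":
        return "ssl-not-supported"   # server built/configured without ssl = on
    if reply == b"":
        return "connection-closed"   # e.g. pg_hba.conf rejected us outright
    if reply[:1] == b"E":
        return "error-response"      # server sent an ErrorResponse message
    return "unexpected"


def probe(host: str, port: int = 5432, timeout: float = 5.0) -> dict:
    """Send SSLRequest; on 'S', handshake (no verification) and capture cert details."""
    result = {"verdict": None, "tls_version": None, "cipher": None, "cert_pem": None}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl_request())
        result["verdict"] = interpret_ssl_reply(sock.recv(1))
        if result["verdict"] != "ssl-supported":
            return result
        # Diagnosis only: we want to SEE the certificate, not trust it, so chain
        # and hostname checks are switched off for this probe and nothing else.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            result["tls_version"] = tls.version()
            result["cipher"] = tls.cipher()          # (name, protocol, bits)
            der = tls.getpeercert(binary_form=True)  # DER is returned even with CERT_NONE
            result["cert_pem"] = ssl.DER_cert_to_PEM_cert(der) if der else None
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.122.63"  # host from the question
    info = probe(target)
    print("verdict:    ", info["verdict"])
    print("tls version:", info["tls_version"])
    print("cipher:     ", info["cipher"])
    if info["cert_pem"]:
        # Pipe this PEM into `openssl x509 -text -noout` to read the signature
        # algorithm and key size, which is what the Java error is complaining about.
        print(info["cert_pem"])
```

Run it as `python3 pgssl_probe.py 192.168.122.63`. A verdict of `ssl-not-supported` means the server is answering 'N', so the JDBC client's SSL requirement cannot be met by the server as configured; `ssl-supported` followed by a printed certificate lets you check the signature algorithm and key size against the `jdk.certpath.disabledAlgorithms` list, which is the constraint the "Certificates do not conform to algorithm constraints" message refers to.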

Answers

0

The line you added is usually located in the java.security file. But what you need to do is remove this line from the java.security file, or, if you have additional disabled algorithms, remove MD2 and keep the rest. If you have something like:

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

make it

jdk.certpath.disabledAlgorithms=RSA keySize < 1024

You can check this answer for more details.

Romeo Ninov

Posted 2019-10-18T08:18:34.420

Reputation: 2 062

When doing that, and in fact even when commenting out jdk.certpath.disabledAlgorithms altogether, I still get the same error – Kefka – 2019-12-26T21:34:22.610

Did you do it in java.security file? – Romeo Ninov – 2019-12-27T05:54:17.427

Yes. I started by using find to locate it, find / -name java.security -type f, and that returned only one java.security file (in case you wondered if there might be multiples and I did the wrong one). I closed SQL Developer, made the edit to that line (and commented it out on second try), and started it again and got the same error. As a test I also removed the file altogether to see if it affected anything, and I got a different error in SQL Developer after doing that, so I know changes to the file are impacting SQL Developer. – Kefka – 2019-12-27T15:24:47.997

0

Looks like your client thinks the connection should be encrypted but your server isn't doing that. Either turn on encryption in whatever is running SSL for postgresql or disable the requirement for encryption in your Java environment.

Ram

Posted 2019-10-18T08:18:34.420

Reputation: 977

Unfortunately I'm not finding any way to do this, but since the bounty period is almost over I'm going ahead and giving it to you because this at least feels like the right direction. Thanks – Kefka – 2020-01-01T00:13:14.157

Take a look here https://www.postgresql.org/docs/9.1/ssl-tcp.html ... you are probably doing this: "Note: It is possible to have authentication without encryption overhead by using NULL-SHA or NULL-MD5 ciphers. However, a man-in-the-middle could read and pass communications between client and server. Also, encryption overhead is minimal compared to the overhead of authentication. For these reasons NULL ciphers are not recommended." I think you probably cannot change your PostgreSQL server, but you should tell the admin it's not configured well. – Ram – 2020-01-01T17:50:03.920

In any case, check out this page to work this client side https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#ciphersuites ... your server is using a "NULL" cipher, so you have to enable one of these (bad idea!) in jdk.tls.client.protocols. – Ram – 2020-01-01T17:51:09.823