MariaDB Connector/J: CONJ-1105

TLS certificate validation without needs to provide certificate client side

Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.4.0
    • Component/s: configuration
    • Labels: None

    Description

      In order to have SSL connections, there were 3 solutions:

      • Have server certificates generated with trusted node.js Certificate Authorities (CA) in the java default truststore, like

        jdbc:mariadb://host/db?sslMode=verify-full

      • Configure the connector with the server certificate, like:

        jdbc:mariadb://host/db?sslMode=verify-full&serverSslCert=...

      • Disable certificate ssl verification (not secure!), like:

        jdbc:mariadb://host/db?sslMode=trust

      Since MariaDB 11.4.1 and MDEV-31855, the connector doesn't need to have the server certificate anymore, permitting simple configuration like even for certificates without a CA present in the truststore. More info: see https://mariadb.org/mission-impossible-zero-configuration-ssl/

      This permits easier client configuration but has a few limitations:

      • the user must use a password
      • authentication must use either mysql_native_password / client_ed25519

          Activity

            serg Sergei Golubchik added a comment:

            This is how it works in C/C:

            • read the welcome packet
            • send the SSL request packet
            • start SSL, verify the certificate
            • if the certificate is bad:
              • if the error is not "self-signed certificate" — abort
              • if the connection method is MitM-proof (e.g. unix socket) — trust the certificate
              • if the user has not provided a password or auth plugin is not MitM-proof — abort
              • continue authentication and verify the cert at the end as in MDEV-31855
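The decision flow from that comment, written out as an added C example (it is not Connector/C or Connector/J code). The two plugin names come from the issue description; the enum names, the three-way certificate status and the `decide_tls` signature are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Result of the certificate check performed right after "start SSL". */
enum cert_status {
    CERT_OK,
    CERT_SELF_SIGNED,   /* the one recoverable error (OpenSSL reports it as
                           X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) */
    CERT_OTHER_ERROR    /* expired, wrong hostname, untrusted CA chain, ... */
};

/* What the client does next. */
enum tls_decision {
    TLS_ABORT,          /* drop the connection before sending credentials */
    TLS_TRUST,          /* accept the certificate now */
    TLS_VERIFY_LATER    /* authenticate, then re-check the cert (MDEV-31855) */
};

/* Plugins the issue description allows with the deferred check. */
static bool plugin_is_mitm_proof(const char *plugin)
{
    return strcmp(plugin, "mysql_native_password") == 0 ||
           strcmp(plugin, "client_ed25519") == 0;
}

/* transport_mitm_proof: e.g. a unix socket, where nobody can sit in between. */
enum tls_decision decide_tls(enum cert_status cert, bool transport_mitm_proof,
                             bool has_password, const char *plugin)
{
    if (cert == CERT_OK)
        return TLS_TRUST;
    if (cert != CERT_SELF_SIGNED)       /* any other verification error: abort */
        return TLS_ABORT;
    if (transport_mitm_proof)           /* self-signed, but the path is unspoofable */
        return TLS_TRUST;
    if (!has_password || !plugin_is_mitm_proof(plugin))
        return TLS_ABORT;               /* the deferred check needs a shared secret */
    return TLS_VERIFY_LATER;
}

int main(void)
{
    static const char *name[] = { "abort", "trust", "verify-later" };
    /* constructed scenario: TCP, self-signed cert, password + native auth */
    printf("%s\n", name[decide_tls(CERT_SELF_SIGNED, false, true, "mysql_native_password")]);
    return 0;
}
```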

            People

              Assignee: Diego Dupin
              Reporter: Diego Dupin