Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Not a Bug
Description
If you set up MariaDB with the following TLS configuration:

/etc/mysql/conf.d/tls.cnf:

    [mariadb]
    ssl_ca=/tls/ca-cert.pem
    ssl_cert=/tls/server-cert.pem
    ssl_key=/tls/server-key.pem
    require_secure_transport=ON

and you want to use a custom (Java) system truststore like:
    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.ResultSet;
    import java.sql.Statement;
    import java.util.Properties;

    public class TrustStoreTest {
        public static void main(String[] args) throws Exception {
            // JVM-wide (JSSE) truststore, left commented out as in the original report
            //System.setProperty("javax.net.ssl.trustStore", "./truststore.jks");
            //System.setProperty("javax.net.ssl.trustStorePassword", "jkspw");

            Properties connConfig = new Properties();
            connConfig.setProperty("user", "root");
            connConfig.setProperty("password", "rootpw");
            // verify-full: server certificate must chain to a trusted CA and match the host name
            connConfig.setProperty("sslMode", "verify-full");

            try (Connection conn = DriverManager.getConnection("jdbc:mariadb://192.168.28.164:3306", connConfig)) {
                try (Statement stmt = conn.createStatement()) {
                    try (ResultSet rs = stmt.executeQuery("SHOW VARIABLES LIKE 'have_ssl';")) {
                        // next() instead of first(): works for forward-only result sets too
                        if (rs.next()) {
                            System.out.println(rs.getString(2));
                        }
                    }
                }
            }
        }
    }
|
The connection is successful, even if we do not trust the CA. During my debug session I found out that if we "fall back" to the system truststore, the X509TrustManager will be wrapped inside a "MariaDbX509EphemeralTrustingManager", which basically accepts all certificates.
Basically, this leads to the same behavior as "sslMode=trust", so the DB server just needs to provide any certificate.
Tested with Connector/J 3.4.1.
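The following is an added check, not code from this report or from MariaDB Connector/J. It exercises the same path the report describes (sslMode=verify-full with the JVM-wide JSSE truststore) and tells you whether the driver actually rejected an untrusted server certificate or silently connected as if sslMode=trust had been set. The host and port are taken from the report; the user, password and truststore file names (empty.jks without the server CA, trusted.jks with it) are assumptions for illustration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

/*
 * Added check (not from the bug report or from the connector project).
 * Usage, one JVM per attempt (see the note on JSSE caching in attempt()):
 *   java VerifyFullCheck ./empty.jks   jkspw reject    # truststore without the server CA
 *   java VerifyFullCheck ./trusted.jks jkspw connect   # truststore containing the server CA
 * Exit code 0 means the driver behaved as expected, 1 means it did not.
 */
public class VerifyFullCheck {

    // Host/port from the report; user and password are assumed values.
    static final String URL = "jdbc:mariadb://192.168.28.164:3306/";
    static final String USER = "root";
    static final String PASSWORD = "rootpw";

    enum Outcome { CONNECTED_TLS, CONNECTED_PLAINTEXT, REJECTED }

    /**
     * Opens one connection with sslMode=verify-full using the JVM-wide truststore
     * and reports whether it was rejected, or connected with or without TLS.
     */
    static Outcome attempt(String trustStorePath, String trustStorePassword) {
        // JSSE reads these properties when the default SSLContext is first built
        // and caches the result, so each attempt must run in a fresh JVM.
        System.setProperty("javax.net.ssl.trustStore", trustStorePath);
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);

        Properties props = new Properties();
        props.setProperty("user", USER);
        props.setProperty("password", PASSWORD);
        props.setProperty("sslMode", "verify-full");

        try (Connection conn = DriverManager.getConnection(URL, props);
             Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery("SHOW STATUS LIKE 'Ssl_cipher'")) {
            // Ssl_cipher is empty for a session that is not TLS-protected.
            String cipher = rs.next() ? rs.getString(2) : null;
            return (cipher == null || cipher.isEmpty())
                    ? Outcome.CONNECTED_PLAINTEXT
                    : Outcome.CONNECTED_TLS;
        } catch (SQLException e) {
            // Expected outcome when the server certificate does not chain to the truststore.
            System.err.println("connection refused: " + e.getMessage());
            return Outcome.REJECTED;
        }
    }

    public static void main(String[] args) {
        if (args.length != 3) {
            System.err.println("usage: VerifyFullCheck <truststore.jks> <password> reject|connect");
            System.exit(2);
        }
        Outcome expected = args[2].equals("reject") ? Outcome.REJECTED : Outcome.CONNECTED_TLS;
        Outcome actual = attempt(args[0], args[1]);
        System.out.println("expected " + expected + ", got " + actual);
        if (actual != expected) {
            // A CONNECTED_* result on the "reject" run means the CA was never checked,
            // i.e. the connection behaved like sslMode=trust.
            System.exit(1);
        }
    }
}
```

Run the "reject" case against a truststore that deliberately lacks the server CA: a successful connection there is the symptom described in this report. If you need the CA pinned regardless of how the JVM truststore is resolved, Connector/J also lets you hand the CA certificate to the driver directly through its serverSslCert connection property instead of relying on javax.net.ssl.trustStore.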