Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
2.0.2
-
None
Description
Using Java 8 and MariaDB Connector/J 2.0.2-SNAPSHOT to connect to a MySQL 5.1.73 database using SSL does not appear to do server certificate verification.
The connection is created like this:
try (Connection c = DriverManager.getConnection(url, user, new String(password))) { |
System.out.printf("Connection class:%n%s%n", c.getClass().getName()); |
}
|
where url is this (but with a different host name and DB name):
"jdbc:mariadb://db.example.com:3306/MYDB?useSSL=true" |
No exception is thrown. The default Java TrustStore has not been altered. A dedicated TrustStore has not been specified with the trustStore and trustStorePassword URL options. And the trustServerCertificate URL option has not been specified, so it should default to false, and an exception should be thrown according to the "One way SSL authentication" section of Using TLS/SSL with MariaDB Connector/J which says:
If the trustServerCertificate option is not set, an exception "unable to find valid certification path to requested target" will be thrown.
The server certificate has been signed by a trusted CA (i.e., Entrust). I don't think this matters, but I'm mentioning it just in case. It would be awesome if Connector/J could verify the server certificate without requiring a dedicated TrustStore (i.e., verify the certificate chain all the way to the root that exists in the default Java TrustStore), but the above referenced documentation does not say it can do this, so my understanding is that it cannot and hence cannot explain what's happening here.