Uploaded image for project: 'MariaDB Connector/J'
  1. MariaDB Connector/J
  2. CONJ-485

No SSL certificate verification on connect to MySQL 5.1.73

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.2
    • Fix Version/s: N/A
    • Component/s: documentation
    • Labels:
      None

      Description

      Using Java 8 and MariaDB Connector/J 2.0.2-SNAPSHOT to connect to a MySQL 5.1.73 database using SSL does not appear to do server certificate verification.

      The connection is created like this:

      try (Connection c = DriverManager.getConnection(url, user, new String(password))) {
        System.out.printf("Connection class:%n%s%n", c.getClass().getName());
      }
      

      where url is this (but with a different host name and DB name):

      "jdbc:mariadb://db.example.com:3306/MYDB?useSSL=true"
      

      No exception is thrown. The default Java TrustStore has not been altered. A dedicated TrustStore has not been specified with the trustStore and trustStorePassword URL options. And the trustServerCertificate URL option has not been specified, so it should default to false, and an exception should be thrown according to the "One way SSL authentication" section of Using TLS/SSL with MariaDB Connector/J which says:

      If the trustServerCertificate option is not set, an exception "unable to find valid certification path to requested target" will be thrown.

      The server certificate has been signed by a trusted CA (i.e., Entrust). I don't think this matters, but I'm mentioning it just in case. It would be awesome if Connector/J could verify the server certificate without requiring a dedicated TrustStore (i.e., verify the certificate chain all the way to the root that exists in the default Java TrustStore), but the above referenced documentation does not say it can do this, so my understanding is that it cannot and hence cannot explain what's happening here.

        Attachments

          Activity

            People

            Assignee:
            diego dupin Diego Dupin
            Reporter:
            jlmuir J. Lewis Muir
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:

                Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.