[CONJ-485] No SSL certificate verification on connect to MySQL 5.1.73 - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 2.0.2
Fix Version/s: N/A
Component/s: documentation
Labels:
None

Description

Using Java 8 and MariaDB Connector/J 2.0.2-SNAPSHOT to connect to a MySQL 5.1.73 database using SSL does not appear to do server certificate verification.

The connection is created like this:

try (Connection c = DriverManager.getConnection(url, user, new String(password))) {

  System.out.printf("Connection class:%n%s%n", c.getClass().getName());

where url is this (but with a different host name and DB name):

"jdbc:mariadb://db.example.com:3306/MYDB?useSSL=true"

No exception is thrown. The default Java TrustStore has not been altered. A dedicated TrustStore has not been specified with the trustStore and trustStorePassword URL options. And the trustServerCertificate URL option has not been specified, so it should default to false, and an exception should be thrown according to the "One way SSL authentication" section of Using TLS/SSL with MariaDB Connector/J which says:

If the trustServerCertificate option is not set, an exception "unable to find valid certification path to requested target" will be thrown.

The server certificate has been signed by a trusted CA (i.e., Entrust). I don't think this matters, but I'm mentioning it just in case. It would be awesome if Connector/J could verify the server certificate without requiring a dedicated TrustStore (i.e., verify the certificate chain all the way to the root that exists in the default Java TrustStore), but the above referenced documentation does not say it can do this, so my understanding is that it cannot and hence cannot explain what's happening here.

Attachments

Activity

Ascending order - Click to sort in descending order

Diego Dupin added a comment - 2017-06-01 19:43

In this case, this is normal : Entrust root certificates are already in java default trustore.
Driver already possesses the public key of the CA and consequently can verify the signature, trust the certificate and the public key in it.

This task must not be close : documentation Using TLS/SSL with MariaDB Connector/J must be improved :

have a better distinction of signed certificates (with description of chain of trust), and so which certificates must be known by client.
explanation of these default truststore that contain the widely recognized Certificate Authorities .

Diego Dupin added a comment - 2017-06-01 19:43 In this case, this is normal : Entrust root certificates are already in java default trustore. Driver already possesses the public key of the CA and consequently can verify the signature, trust the certificate and the public key in it. This task must not be close : documentation Using TLS/SSL with MariaDB Connector/J must be improved : have a better distinction of signed certificates (with description of chain of trust), and so which certificates must be known by client. explanation of these default truststore that contain the widely recognized Certificate Authorities .

Diego Dupin added a comment - 2017-11-21 08:29

documentation updated

Diego Dupin added a comment - 2017-11-21 08:29 documentation updated

People

Assignee:: Diego Dupin

Reporter:: J. Lewis Muir

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2017-06-01 17:13

Updated:: 2017-11-21 08:29

Resolved:: 2017-11-21 08:29

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.