Using Java 8 and MariaDB Connector/J 2.0.2-SNAPSHOT to connect to a MySQL 5.1.73 database using SSL does not appear to do hostname verification. This makes it vulnerable to a man-in-the-middle attack.
To test this, I changed DNS resolution on the client machine where the Connector/J client is run to resolve db.example.com to the IP address of the real MySQL server host, which in this example I'll say is db.mycompany.com.
The connection is created like this:
where url is this:
When I run the Connector/J client, no exception is thrown to indicate that hostname verification failed. This should not be! An exception should be thrown because db.example.com does not match the db.mycompany.com that appears in the Subject field and the Subject Alternative Name field of the server certificate.
The server certificate has been signed by a trusted CA (i.e., Entrust). The server certificate contains a Subject field containing CN=db.mycompany.com and a Subject Alternative Name field containing DNS:db.mycompany.com as reported by the following OpenSSL command:
The mysql client program from MySQL 5.7.18 correctly fails the connection:
Since it's likely a pain to change DNS resolution on the client machine, I also tried to reproduce this problem, and succeeded, by forwarding port 3306 of the loopback device on the client machine to the real MySQL server host and connecting to 127.0.0.1 port 3306. I did the port forwarding using SSH (which requires the ability to SSH into the MySQL server host):
The Connector/J client happily connects and does not fail the connection with a url like this:
The mysql client correctly fails the connection:
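The check the report says is missing, as an added example that is not part of the original report or of Connector/J itself: an RFC 6125-style hostname matcher run against a constructed stand-in for the server certificate described above (CN and SAN DNS of db.mycompany.com). Both names used in the report, db.example.com and the port-forwarded 127.0.0.1, are rejected, while the real name is accepted.

```python
import ipaddress

# Constructed stand-in for the server certificate described in the report:
# Subject CN=db.mycompany.com, SAN DNS:db.mycompany.com, no IP SANs.
SERVER_CERT = {
    "subject_cn": "db.mycompany.com",
    "san_dns": ["db.mycompany.com"],
    "san_ip": [],
}


def _dns_label_match(pattern: str, host: str) -> bool:
    """RFC 6125-style match: case-insensitive, one wildcard allowed only as
    the complete left-most label (e.g. *.mycompany.com), never spanning a dot,
    and never for a bare top-level domain."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, target: str) -> bool:
    """True when the name the client actually dialed is covered by the cert."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # A literal IP (the 127.0.0.1 port-forward case) only matches an
        # iPAddress SAN; dNSName entries and the CN are never consulted.
        return any(ipaddress.ip_address(s) == ip for s in cert["san_ip"])
    if cert["san_dns"]:
        # When dNSName SANs are present the CN is ignored (RFC 6125 6.4.4).
        return any(_dns_label_match(p, target) for p in cert["san_dns"])
    return _dns_label_match(cert["subject_cn"], target)


def verify_or_raise(cert: dict, target: str) -> None:
    """What a TLS client should do immediately after the handshake."""
    if not hostname_matches(cert, target):
        raise ValueError(f"hostname {target!r} does not match certificate "
                         f"(CN={cert['subject_cn']}, SAN DNS={cert['san_dns']})")
```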