
No SSL hostname verification on connect to MySQL 5.1.73



    • Bug
    • Status: Closed
    • Major
    • Resolution: Duplicate
    • 2.0.2
    • 2.1.0
    • TLS
    • None


      Using Java 8 and MariaDB Connector/J 2.0.2-SNAPSHOT to connect to a MySQL 5.1.73 database using SSL does not appear to do hostname verification. This makes it vulnerable to a man-in-the-middle attack.

      To test this, I changed DNS resolution on the client machine where the Connector/J client is run to resolve db.example.com to the IP address of the real MySQL server host, which in this example I'll say is db.mycompany.com.

      The connection is created like this:

      // try-with-resources: the connection is closed automatically when the block exits
      try (Connection c = DriverManager.getConnection(url, user, new String(password))) {
        System.out.printf("Connection class:%n%s%n", c.getClass().getName());
      }

      where url is this:


      When I run the Connector/J client, no exception is thrown to indicate that hostname verification failed. This should not be! An exception should be thrown because db.example.com does not match the db.mycompany.com that appears in the Subject field and the Subject Alternative Name field of the server certificate.

      The server certificate has been signed by a trusted CA (i.e., Entrust). The server certificate contains a Subject field containing CN=db.mycompany.com and a Subject Alternative Name field containing DNS:db.mycompany.com as reported by the following OpenSSL command:

      % openssl x509 -in ServerCertificate.crt -noout -text

      The mysql client program from MySQL 5.7.18 correctly fails the connection:

      % mysql --ssl-mode=VERIFY_IDENTITY --ssl-capath=/path/to/system/certs -u myuser -p -h db.example.com -P 3306 MYDB
      Enter password:
      ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure

      Since it's likely a pain to change DNS resolution on the client machine, I also tried to reproduce this problem, and succeeded, by forwarding port 3306 of the loopback device on the client machine to the real MySQL server host and connecting to port 3306. I did the port forwarding using SSH (which requires the ability to SSH into the MySQL server host):

      % ssh -L -N db.mycompany.com

      The Connector/J client happily connects and does not fail the connection with a url like this:


      The mysql client correctly fails the connection:

      % mysql --ssl-mode=VERIFY_IDENTITY --ssl-capath=/path/to/system/certs -u myuser -p -h -P 3306 MYDB
      Enter password:
      ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure
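The two checks the report separates, as an added example in Go (not code from the report or from Connector/J): chain validation against a trusted CA, and matching the certificate's names against the hostname the client dialled. The certificate is a constructed self-signed stand-in for the server certificate described above and serves as its own trust anchor; the hostnames are those from the report.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newServerCert builds a constructed self-signed stand-in for the report's server
// certificate (CN=db.mycompany.com, SAN DNS:db.mycompany.com) plus a pool trusting it.
func newServerCert() (*x509.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "db.mycompany.com"},
		DNSNames:     []string{"db.mycompany.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert) // the pool plays the role of the trusted CA
	return cert, roots, nil
}

// verifyPeer validates the chain against the trusted roots and, when checkHostname is
// true, also requires the name the client dialled to match the certificate. Chain-only
// validation is what the report observed: a valid certificate for db.mycompany.com is accepted for db.example.com.
func verifyPeer(cert *x509.Certificate, roots *x509.CertPool, host string, checkHostname bool) error {
	opts := x509.VerifyOptions{Roots: roots}
	if checkHostname {
		opts.DNSName = host
	}
	_, err := cert.Verify(opts)
	return err
}
```

With checkHostname false the certificate is accepted for any dialled name, which is the behaviour the mysql client's VERIFY_IDENTITY mode refuses.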





              Assignee: Diego Dupin (diego dupin)
              Reporter: J. Lewis Muir (jlmuir)


