Uploaded image for project: 'MariaDB Connector/J'
  1. MariaDB Connector/J
  2. CONJ-486

No SSL hostname verification on connect to MySQL 5.1.73

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Duplicate
    • 2.0.2
    • 2.1.0
    • TLS
    • None

    Description

      Using Java 8 and MariaDB Connector/J 2.0.2-SNAPSHOT to connect to a MySQL 5.1.73 database using SSL does not appear to do hostname verification. This makes it vulnerable to a man-in-the-middle attack.

      To test this, I changed DNS resolution on the client machine where the Connector/J client is run to resolve db.example.com to the IP address of the real MySQL server host, which in this example I'll say is db.mycompany.com.

      The connection is created like this:

      try (Connection c = DriverManager.getConnection(url, user, new String(password))) {
        System.out.printf("Connection class:%n%s%n", c.getClass().getName());
      }
      

      where url is this:

      "jdbc:mariadb://db.example.com:3306/MYDB?useSSL=true"
      

      When I run the Connector/J client, no exception is thrown to indicate that hostname verification failed. This should not be! An exception should be thrown because db.example.com does not match the db.mycompany.com that appears in the Subject field and the Subject Alternative Name field of the server certificate.

      The server certificate has been signed by a trusted CA (i.e., Entrust). The server certificate contains a Subject field containing CN=db.mycompany.com and a Subject Alternative Name field containing DNS:db.mycompany.com as reported by the following OpenSSL command:

      % openssl x509 -in ServerCertificate.crt -noout -text
      

      The mysql client program from MySQL 5.7.18 correctly fails the connection:

      % mysql --ssl-mode=VERIFY_IDENTITY --ssl-capath=/path/to/system/certs -u myuser -p -h db.example.com -P 3306 MYDB
      Enter password:
      ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure
      

      Since it's likely a pain to change DNS resolution on the client machine, I also tried to reproduce this problem, and succeeded, by forwarding port 3306 of the loopback device on the client machine to the real MySQL server host and connecting to 127.0.0.1 port 3306. I did the port forwarding using SSH (which requires the ability to SSH into the MySQL server host):

      % ssh -L 127.0.0.1:3306:db.mycompany.com:3306 -N db.mycompany.com
      

      The Connector/J client happily connects and does not fail the connection with a url like this:

      "jdbc:mariadb://127.0.0.1:3306/MYDB?useSSL=true"
      

      The mysql client correctly fails the connection:

      % mysql --ssl-mode=VERIFY_IDENTITY --ssl-capath=/path/to/system/certs -u myuser -p -h 127.0.0.1 -P 3306 MYDB
      Enter password:
      ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure
      

      Attachments

        Issue Links

          Activity

            People

              diego dupin Diego Dupin
              jlmuir J. Lewis Muir
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.