Uploaded image for project: 'MariaDB Connector/J'
  1. MariaDB Connector/J
  2. CONJ-670

MariaDB java connector ability to Refresh SSL certificate

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.4.0, 1.8.0
    • Component/s: SSL
    • Labels:
      None

      Description

      We have some applications that run in a Cloudfoundry environment using the cloudfoundry java buildpack. In that environment, a security provider loads certificates from /etc/ssl/certs/ca-certificates.crt. When using mysql-connector-j, we find that CA certificates from this location are automatically trusted by our app and TLS connections are successfully established.

      However, when using the mariadb java connector, we always get an "unknown ca" error:

      2018-10-18T11:50:32.00-0500 [APP/PROC/WEB/0] OUT java.sql.SQLNonTransientConnectionException: Could not connect to q-n3s3y1.q-g651.bosh:3306 : Received fatal alert: unknown_ca
      2018-10-18T11:50:32.00-0500 [APP/PROC/WEB/0] OUT at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.get(ExceptionMapper.java:234) ~[mariadb-java-client-2.3.0.jar!/:na]
      2018-10-18T11:50:32.00-0500 [APP/PROC/WEB/0] OUT at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.getException(ExceptionMapper.java:165) ~[mariadb-java-client-2.3.0.jar!/:na]
      

      It seems that the MariaDB java connector is not finding the CA certificates loaded by the security provider and this does not affect mysql-connector-j.

      After some experimentation, we found that we could work around this problem by hardcoding the CA certificates location in our jdbcURL via the serverSslCert=/etc/ssl/certs/ca-certificates.crt (or similar). However, we would much prefer that the CA certificate is automatically trusted via the Cloudfoundry java buildpack's security provider rather than explicitly twiddling our jdbcURLs.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                diego dupin Diego Dupin
                Reporter:
                andrew.garner Andrew Garner
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: