[CONJ-856] Unable to connect with mariadb from spring boot application in SSL mode Created: 2021-02-10  Updated: 2022-08-16  Resolved: 2022-08-16

Status: Closed
Project: MariaDB Connector/J
Component/s: SSL
Affects Version/s: None
Fix Version/s: N/A

Type: Bug Priority: Minor
Reporter: Vishal Biradar Assignee: Diego Dupin
Resolution: Not a Bug Votes: 0
Labels: None


Description

I have MariaDB deployed as a pod in the k8s cluster.
The DB is enabled with SSL mode, which will not allow users/clients to log in to the DB without certs. So we cannot use a username and password to log in to the DB. We must use only the certificates to do so.

User creation statement:

CREATE USER 'test'@'%' REQUIRE X509;
GRANT ALL ON *.* TO 'test'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;

So we are not using any password while creating the user.

Login to DB:

mysql -uroot --ssl-key=/keys/peer-key.pem --ssl-cert=/certificates/peer.pem --ssl-ca=/ca/cacerts.pem

So I tried enabling SSL mode for MariaDB on the Spring Boot app side as shown below:

spring.datasource.url=jdbc:mariadb://IP:3306/myDB?useSSL=true&trustServerCertificate=true&serverSslCert=/certificates/peer.pem&disableSslHostnameVerification=true
spring.datasource.username=test
spring.datasource.password=
spring.datasource.driver-class-name=org.mariadb.jdbc.Driver

But I am getting an error:

Current charset is UTF-8. If password has been set using other charset, consider using option 'passwordCharacterEncoding'

Versions:

mariadb: mysql  Ver 15.1 Distrib 10.4.12-MariaDB, for Linux (x86_64) using readline 5.1
mariadb-java-client: 2.7.2
spring boot: 2.3.4



Comments
Comment by Diego Dupin [ 2021-02-11 ]

There is some confusion here:
"REQUIRE X509" means that SSL mutual authentication is mandatory = SSL AND client authentication.

Using the client:

mysql -uroot --ssl-key=/keys/peer-key.pem --ssl-cert=/certificates/peer.pem --ssl-ca=/ca/cacerts.pem

you indicate the server certificates with 'ssl-cert' and 'ssl-ca', so SSL will be OK (hostname verification is not enabled by default with the client), and ssl-key indicates the client private key file, to permit the server to authenticate the client.
So that is all right.

But for Java:

jdbc:mariadb://IP:3306/myDB?useSSL=true&trustServerCertificate=true&serverSslCert=/certificates/peer.pem&disableSslHostnameVerification=true

useSSL is OK, trustServerCertificate=true indicates to trust the server certificate, and disableSslHostnameVerification=true to , so that will permit encryption to be established, but trusting the server identity. The serverSslCert information won't be used.
The problem is probably that:

  • there is no user set, so the driver will use the current authenticated user. That might be problematic.
  • You don't indicate setting anything with a keystore. The client private key has to be configured in a keystore; without that, only a "REQUIRE SSL" user would work.

One way to do that is to use a truststore and keystore, with a simple connection string like:

jdbc:mariadb://IP:3306/myDB?user=root&useSSL=true

And either add the server certificate to the existing truststore and the client private key to the existing keystore,
or create a dedicated truststore and keystore, and add the options `trustStore` and `keyStore` with the corresponding paths.
Those steps can be done using the keytool command.
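The keystore/truststore setup described in the comment above, as an added example rather than code from the thread or from the Connector/J project. It reuses the certificate paths from the report, builds a PKCS12 keystore (client key + cert) with openssl and a PKCS12 truststore (CA cert) with keytool, then composes the JDBC URL with the `trustStore`/`keyStore` options. The output directory, store password, host and alias names are constructed placeholders; the option names follow the Connector/J 2.x documentation as I recall them and should be checked against the driver version in use. `check_url` is a small lint that rejects the URL shape from the report (no keystore, or `trustServerCertificate=true`/`disableSslHostnameVerification=true`, which skip server identity verification).

```shell
#!/bin/sh
# Added example: prepare Java key/trust stores for a REQUIRE X509 MariaDB user
# and build the matching Connector/J URL. Not part of the original issue.
set -eu

CLIENT_CERT=/certificates/peer.pem    # client certificate (path from the report)
CLIENT_KEY=/keys/peer-key.pem         # client private key (path from the report)
CA_CERT=/ca/cacerts.pem               # CA that signed the server cert (path from the report)
OUT_DIR=${OUT_DIR:-/etc/mariadb-ssl}  # constructed: where the stores are written
STORE_PASS=${STORE_PASS:-changeit}    # constructed placeholder; use a real secret

# Step 1: bundle the client key and certificate into a PKCS12 keystore.
# Connector/J reads the client identity from keyStore; a bare PEM key is not enough.
build_keystore() {
    openssl pkcs12 -export \
        -in "$CLIENT_CERT" -inkey "$CLIENT_KEY" \
        -name mariadb-client \
        -out "$OUT_DIR/client-keystore.p12" -passout "pass:$STORE_PASS"
}

# Step 2: import the CA certificate into a PKCS12 truststore, so the driver
# verifies the server certificate instead of relying on trustServerCertificate=true.
build_truststore() {
    keytool -importcert -noprompt \
        -alias mariadb-ca -file "$CA_CERT" \
        -keystore "$OUT_DIR/truststore.p12" -storetype PKCS12 \
        -storepass "$STORE_PASS"
}

# Step 3: compose the JDBC URL. user=<name> is set explicitly (the report left it
# unset) and no password is needed because the user was created with REQUIRE X509.
# Option names per Connector/J 2.x docs (assumed; verify for your driver version).
jdbc_url() {
    host=$1; port=$2; db=$3; user=$4; ks=$5; ts=$6
    printf 'jdbc:mariadb://%s:%s/%s?user=%s&useSSL=true' "$host" "$port" "$db" "$user"
    printf '&keyStore=%s&keyStorePassword=%s&keyStoreType=PKCS12' "$ks" "$STORE_PASS"
    printf '&trustStore=%s&trustStorePassword=%s&trustStoreType=PKCS12\n' "$ts" "$STORE_PASS"
}

# Lint: a URL for a REQUIRE X509 user must carry a keyStore, and must not switch
# off server identity checks (the two options the original report used).
check_url() {
    case "$1" in
        *trustServerCertificate=true*|*disableSslHostnameVerification=true*)
            echo "check_url: server identity verification is disabled" >&2
            return 1 ;;
    esac
    case "$1" in
        *keyStore=*) return 0 ;;
        *) echo "check_url: no keyStore, client authentication will fail" >&2
           return 1 ;;
    esac
}

# Run the store-building steps only when explicitly asked (needs openssl/keytool).
if [ "${1:-}" = "build" ]; then
    mkdir -p "$OUT_DIR"
    build_keystore
    build_truststore
    url=$(jdbc_url db.example.internal 3306 myDB test \
          "$OUT_DIR/client-keystore.p12" "$OUT_DIR/truststore.p12")
    check_url "$url" && echo "spring.datasource.url=$url"
fi
```

Run it as `sh build-stores.sh build` on the client side with the three PEM files mounted; the printed `spring.datasource.url` line replaces the one from the report, and `spring.datasource.username`/`password` can stay empty since the user is carried in the URL and authenticates with the certificate. The CA certificate still has to be present in the client pod (the mysql command in the report already uses it via `--ssl-ca`), so mount it alongside the client key and certificate.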

Comment by Vishal Biradar [ 2021-02-11 ]

@Diego Dupin
MariaDB will be running in a different pod, so we will not have the certs of that pod in the pod where the Spring Boot (client) app is running.
So please let me know how I can connect to the DB, and let me know the keytool command to do so.
Please help me with example code; I have been blocked for two days.
I have the certs of the Spring Boot app in the pod.

Generated at Thu Feb 08 03:18:49 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.