MySQL Forums
Forum List  »  Connector/JDBC and Java

Re: Client cert required by Connector/J when server does not verify it?
Posted by: Filipe Silva
Date: June 02, 2017 08:23AM

Hi Lewis,

You don't need client certificates to use SSL support in Connector/J. Actually you don't need to use any certificates at all in the client side.

The documentation isn't complete regarding to this. If you wish you can file a Connector/J Documentation bug (https://bugs.mysql.com) so that you can track change/progress while we fix it.

So, for you to use SSL in Connector/J you just have to configure SSL on server, as long as you are using a not so old Connector/J version. I would recommend you to update to latest GA version if you haven't done yet, though.

Connector/J connects securely by default, as such you are not required to provide any client certificate (usually in a keystore) nor a CA certificate (usually in a truststore), but, in order to increase the security levels you may want to provide a truststore containing the CA certificate (system property 'javax.net.ssl.trustStore' or connection property 'trustCertificateKeyStoreUrl') which would used in conjunction with the connection property 'verifyServerCertificate', allowing the client to do an additional verification on the server certificate while establishing the connection, and/or you may want to provide client certificate/keys (system property 'javax.net.ssl.keyStore' or connection property 'clientCertificateKeyStoreUrl') in order to make the server do additional verifications on the client identity and security requirements (https://dev.mysql.com/doc/refman/5.7/en/create-user.html#create-user-tls).

You can find instructions and sample cases (in tests) on the Connector/J repository (https://github.com/mysql/mysql-connector-j/tree/release/5.1/src/testsuite/ssl-test-certs).

I hope this helps.

Options: ReplyQuote




Sorry, you can't reply to this topic. It has been closed.

Content reproduced on this site is the property of the respective copyright holders. It is not reviewed in advance by Oracle and does not necessarily represent the opinion of Oracle or any other party.