Re: Client cert required by Connector/J when server does not verify it?
Posted by: J. Lewis Muir
Date: June 02, 2017 02:03PM

Hello, Filipe!

> You don't need client certificates to use SSL support in Connector/J. Actually you don't need to use any certificates at all in the client side.

OK, great!

> The documentation isn't complete regarding this. If you wish you can file a Connector/J Documentation bug (https://bugs.mysql.com) so that you can track change/progress while we fix it.

OK, I filed

http://bugs.mysql.com/86564

> Connector/J connects securely by default, as such you are not required to provide any client certificate (usually in a keystore) nor a CA certificate (usually in a truststore), but, in order to increase the security levels you may want to provide a truststore containing the CA certificate (system property 'javax.net.ssl.trustStore' or connection property 'trustCertificateKeyStoreUrl') which would be used in conjunction with the connection property 'verifyServerCertificate', allowing the client to do an additional verification on the server certificate while establishing the connection.

What do you mean by "in order to increase the security levels you may want to provide a truststore containing the CA certificate"? Why would doing that make the connection any more secure?

What I want is an SSL connection method like a web browser uses: I want Connector/J to verify the server certificate chain all the way up to the CA root that already exists in the default Java TrustStore shipped with the JDK/JRE, and I want Connector/J to do hostname verification on the certificate presented by the server to protect against a man-in-the-middle attack. Those are the two things necessary for a secure connection. If Connector/J does not do hostname verification, then the SSL connection is not secure in my book.

> You can find instructions and sample cases (in tests) on the Connector/J repository (https://github.com/mysql/mysql-connector-j/tree/release/5.1/src/testsuite/ssl-test-certs).

Hmm, I'm not sure I found what you're referring to. I see SSLTest:

https://github.com/mysql/mysql-connector-j/tree/release/5.1/src/testsuite/simple/SSLTest.java

but there's not much there.

And I see ConnectionRegressionTest.testBug20685022:

https://github.com/mysql/mysql-connector-j/tree/release/5.1/src/testsuite/regression/jdbc4/ConnectionRegressionTest.java

which has three cases:

1. "non verifying server certificate"
2. "verifying server certificate using key store provided by connection properties"
3. "verifying server certificate using key store provided by system properties"

I don't see a case for verifying a server certificate that has been signed by a trusted CA with no TrustStore being provided and also performing hostname verification.

> I hope this helps.

It does! Thank you for your reply!
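The two settings discussed in this thread side by side, as an added example that is not code from the thread or from Connector/J itself: the weak form accepts any server certificate, the hardened form relies on 'verifyServerCertificate' with the JDK's default truststore and confirms afterwards that the session really is encrypted. It assumes Connector/J 5.1 on the classpath, a server at db.example.com whose certificate chains to a CA in the JDK cacerts, and placeholder credentials.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;
// Added example, not code from the thread or from Connector/J. Assumes Connector/J 5.1
// and a server at db.example.com whose certificate chains to a CA in the JDK's cacerts.
public class ConnectorJTlsCheck {
    private static final String URL = "jdbc:mysql://db.example.com:3306/test";

    private static Properties baseProps() {
        Properties p = new Properties();
        p.setProperty("user", "app_user");      // placeholder credentials
        p.setProperty("password", "CHANGE_ME");
        return p;
    }

    // Weak: the link is encrypted, but any server certificate is accepted, so an
    // active man-in-the-middle presenting its own certificate goes unnoticed.
    static Properties weakProps() {
        Properties p = baseProps();
        p.setProperty("useSSL", "true");
        p.setProperty("verifyServerCertificate", "false");
        return p;
    }

    // Hardened: TLS is mandatory and the server chain must validate against the
    // JDK default truststore, since no trustCertificateKeyStoreUrl is given.
    // Caveat: Connector/J 5.1 still does not match the hostname against the
    // certificate; Connector/J 8.0 adds sslMode=VERIFY_IDENTITY for that.
    static Properties hardenedProps() {
        Properties p = baseProps();
        p.setProperty("useSSL", "true");
        p.setProperty("requireSSL", "true");
        p.setProperty("verifyServerCertificate", "true");
        return p;
    }

    // Asks the server which cipher the session negotiated; an empty string means
    // the session is not encrypted at all. With hardenedProps(), a server that
    // presents an untrusted certificate makes getConnection() throw instead.
    static String negotiatedCipher(Properties props) throws SQLException {
        try (Connection c = DriverManager.getConnection(URL, props);
             Statement s = c.createStatement();
             ResultSet rs = s.executeQuery("SHOW SESSION STATUS LIKE 'Ssl_cipher'")) {
            return rs.next() ? rs.getString(2) : "";
        }
    }
}
```

Calling negotiatedCipher(hardenedProps()) and treating an empty result as a failure gives a deployment-time check that the encryption and certificate validation actually took effect, rather than trusting the URL parameters alone.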
