Re: Client cert required by Connector/J when server does not verify it?
Posted by: Filipe Silva
Date: June 07, 2017 09:09PM

Hi Lewis,

> What do you mean by, "in order to increase the security levels you may want to provide a truststore containing the CA certificate?" Why would doing that make the connection any more secure?

I'm thinking of the most common use case which is a setup that uses self-signed certificates. Usually the MySQL server stands in the same private network as the mid application layer where the driver is running, so, it is more frequent to manage keys and certificates internally than have them signed by some official certificate authority.

> What I want is an SSL connection method like a web browser uses: I want Connector/J to verify the server certificate chain all the way up to the CA root that already exists in the default Java TrustStore shipped with the JDK/JRE, and I want Connector/J to do hostname verification on the certificate presented by the server to protect against a man-in-the-middle attack. Those are the two things necessary for a secure connection. If Connector/J does not do hostname verification, then the SSL connection is not secure in my book.

Unfortunately the default SSL implementation in Java doesn't support hostname verification, as such Connector/J is not doing it either. By setting the connection property 'verifyServerCertificate=true' and 'useSSL=true' together you force the driver to perform certificate validation against the provided TrustStore, but that's it.

WRT testing there are a few in testsuite.simple.ConnectionTest too, and you are right, none is testing a server certificate signed by a trusted CA because we don't have such certificates in the project sources.

Regarding the hostname verification issue you may file a feature request in the same bug system. We'll see what we can do about it.

Thank you for your interest in Connector/J

Options: ReplyQuote

Sorry, you can't reply to this topic. It has been closed.

Content reproduced on this site is the property of the respective copyright holders. It is not reviewed in advance by Oracle and does not necessarily represent the opinion of Oracle or any other party.