I am attempting to use the following setup to create an ssl connection to a MYSQL server. I noticed that when I specify verifyServerCertificate=false in the jdbc url, Java seems to ignore the keystore and truststore information I specified via System.setProperty. So I could comment out the code specified in 1) and the ssl connection will still be created successfully. When I specify verifyServerCertificate=true it seems to use the values set by 1). So my question is how is JDBC able to create an ssl connection when verifyServerCertificate=false, without using a client keystore and truststore? Thanks.
Java Code
1)
// JVM-wide key material and trust anchors for javax.net.ssl
System.setProperty("javax.net.ssl.keyStore", (String) keyStorePath);
System.setProperty("javax.net.ssl.keyStorePassword", (String) keyStorePassword);
System.setProperty("javax.net.ssl.trustStore", (String) trustStorePath);
System.setProperty("javax.net.ssl.trustStorePassword", (String) trustStorePassword);
2)
String jdbcURL = "jdbc:mysql://192.11.11.111/database?verifyServerCertificate=false&useSSL=true&requireSSL=true";
3)
Connection con = DriverManager.getConnection(jdbcURL, dbuser, dbpassword);
MYSQL Server
Grant statement:
4)
GRANT ALL PRIVILEGES ON *.* TO 'dbuser'@'%' IDENTIFIED BY PASSWORD '*2343ASDFWETDFGDSFGSDFGSDSDFWERASF' REQUIRE SSL WITH GRANT OPTION;
edit to my.cnf file
5)
[mysqld]
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem
Additional Information
6) I am using a certificate authority I created.
7) Response to query
show variables like '%ssl%';
have_openssl YES
have_ssl YES
ssl_ca /etc/mysql/certs/ca.pem
ssl_capath
ssl_cert /etc/mysql/certs/server-cert.pem
ssl_cipher
ssl_crl
ssl_crlpath
ssl_key /etc/mysql/certs/server-key.pem
For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.
You can configure database connections to use the Secure Sockets Layer (SSL) protocol. The client must use the same public key certificate file as the server.
MySQL Connector/J uses SSL to encrypt all data that is communicated between the JDBC driver and the MySQL server.
Disabling SSL in MySQL: if your requirement is to completely turn off SSL on the MySQL server instead of the default option of "enabled, but optional" mode, we can do the following: delete the *.pem certificate and key files in the MySQL data directory, then start MySQL with the SSL option turned off.
Java can definitely establish an SSL connection without a client validating the certificate chain of the server.
The classes that are establishing the connection (javax.net.ssl classes) would normally treat the unverified server certificate with suspicion and would fail the handshake.
But they provide a way for the users of those classes to in effect say "It's ok if the server's certificate doesn't validate, go ahead and establish the connection".
That is what's happening when you say verifyServerCertificate=false.
The SSL connection is perfectly valid from a cryptographic perspective but it is not an authenticated connection because you have no idea what the source of the server certificate is.
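To make the distinction in the answer concrete, here is an added example (not code from the question, the answer, or MySQL Connector/J itself). It parses the legacy useSSL / requireSSL / verifyServerCertificate parameters out of a jdbc:mysql:// URL and reports what the transport actually guarantees, and it shows a hardened variant that sets verifyServerCertificate=true and hands the driver a per-connection truststore. The host, database, credentials and truststore path are placeholders; the semantics encoded in classify() are the ones the answer describes (verifyServerCertificate=false means the driver accepts any server certificate), and the behaviour when useSSL is left unset is deliberately reported as version-dependent rather than assumed.

```java
import java.net.URI;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;

/**
 * Reports the security posture implied by a MySQL Connector/J URL and shows
 * the hardened configuration (server certificate verified against a
 * driver-level truststore).
 */
public class JdbcSslPosture {

    /** Parse the query part of a jdbc:mysql:// URL into an ordered key/value map. */
    static Map<String, String> queryParams(String jdbcUrl) {
        Map<String, String> params = new LinkedHashMap<>();
        // Drop the "jdbc:" prefix so java.net.URI can parse the rest.
        String plain = jdbcUrl.startsWith("jdbc:") ? jdbcUrl.substring("jdbc:".length()) : jdbcUrl;
        String query = URI.create(plain).getRawQuery();
        if (query == null) {
            return params;
        }
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq < 0) {
                params.put(pair, "");
            } else {
                params.put(pair.substring(0, eq), pair.substring(eq + 1));
            }
        }
        return params;
    }

    /**
     * One-line posture description. useSSL=false is plaintext; useSSL=true with
     * verifyServerCertificate=false is encrypted but the server is not
     * authenticated because any certificate is accepted; verifyServerCertificate=true
     * checks the chain against the configured truststore.
     */
    static String classify(String jdbcUrl) {
        Map<String, String> p = queryParams(jdbcUrl);
        String useSsl = p.get("useSSL");
        if (useSsl == null) {
            return "UNSPECIFIED: useSSL not set; the driver's version-dependent default applies";
        }
        if (!Boolean.parseBoolean(useSsl)) {
            return "PLAINTEXT: useSSL=false";
        }
        boolean requireSsl = Boolean.parseBoolean(p.getOrDefault("requireSSL", "false"));
        boolean verify = Boolean.parseBoolean(p.getOrDefault("verifyServerCertificate", "false"));
        String fallback = requireSsl ? "" : " (requireSSL=false allows fallback to plaintext)";
        if (!verify) {
            return "ENCRYPTED, UNAUTHENTICATED: verifyServerCertificate=false accepts any server certificate" + fallback;
        }
        return "ENCRYPTED, AUTHENTICATED: server certificate checked against the truststore" + fallback;
    }

    /**
     * Hardened variant. The truststore is passed as Connector/J connection
     * properties, scoped to this connection, instead of JVM-wide
     * javax.net.ssl.* system properties. Needs mysql-connector-java on the
     * classpath and a reachable server; all arguments are placeholders.
     */
    static Connection openVerifiedConnection(String host, String db, String user, String password,
                                             String trustStorePath, String trustStorePassword)
            throws SQLException {
        String url = "jdbc:mysql://" + host + "/" + db
                + "?useSSL=true&requireSSL=true&verifyServerCertificate=true";
        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", password);
        props.setProperty("trustCertificateKeyStoreUrl", "file:" + trustStorePath);
        props.setProperty("trustCertificateKeyStorePassword", trustStorePassword);
        props.setProperty("trustCertificateKeyStoreType", "JKS");
        return DriverManager.getConnection(url, props);
    }

    public static void main(String[] args) {
        // The URL from the question, and the same URL with verification turned on.
        String asked = "jdbc:mysql://192.11.11.111/database?verifyServerCertificate=false&useSSL=true&requireSSL=true";
        String hardened = "jdbc:mysql://192.11.11.111/database?verifyServerCertificate=true&useSSL=true&requireSSL=true";
        System.out.println(classify(asked));
        System.out.println(classify(hardened));
    }
}
```

With the hardened URL the driver only completes the handshake if the server certificate chains to a CA in the truststore you supply, which is the authentication the answer says is missing; the client keystore in the question is only needed if the server is configured to demand a client certificate (REQUIRE X509), not for REQUIRE SSL. On Connector/J 8.0 the same intent is expressed with sslMode=VERIFY_CA (or VERIFY_IDENTITY to also check the hostname) rather than the three legacy flags.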