Steve Chambers

Reputation: 39394

How to make an SSL connection to MySQL using MariaDB Connector/J?

I'm using MySQL 5.7.10 with SSL enabled and certificates generated as per these instructions. My Java 7 application uses MariaDB Connector/J and SSL is enabled in the JDBC URL:

jdbc:mysql://dbservername:3306/dbname?useSSL=true&trustServerCertificate=false

But the connection fails with:

Caused by: java.lang.RuntimeException: Could not generate DH keypair
...
Caused by: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)

According to this blog post, the problem could be resolved by:

  1. Upgrading to Java 8 (or higher).
  2. Downgrading to MySQL 5.7.5 (or lower).
  3. Excluding Diffie-Hellman (DH) ciphers.

(1) isn't an option on the project I'm working on. (2) seems restrictive and would prevent access to future MySQL improvements. (3) seems the most promising: I've verified it does work with MySQL Connector/J but unfortunately its GPL license prevents me from being able to use it on my project.

Does MariaDB Connector/J have an equivalent property to enabledSSLCipherSuites or is there any other way to prevent it from using DH ciphers when connecting?

Upvotes: 2

Views: 4220

Answers (1)

Steve Chambers

Reputation: 39394

The requested feature options have now been implemented in MariaDB Connector/J version 1.5.0-RC:

enabledSslProtocolSuites: Force TLS/SSL protocol to a specific set of TLS versions (comma separated list). Example: "TLSv1, TLSv1.1, TLSv1.2". Default: TLSv1, TLSv1.1. Since 1.5.0.

enabledSslCipherSuites: Force TLS/SSL cipher (comma separated list). Example: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384". Default: use JRE ciphers. Since 1.5.0.

(See the comments below the question, the release notes and this Jira ticket.)

Upvotes: 2
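An added example, not part of the original answer or of the MariaDB project's code: it builds the enabledSslCipherSuites value from the JRE's own default suites with the finite-field DH ones removed, instead of hard-coding a list. It assumes Connector/J 1.5.0 or later on the classpath and that the driver reads the option from connection Properties the same way it does from the URL; the class name and the user/password arguments are hypothetical, and the host and database names are the question's placeholders.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;
import javax.net.ssl.SSLContext;

public class NoDhCipherSuites {

    // True for finite-field Diffie-Hellman suites (TLS_DHE_*, SSL_DHE_*, *_DH_anon_*).
    // ECDHE/ECDH names do not match because an underscore must directly precede "DH".
    static boolean usesFiniteFieldDh(String suite) {
        return suite.contains("_DHE_") || suite.contains("_DH_");
    }

    // Comma separated list of the JRE's default-enabled suites minus the DH ones.
    // Starting from the defaults avoids switching on suites the JRE ships disabled.
    static String nonDhSuites() throws Exception {
        String[] enabled = SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites();
        StringBuilder list = new StringBuilder();
        for (String suite : enabled) {
            if (usesFiniteFieldDh(suite)) continue;
            if (list.length() > 0) list.append(',');
            list.append(suite);
        }
        return list.toString();
    }

    public static void main(String[] args) throws Exception {
        String suites = nonDhSuites();
        System.out.println("enabledSslCipherSuites=" + suites);
        if (args.length < 2) return; // no credentials given: only show the list

        Properties props = new Properties();
        props.setProperty("user", args[0]);      // hypothetical account
        props.setProperty("password", args[1]);
        props.setProperty("enabledSslCipherSuites", suites);
        // URL as in the question: certificate validation stays on
        String url = "jdbc:mysql://dbservername:3306/dbname?useSSL=true&trustServerCertificate=false";
        try (Connection c = DriverManager.getConnection(url, props)) {
            System.out.println("Connected: " + c.getMetaData().getDatabaseProductVersion());
        }
    }
}
```

ECDHE suites stay in the list, so forward secrecy is kept only when the server offers one of them; running SHOW STATUS LIKE 'Ssl_cipher' on the open connection shows which suite was actually negotiated.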
