yin yang

Reputation: 229

MySQL JDBC encryption using SSL

The MySQL server (a remote machine running Red Hat 7 with MySQL version 5.7.11) has SSL enabled, as can be seen below:

+---------------+--------------------------------+
| Variable_name | Value                          |
+---------------+--------------------------------+
| have_openssl  | YES                            |
| have_ssl      | YES                            |
| ssl_ca        | /var/lib/mysql/ca.pem          |
| ssl_capath    |                                |
| ssl_cert      | /var/lib/mysql/server-cert.pem |
| ssl_cipher    |                                |
| ssl_crl       |                                |
| ssl_crlpath   |                                |
| ssl_key       | /var/lib/mysql/server-key.pem  |

I am trying to establish JDBC encryption using SSL (not authentication) from my local machine (Windows). Below is the JDBC code which does that:

import java.sql.*;

public class MysqlConnect
{
    public static void main (String[] args)
    {
        try
        {
            // Works with these truststore values, but gives the error below without them
            //System.setProperty("javax.net.ssl.trustStore", "cacerts");
            //System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
            Class.forName("com.mysql.jdbc.Driver").newInstance();
            // The URL must be a single string literal; a line break inside the quotes does not compile
            String url = "jdbc:mysql://IPAddress:3306/DBName?"
                       + "verifyServerCertificate=false&useSSL=true&requireSSL=true";
            String user = "root";
            String password = "password";
            Connection con = DriverManager.getConnection(url,user,password);
            con.close();
        }
        catch (Exception ex)
        {
            ex.printStackTrace();
        }
    }
}

I have followed this link to create certificates: https://dev.mysql.com/doc/refman/5.7/en/creating-ssl-files-using-openssl.html . Now if I add the server certificate to C:\Program Files\Java\jdk1.8\jre\lib\security\cacerts and use this truststore I do see an encrypted connection in Wireshark; however, if I do not provide a truststore name and password I get the following error (the reason I do so is because, according to my understanding, unlike SSL authentication, JDBC encryption using SSL should not require client truststore parameters):

javax.net.ssl.SSLHandshakeException
MESSAGE: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

STACKTRACE:

javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source) .

My question is, does one need to add the server certificate to the client truststore (and provide truststore details) even when trying to do only JDBC encryption using SSL (not SSL authentication)?

I have already seen this associated link :

JDBC parameter verifyServerCertificate=false connects without the need for a clientkeystore and truststore

but I still get the error with verifyServerCertificate=false (is it dependent on the MySQL version or on the use of a self-signed certificate)?

Upvotes: 1

Views: 2996

Answers (2)

user207421

Reputation: 311018

JDBC encryption using SSL should not require client truststore parameters

What makes you think that? You are mistaken. It does, if you are using self-signed certificates.

Upvotes: -1
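An added example (not code from the question or either answer) of what supplying the truststore looks like when the server uses a self-signed CA: the CA from the server's ca.pem is imported into a dedicated JKS file, that file is passed to Connector/J as per-connection properties, and verifyServerCertificate stays on so the client actually checks who it is talking to. The host, database, user, password, truststore path and the appuser/secret values are placeholders; the trustCertificateKeyStore* property names are Connector/J 5.1 properties, and the final query asks the server which cipher the session negotiated.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

public class MysqlSslConnect {
    // Placeholder host and database; replace with your own.
    private static final String URL = "jdbc:mysql://dbhost.example:3306/DBName";

    /** Opens a TLS connection that verifies the server against our own truststore. */
    public static Connection connect(String trustStorePath, String trustStorePassword,
                                     String user, String password) throws SQLException {
        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", password);
        props.setProperty("useSSL", "true");
        props.setProperty("requireSSL", "true");
        // Keep verification ON: the driver checks the server certificate against
        // the truststore below, so a server presenting another cert is rejected.
        props.setProperty("verifyServerCertificate", "true");
        // Per-connection truststore: no javax.net.ssl.* system properties and no
        // edits to the JDK's shared cacerts file are needed.
        props.setProperty("trustCertificateKeyStoreUrl", "file:" + trustStorePath);
        props.setProperty("trustCertificateKeyStoreType", "JKS");
        props.setProperty("trustCertificateKeyStorePassword", trustStorePassword);
        return DriverManager.getConnection(URL, props);
    }

    /** Returns the cipher the server reports for this session; empty means plaintext. */
    public static String sessionCipher(Connection con) throws SQLException {
        try (Statement st = con.createStatement();
             ResultSet rs = st.executeQuery("SHOW SESSION STATUS LIKE 'Ssl_cipher'")) {
            return rs.next() ? rs.getString("Value") : "";
        }
    }

    public static void main(String[] args) throws Exception {
        // Truststore built beforehand from the server's CA certificate (placeholder paths):
        //   keytool -importcert -alias mysql-ca -file ca.pem -keystore mysql-truststore.jks -storepass changeit
        try (Connection con = connect("mysql-truststore.jks", "changeit", "appuser", "secret")) {
            System.out.println("Ssl_cipher = " + sessionCipher(con));
        }
    }
}
```

If Ssl_cipher comes back empty, the session is not encrypted regardless of what the URL asked for, which is a cheaper check than reading the handshake in Wireshark.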

yin yang

Reputation: 229

The code works fine from a different system and I can establish a secure connection. The exact reason as to why it fails is still unknown; however, this is my hypothesis: even though I am not using cacerts (truststore) in my JDBC code, it seems like the remote server has saved the client identity somewhere and is still referring to that.

If someone is facing a similar issue you may try recreating the server certificates and restarting your DB server and, just for sanity's sake, removing the corresponding certificates from the truststore or creating and using a new truststore.

In Wireshark you should see something like this:

1   source IP   Dest IP TLSv1.2 220 Client Hello
2   Dest IP     source IP TLSv1.2   1140    Server Hello, Certificate, Server Key Exchange, Server Hello Done
3   source IP   Dest IP TLSv1.2 129 Client Key Exchange
4   source IP   Dest IP TLSv1.2 60  Change Cipher Spec
5   source IP   Dest IP TLSv1.2 99  Encrypted Handshake Message

If you see this in Wireshark, that means you are now connected via an SSL-encrypted link (obviously this is just a workaround, as the root cause of this behavior is still not known).

Upvotes: 0
