I am attempting to use the following setup to create an SSL connection to a MySQL server. I noticed that when I specify verifyServerCertificate=false in the JDBC URL, Java seems to ignore the keystore and truststore information I specified via System.setProperty. So I could comment out the code specified in 1) and the SSL connection will still be created successfully. When I specify verifyServerCertificate=true it seems to use the values set by 1). So my question is: how is JDBC able to create an SSL connection when verifyServerCertificate=false, without using a client keystore and truststore? Thanks.
Java Code
1)
System.setProperty("javax.net.ssl.keyStore",(String) keyStorePath);
System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword);
System.setProperty("javax.net.ssl.trustStore",(String) trustStorePath);
System.setProperty("javax.net.ssl.trustStorePassword",(String) trustStorePassword);
2)
String jdbcURL = "jdbc:mysql://192.11.11.111/database?verifyServerCertificate=false&useSSL=true&requireSSL=true";
3)
Connection con = DriverManager.getConnection(jdbcURL, dbuser, dbpassword);
MYSQL Server
Grant statement:
4)
GRANT ALL PRIVILEGES ON *.* TO 'dbuser'@'%' IDENTIFIED BY PASSWORD '*2343ASDFWETDFGDSFGSDFGSDSDFWERASF' REQUIRE SSL WITH GRANT OPTION;
edit to my.cnf file
5)
[mysqld]
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem
Additional Information
6) I'm using a certificate authority I created.
7) Response to query
show variables like '%ssl%';
have_openssl YES
have_ssl YES
ssl_ca /etc/mysql/certs/ca.pem
ssl_capath
ssl_cert /etc/mysql/certs/server-cert.pem
ssl_cipher
ssl_crl
ssl_crlpath
ssl_key /etc/mysql/certs/server-key.pem
Java can definitely establish an SSL connection without a client validating the certificate chain of the server.
The classes that are establishing the connection (javax.net.ssl classes) would normally treat the unverified server certificate with suspicion and would fail the handshake.
But they provide a way for the users of those classes to in effect say "It's ok if the server's certificate doesn't validate, go ahead and establish the connection".
That is what's happening when you say verifyServerCertificate=false.
The SSL connection is perfectly valid from a cryptographic perspective but it is not an authenticated connection because you have no idea what the source of the server certificate is.
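As an added illustration of the two settings discussed above (not code from the question or the answer), the snippet below puts the unverified URL beside a verified one that pins the driver to the custom CA, and checks on the open session that TLS is actually in use. Host, database, credentials and truststore path are placeholders; `trustCertificateKeyStoreUrl`/`trustCertificateKeyStorePassword` are the Connector/J properties for supplying the CA truststore to the driver directly instead of through `javax.net.ssl.*` system properties.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class MysqlTlsCheck {
    // Placeholders (assumptions for this example), not values from the question.
    static final String HOST = "db.example.internal";
    static final String DB = "database";
    static final String TRUSTSTORE_URL = "file:/path/to/truststore.jks"; // holds only your CA certificate
    static final String TRUSTSTORE_PASSWORD = "changeit";

    // Encrypted but NOT authenticated: the driver installs its own trust manager that accepts
    // any server certificate, so javax.net.ssl.trustStore is never consulted.
    static final String URL_UNVERIFIED = "jdbc:mysql://" + HOST + "/" + DB
        + "?useSSL=true&requireSSL=true&verifyServerCertificate=false";

    // Encrypted AND authenticated: the server chain must validate against the CA in the truststore,
    // otherwise getConnection() fails with an SSL handshake SQLException.
    static final String URL_VERIFIED = "jdbc:mysql://" + HOST + "/" + DB
        + "?useSSL=true&requireSSL=true&verifyServerCertificate=true"
        + "&trustCertificateKeyStoreUrl=" + TRUSTSTORE_URL
        + "&trustCertificateKeyStorePassword=" + TRUSTSTORE_PASSWORD;

    /** Cipher negotiated for this session; empty string means the session is in clear text. */
    static String sessionCipher(Connection con) throws SQLException {
        try (Statement st = con.createStatement();
             ResultSet rs = st.executeQuery("SHOW SESSION STATUS LIKE 'Ssl_cipher'")) {
            return rs.next() ? rs.getString(2) : "";
        }
    }

    public static void main(String[] args) throws SQLException {
        String user = args[0], password = args[1];
        try (Connection con = DriverManager.getConnection(URL_VERIFIED, user, password)) {
            String cipher = sessionCipher(con);
            if (cipher.isEmpty()) {
                throw new IllegalStateException("session is not encrypted");
            }
            System.out.println("verified TLS session, cipher " + cipher);
        }
        // Against a server whose certificate is not signed by the CA in the truststore, the same code
        // with URL_UNVERIFIED would still connect and still report a cipher: only the chain check is skipped.
    }
}
```

`Ssl_cipher` being non-empty only proves encryption; the chain check that proves you are talking to the intended server is what verifyServerCertificate=true adds.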