Description:
The current release of JConnector will not function with the optional JSSE 1.0.3_02 when an SSL connection is required from Java 1.2/3.
MySqlIO.java contains the following Java 1.4 only method:
SSLContext.setEnabledProtocols("TLSv1");
The JSSE 1.0.3_02 functionality should be as follows:
SSLContext c = SSLContext.getInstance("TLSv1");
c.init(mykeystore, mytruststore, mysecurerandom);
// SSLContext exposes the factory through getSocketFactory()
SSLSocketFactory f = c.getSocketFactory();
However this will also fail due to a (posted today) bug in the JSSE 1.0.3_02 implementation. The above SSLSocketFactory is not implementing a strict TLSv1/SSLv3.1 handshake as requested (it sends an SSLv2 header), and the connection will break.
How to repeat:
Set useSSL=true in the JDBC connect URL and attempt a connection when JSSE 1.0.3_02 is being used from a 1.2 or 1.3 Java Runtime. Debugging SSL (as specified in the JConnector Readme) reveals an SSLv2 handshake and the subsequent failure.
Suggested fix:
There is currently no fix for this situation. The JConnector documentation should clearly state that it will currently not function with SSL under the above circumstances. SSL will ONLY function when using a Java 1.4x runtime.
MySql is correctly implementing a strict TLSv1 handshake. It should be possible to modify the MySql handshake to allow the SSLv2 header to be sent, which is allowable for backwards compatibility but is not recommended.
See RFC 2246, "Backward Compatibility With SSL".
Due to the large number of Java 1.2/1.3 clients that could benefit from an SSL connection to MySql, maybe this could be implemented as an option to MySql?
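
The framing mismatch described in this report, as an added example that is not code from JConnector, JSSE or MySQL: it classifies the first bytes of a ClientHello as TLS record framing or the SSLv2-compatible framing, and models a strict peer beside one that tolerates the backward-compatible header. The class and method names and the sample bytes are constructed for illustration.

```java
public class ClientHelloFraming {
    enum Framing { TLS_RECORD, SSLV2_COMPATIBLE, UNKNOWN }

    // Decide which framing the first bytes sent by a client use.
    static Framing framing(byte[] b) {
        // TLS record: type(1)=0x16 handshake, version(2), length(2), handshake msg_type(1)=1
        if (b.length >= 6 && (b[0] & 0xFF) == 0x16 && b[5] == 1) return Framing.TLS_RECORD;
        // SSLv2 record: 2-byte header with the high bit set, then msg_type(1)=1 (client hello)
        if (b.length >= 5 && (b[0] & 0x80) != 0 && b[2] == 1) return Framing.SSLV2_COMPATIBLE;
        return Framing.UNKNOWN;
    }

    // Highest version the hello offers as major*256+minor (TLSv1 is 0x0301), or -1.
    static int offeredVersion(byte[] b) {
        switch (framing(b)) {
            case TLS_RECORD:
                // client_version follows the 5-byte record header and 4-byte handshake header
                return b.length >= 11 ? ((b[9] & 0xFF) << 8) | (b[10] & 0xFF) : -1;
            case SSLV2_COMPATIBLE:
                return ((b[3] & 0xFF) << 8) | (b[4] & 0xFF);
            default:
                return -1;
        }
    }

    // Simplified model of a strict TLSv1 peer: only TLS record framing is accepted.
    static boolean strictAccepts(byte[] b) {
        return framing(b) == Framing.TLS_RECORD && offeredVersion(b) >= 0x0301;
    }

    // Simplified model of a peer that also tolerates the SSLv2-compatible header
    // as long as the hello still offers TLSv1 or later.
    static boolean compatAccepts(byte[] b) {
        return strictAccepts(b)
            || (framing(b) == Framing.SSLV2_COMPATIBLE && offeredVersion(b) >= 0x0301);
    }

    static byte[] bytes(int... v) {
        byte[] out = new byte[v.length];
        for (int i = 0; i < v.length; i++) out[i] = (byte) v[i];
        return out;
    }

    public static void main(String[] args) {
        // Constructed samples: only the leading bytes of each hello, not a real capture.
        byte[] tls = bytes(0x16, 0x03, 0x01, 0x00, 0x2d, 0x01, 0x00, 0x00, 0x29, 0x03, 0x01);
        byte[] v2 = bytes(0x80, 0x2e, 0x01, 0x03, 0x01, 0x00, 0x15, 0x00, 0x00, 0x00, 0x10);
        for (byte[] hello : new byte[][] { tls, v2 }) {
            System.out.printf("%s offers 0x%04x strict=%b compat=%b%n", framing(hello),
                offeredVersion(hello), strictAccepts(hello), compatAccepts(hello));
        }
    }
}
```

Both sample hellos offer version 3.1; only the framing of the first bytes differs, which is what a strict peer rejects.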