Bug #86278 Support custom construction of SSLSocket during connection establishment
Submitted: 11 May 2017 6:16 Modified: 10 Apr 2018 1:48
Reporter: Jason Rahman Email Updates:
Status: Closed Impact on me:
None 
Category:Connector / J Severity:S4 (Feature request)
Version:6.0.6 OS:Any
Assigned to: CPU Architecture:Any

[11 May 2017 6:16] Jason Rahman 
Description:
Currently, Connector/J supports a custom SocketFactory that supports returning a custom constructed socket at initial connection establishment via beforeHandshake(), and can provide a different (or the same) socket for use after the protocol handshake has completed via afterHandshake(). However, the afterHandshake() method currently cannot be used for constructing an SSLSocket, because the SSLSocket creation and SSL handshake must be performed mid-way through the MySQL handshake sequence, and the use of SSL itself alters the sequence of the handshake. There are a number of use-cases for customizing creation of the SSLSocket used, ranging from using optimized SSL libraries (JNI-wrapped OpenSSL), to leveraging customized certificate infrastructure, among others.

How to repeat:
As an initial experiment I attempted to create a custom socket factory that would create and return a SSLSocket in the afterHandshake() method in an implementation of SocketFactory. However, it failed because Connector/J did not send an SSL Request packet to MySQL Server so the server did not participate in the SSL handshake, which failed as a result. Further inspection of the Connection/J code revealed that the current behavior of afterHandshake() precludes its use to handle SSLSocket creation for SSL connections.

Suggested fix:
Support either a custom SSLSocketFactory (that accepts the Properties object passed in to the Driver.connect() call), or extend the SocketFactory interface with a new method to take over responsibility for wrapping the original Socket with an SSLSocket during the MySQL protocol handshake.
[17 May 2017 11:41] Alexander Soklakov 
Hi Jason,

Thanks for this request, we really should consider this functionality.
[14 Jun 2017 17:25] Jason Rahman 
Some further details, the exact issue in the code is that ConnectionImpl calls MysqlIO.doHandshake() here:
https://github.com/mysql/mysql-connector-j/blob/1f61b0b0270d9844b006572ba4e77f19c0f230d4/s...

MysqlIO.doHandshake() calls MysqlIO.negotiateSSLConnection() either here:
https://github.com/mysql/mysql-connector-j/blob/83c6dc41b96809df81444362933043b20a1d49d5/s...
or here:
https://github.com/mysql/mysql-connector-j/blob/83c6dc41b96809df81444362933043b20a1d49d5/s...

SocketFactory.afterHandshake() isn't called until this point: https://github.com/mysql/mysql-connector-j/blob/83c6dc41b96809df81444362933043b20a1d49d5/s...

So the call to SocketFactory.afterHandshake() is after MysqlIO.negotiateSSLConnection() was called which is when the SSLSocket is created and the SSL negotiation occurs.
[10 Apr 2018 1:48] Daniel So 
Posted by developer:
 
Added the following entry to the C/J 8.0.11 changelog:

"Connector/J now supports the use of a custom SSLSocketFactory for returning a custom-constructed SSL socket at the time of connection establishment."