Description:
The JDBC connector defaults to sslMode 'PREFERRED' which corresponds to {"useSSL=true", "requireSSL=false", "verifyServerCertificate=false"} per https://dev.mysql.com/doc/connector-j/en/connector-j-connp-props-security.html.
However, verifyServerCertificate=false does not fully ignore the content of the server certificate -- instead it first checks the expiration status, *then* skips the rest of the validity checks based on the value of verifyServerCertificate.
This can create unexpected behavior whereby the user expects the client to not care about the content of the server SSL certificate, but in fact one attribute is still tested.
How to repeat:
Using default configuration, connect to a MySQL database that has an expired SSL certificate.
Suggested fix:
Migrate the expiration check, such as at https://github.com/mysql/mysql-connector-j/blob/e0e8e3461e5257ba4aa19e6b3614a2685b298947/s..., into the block gated by the value of validateServerCert.
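The ordering described in this report, as an added sketch that is not Connector/J source code and not part of the original report: a trust manager that tests the validity period before consulting the gate, next to the suggested ordering with the expiry test inside the gated block. The class name ExpiryGateDemo, the ChainValidator stand-in and the expiryInsideGate switch are hypothetical; the certificate is read from a file you supply for testing.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;

// Hypothetical sketch, not Connector/J source: the two orderings the report contrasts.
public class ExpiryGateDemo {
    /** Stand-in for the full chain/trust-anchor validation a real client would run. */
    interface ChainValidator { void validate(X509Certificate[] chain) throws CertificateException; }

    static X509TrustManager trustManager(boolean validateServerCert, boolean expiryInsideGate, ChainValidator v) {
        return new X509TrustManager() {
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                if (!expiryInsideGate) {
                    // Reported ordering: the validity period is tested before the gate is consulted.
                    for (X509Certificate c : chain) c.checkValidity();
                }
                if (validateServerCert) {
                    if (expiryInsideGate) {
                        // Suggested ordering: expiry is one more check behind the same gate.
                        for (X509Certificate c : chain) c.checkValidity();
                    }
                    v.validate(chain);
                }
            }
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
    }

    static String outcome(X509TrustManager tm, X509Certificate[] chain) {
        try { tm.checkServerTrusted(chain, "RSA"); return "accepted"; }
        catch (CertificateException e) { return "rejected: " + e.getClass().getSimpleName(); }
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to a PEM or DER certificate generated for testing (for example an expired one).
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        X509Certificate[] chain = { cert };
        ChainValidator noop = c -> {}; // placeholder; only reached when validateServerCert is true
        System.out.println("reported : " + outcome(trustManager(false, false, noop), chain));
        System.out.println("suggested: " + outcome(trustManager(false, true, noop), chain));
    }
}
```

Both trust managers are built with validateServerCert set to false, so any difference between the two printed outcomes comes only from where the checkValidity() call sits relative to the gate.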