Bug #512 JDBC SSL and JSSE 1.0.3_02 on Java Runtime 1.2/1.3 fails.
Submitted: 26 May 2003 16:11 Modified: 7 Aug 2003 15:15
Reporter: [ name withheld ] Email Updates:
Status: Closed Impact on me:
Category:Connector / J Severity:S1 (Critical)
Version:3.0.7 and later OS:All Java compliant
Assigned to: Mark Matthews CPU Architecture:Any

[26 May 2003 16:11] [ name withheld ]
The current release of JConnector will not function with the optional JSSE 1.0.3_02 when a SSL connection is required from Java 1.2/3.

MySqlIO.java contains the following Java 1.4 only method:

The JSSE 1.0.3_02 functionality should be as follows:

SSLContext c = SSLContext.getInstance("TLSv1");
SSLSocketFactory f = c.getSSLSocketFactory();

However this will also fail due to a (posted today) bug in the JSSE 1.0.3_02 implementation. The above SSLSocketFactory is not implementing a strict TLSv1/SSLv3.1 handshake as requested (it sends a SSLv2 header), and the connection will break.

How to repeat:
Set useSSL=true in the JDBC connect url and attempt a connection when JSSE 1.0.3_02 is being used from a 1.2 or 1.3 Java Runtime. Debugging SSL (As specified in the JConnector Readme) reveals an SSLv2 handshake and the subsequent failure.

Suggested fix:
There is currently no fix for this situation. The JConnector documentation should clearly state that it will currently not function with SSL under the above circumstances. SSL will ONLY function when using a Java 1.4x runtime.

MySql is correctly implementing a strict TLSv1 handshake. It should be possible to modify the MySql handshake to allow the SSLv2 header to be sent, which is allowable for backwards compatibility but is not recommended.

RFC 2246 Backward Compatibility With SSL.

Due to the large number of Java 1.2/1.3 clients that could benefit from a SSL connection to MySql maybe this could be implemented as an option to MySql?
[7 Aug 2003 15:15] Mark Matthews
The documentation has been updated. Because of the issues involved, we will not be changing the SSL handshake in the server unless there is overwhelming evidence in the community that it is something we need to do.

Thank you for your very detailed bug report!