Bug #65992 JDBC conn. enforces SSL on mysql_clear_password auth while C client lib doesn't
Submitted: 24 Jul 2012 8:46
Modified: 24 Jul 2012 13:36
Reporter: Hartmut Holzgraefe
Status: Won't fix
Category: Connector / J
Severity: S3 (Non-critical)
Version: mysql-connector-java-5.1.21
OS: Any
Assigned to:
CPU Architecture: Any

[24 Jul 2012 8:46] Hartmut Holzgraefe
Description:
The manual page on clear text client side authentication says:

  [...] clients should connect to MySQL Server using a method 
  that protects the password. Possibilities include SSL ([...]), 
  IPsec, or a private network. 

The Connector/J implementation of the mysql_clear_password plugin 
refuses to work unless the client connection is guaranteed to be
using SSL though, thus ruling out any of the other protection methods
that work on lower levels of the network stack (and so are transparent
to the actual connector itself).

How to repeat:
Try to use a server side authentication plugin that requires mysql_clear_password on the client side, see how it works fine with everything that builds upon the libmysqlclient C library, e.g. the mysql command line client, even without SSL, and see how Connector/J refuses non-SSL connections with

  SSL connection required for plugin 'mysql_clear_password'. 
  Check if "useSSL" is set to "true".

Suggested fix:
I understand the idea to prevent clear text password transmission when only a default connection string is given. Restricting things to SSL only seems to be too narrow though, especially if the client<->server connection has already been protected by other means (IPsec, encrypted tunnel, VPN ...).

As such mechanisms are transparent to the connector it would need to be informed about the fact that the underlying connection can be considered as confidential,
e.g. by an extra jdbc URL property, e.g. named "confidentialConnection" which defaults to false?

[24 Jul 2012 12:41] Sveta Smirnova
Thank you for the report.

Do you use one of the existing MySQL plugins or your own? Please also send configuration options for Connector/J.

As written at http://dev.mysql.com/doc/refman/5.0/en/connector-j-using-pam.html SSL capability should be enabled and I want to check if it is for PAM only or for other cases too.

[24 Jul 2012 13:36] Mark Matthews
This is as-intended. Until the protocol is changed so that just the handshake portion can be *ensured* to be cryptographically protected, the driver will not send passwords in the clear.
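
Added example, not part of the bug report and not Connector/J's own code: a client configuration that satisfies the driver's SSL requirement for mysql_clear_password, authenticates the server certificate, and then confirms from the session status that the connection really is encrypted. The host, schema, account name, truststore path and environment variable names are placeholders chosen for this example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Objects;
import java.util.Properties;

public class ClearPasswordOverSsl {
    // Placeholder URL (assumption): replace host and schema with your own.
    static final String URL = "jdbc:mysql://db.example.com:3306/appdb";

    /** Properties that turn SSL on, refuse a non-SSL fallback and verify the server certificate. */
    static Properties sslProperties(String user, String password,
                                    String trustStoreUrl, String trustStorePassword) {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", Objects.requireNonNull(password, "password not set"));
        p.setProperty("useSSL", "true");                   // the property named in the driver's error
        p.setProperty("requireSSL", "true");               // fail instead of falling back to plaintext
        p.setProperty("verifyServerCertificate", "true");  // without this an active MITM can read the password
        p.setProperty("trustCertificateKeyStoreUrl", trustStoreUrl);
        p.setProperty("trustCertificateKeyStorePassword",
                Objects.requireNonNull(trustStorePassword, "truststore password not set"));
        return p;
    }

    /** Returns the negotiated cipher, or throws if the server reports an unencrypted session. */
    static String requireEncryptedSession(Connection c) throws SQLException {
        try (Statement s = c.createStatement();
             ResultSet rs = s.executeQuery("SHOW SESSION STATUS LIKE 'Ssl_cipher'")) {
            String cipher = rs.next() ? rs.getString(2) : null;
            if (cipher == null || cipher.isEmpty()) {
                throw new SQLException("session is not using SSL");
            }
            return cipher;
        }
    }

    public static void main(String[] args) throws SQLException {
        // "pam_user" stands for an account whose server-side plugin asks for mysql_clear_password.
        Properties p = sslProperties("pam_user", System.getenv("DB_PASSWORD"),
                "file:/path/to/truststore.jks", System.getenv("TRUSTSTORE_PASSWORD"));
        try (Connection c = DriverManager.getConnection(URL, p)) {
            System.out.println("Ssl_cipher = " + requireEncryptedSession(c));
        }
    }
}
```

The Ssl_cipher query runs after authentication, so it is a post-connection audit check; the password itself is protected by the SSL properties set before the handshake.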