Bug #6773 JDBC Driver Support for User Defined Certificate KeyStores
Submitted: 23 Nov 2004 15:52 Modified: 2 Dec 2008 16:11
Reporter: Benjamin Armintor Email Updates:
Status: Closed Impact on me: None
Category:Connector / J Severity:S4 (Feature request)
Version:3.0.16 OS:Any (all)
Assigned to: CPU Architecture:Any

[23 Nov 2004 15:52] Benjamin Armintor
Description:
The MySQL JDBC driver uses the JVM default key store to establish and verify SSL database connections.  This causes administrative problems in web application containers, or other scenarios in which several applications will use the same JVM base, as follows:
1) Application developers must release private key passwords to server administrators to load TLS client certs
2) It effects a namespace collision if applications must use different client certs
3) It creates an unnecessary coupling among the applications running in a JVM

How to repeat:
Attempt to use a bundled key store to establish an SSL connection instead of the default key store.

Suggested fix:
The addition of the following optional DriverProperties: clientCertificateKeyStoreType, clientCertificateKeyStoreUrl, clientCertificateKeyStorePassword, trustCertificateKeyStoreType, trustCertificateKeyStoreUrl, trustCertificateKeyStorePassword.  This would enable a user override of the first key store checked when establishing SSL database connections.  Use of a URL for the key stores would further allow web applications to use the ServletContext.getResource functionality in the J2EE spec.  The changes should be isolated to the NonRegisteringDriver, Connection, and MySQLIO classes in the com.mysql.jdbc package.  Patch attached.
[23 Nov 2004 15:53] Benjamin Armintor
proposed patch

Attachment: NonRegisteringDriver.java (application/octet-stream, text), 28.24 KiB.

[23 Nov 2004 15:54] Benjamin Armintor
proposed patch

Attachment: Connection.java (application/octet-stream, text), 148.60 KiB.

[23 Nov 2004 15:54] Benjamin Armintor
proposed patch

Attachment: MysqlIO.java (application/octet-stream, text), 98.87 KiB.

[9 Mar 2006 20:19] Ralf Hauser
see also Bug #17320
[2 Dec 2008 16:11] Tonci Grgin
Hi Benjamin. I believe this is fixed in c/J 5.1, see related Bug#36948:
    System.setProperty("javax.net.ssl.keyStore","c://jvms//jdk1.5.0//bin//bug36948");
    System.setProperty("javax.net.ssl.keyStorePassword","*****");
    System.setProperty("javax.net.ssl.trustStore","c://jvms//jdk1.5.0//bin//bug36948");
    System.setProperty("javax.net.ssl.trustStorePassword","******");
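The two ways of pointing the driver at a key store that this thread discusses, side by side, as an added example that is neither the reporter's attached patch nor Connector/J's own code: the `javax.net.ssl.*` system properties in the last comment apply to the whole JVM (the coupling the report complains about), while the per-connection properties named in the suggested fix (`clientCertificateKeyStoreType/Url/Password`, `trustCertificateKeyStoreType/Url/Password`) keep each application's stores private to its own connections. The `useSSL`, `requireSSL` and `verifyServerCertificate` property names are not on this page and are assumed from the Connector/J 5.1 documentation; the JDBC URL, user name and password are placeholders, and the empty key store written to a temp file is constructed so the pre-flight check can run without a database.

```java
import java.io.FileOutputStream;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Enumeration;
import java.util.Properties;

public class PerAppKeyStoreDemo {

    // Per-connection TLS settings using the property names from the suggested fix.
    // Nothing here touches javax.net.ssl.* system properties, so other applications
    // sharing the JVM keep their own stores and never see this one's password.
    static Properties sslProperties(String user, String password,
                                    URL clientKeyStore, char[] clientKeyStorePassword,
                                    URL trustStore, char[] trustStorePassword) {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", password);
        p.setProperty("useSSL", "true");                 // assumed Connector/J property
        p.setProperty("requireSSL", "true");             // assumed Connector/J property
        p.setProperty("verifyServerCertificate", "true"); // assumed Connector/J property
        p.setProperty("clientCertificateKeyStoreType", "JKS");
        p.setProperty("clientCertificateKeyStoreUrl", clientKeyStore.toExternalForm());
        p.setProperty("clientCertificateKeyStorePassword", new String(clientKeyStorePassword));
        p.setProperty("trustCertificateKeyStoreType", "JKS");
        p.setProperty("trustCertificateKeyStoreUrl", trustStore.toExternalForm());
        p.setProperty("trustCertificateKeyStorePassword", new String(trustStorePassword));
        return p;
    }

    // Pre-flight check: open the store with the supplied password and count the entries
    // the driver will actually need (private keys for the client store, certificates for
    // the trust store). Failing here gives a clear message instead of an opaque SSL
    // handshake error later in DriverManager.getConnection().
    static int countEntries(URL storeUrl, String type, char[] storePassword, boolean wantKeys)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = storeUrl.openStream()) {
            ks.load(in, storePassword); // throws IOException on a wrong password or bad format
        }
        int n = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (wantKeys ? ks.isKeyEntry(alias) : ks.isCertificateEntry(alias)) {
                n++;
            }
        }
        return n;
    }

    // The actual connection; only called once the stores have passed the check above.
    static Connection connect(String jdbcUrl, Properties props) throws SQLException {
        return DriverManager.getConnection(jdbcUrl, props);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an empty JKS store on disk, so the check runs offline.
        Path storeFile = Files.createTempFile("empty-client", ".jks");
        char[] pw = "changeit".toCharArray();
        KeyStore empty = KeyStore.getInstance("JKS");
        empty.load(null, null);
        try (FileOutputStream out = new FileOutputStream(storeFile.toFile())) {
            empty.store(out, pw);
        }
        URL storeUrl = storeFile.toUri().toURL();

        int keys = countEntries(storeUrl, "JKS", pw, true);
        System.out.println("private-key entries in client store: " + keys);
        if (keys == 0) {
            System.out.println("client store has no private key; TLS client auth would fail");
        }

        Properties props = sslProperties("app_user", "app_password", storeUrl, pw, storeUrl, pw);
        // Print only the store-related keys; never log the password values.
        props.stringPropertyNames().stream()
             .filter(k -> k.endsWith("KeyStoreUrl") || k.endsWith("KeyStoreType"))
             .sorted()
             .forEach(k -> System.out.println(k + " = " + props.getProperty(k)));
        // In a real deployment: connect("jdbc:mysql://db.example.invalid:3306/appdb", props);
        Files.delete(storeFile);
    }
}
```

In a servlet container the `URL` arguments would come from `ServletContext.getResource(...)`, as the report suggests, so each web application can ship its own stores inside its archive. The check deliberately opens the store with the same password the driver will use: a wrong password or a store with no private-key entry is the most common reason these connections fail, and surfacing it before the handshake avoids guessing at the driver's generic SSL exception.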