Bug #80198 Incorrect SSL warning
Submitted: 29 Jan 2016 11:17
Modified: 24 Jan 2022 7:47
Reporter: Björn Voigt (OCA)
Status: Can't repeat
Category: Connector / J
Severity: S3 (Non-critical)
Version: 5.1.38
OS: Any
Assigned to:
CPU Architecture: Any

[29 Jan 2016 11:17] Björn Voigt
Description:
If I connect with Connector/J to a MySQL 5.7.6+ server without SSL configuration I get the following warning:

"Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification."

But the comment is incorrect. The requirement is only checked for MySQL 5.7.6+, but not for 5.5.45+ and 5.6.26+. See mysql-connector-java-5.1.38/src/com/mysql/jdbc/MysqlIO.java:

        // Changing SSL defaults for 5.7+ server: useSSL=true, requireSSL=false, verifyServerCertificate=false
        if (versionMeetsMinimum(5, 7, 0) && !this.connection.getUseSSL() && !this.connection.isUseSSLExplicit()) {
            this.connection.setUseSSL(true);
            this.connection.setVerifyServerCertificate(false);
            this.connection.getLog().logWarn(Messages.getString("MysqlIO.SSLWarning"));
        }

How to repeat:
1) Install MySQL 5.7.6+ and 5.5.45+ or 5.6.26+
2) Do not configure SSL
3) Establish a Connector/J 5.1.38 connection with default parameters

Only MySQL 5.7.6+ produces the warning "Establishing SSL connection without server's ..." (see description).

Suggested fix:
Change the comment "MysqlIO.SSLWarning" or the Connector/J code.
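
Added example (not Connector/J code and not part of the original report): a small audit helper that models the gate quoted from MysqlIO.java above and reports, for a Connector/J 5.1 JDBC URL and a server version, whether the connection ends up plaintext, encrypted without server verification, or encrypted with verification. The class and method names are hypothetical; it assumes the server offers SSL and that verifyServerCertificate defaults to true once useSSL=true is set explicitly.

```java
import java.util.*;
public class SslPostureCheck {
    enum Posture { PLAINTEXT, ENCRYPTED_UNVERIFIED, ENCRYPTED_VERIFIED }

    // Same comparison as versionMeetsMinimum(major, minor, sub) in the quoted snippet.
    static boolean meetsMinimum(String version, int major, int minor, int sub) {
        String[] p = version.split("[.-]");
        int[] v = { Integer.parseInt(p[0]), Integer.parseInt(p[1]), Integer.parseInt(p[2]) };
        if (v[0] != major) return v[0] > major;
        if (v[1] != minor) return v[1] > minor;
        return v[2] >= sub;
    }

    // Splits the query part of a JDBC URL into connection properties.
    static Map<String, String> properties(String jdbcUrl) {
        Map<String, String> out = new HashMap<>();
        int q = jdbcUrl.indexOf('?');
        if (q < 0) return out;
        for (String kv : jdbcUrl.substring(q + 1).split("&")) {
            String[] pair = kv.split("=", 2);
            out.put(pair[0], pair.length > 1 ? pair[1] : "");
        }
        return out;
    }

    static Posture posture(String jdbcUrl, String serverVersion) {
        Map<String, String> p = properties(jdbcUrl);
        boolean explicit = p.containsKey("useSSL");
        // The quoted branch: useSSL not set and server 5.7+ -> SSL on, verification off, warning logged.
        if (!explicit && meetsMinimum(serverVersion, 5, 7, 0)) return Posture.ENCRYPTED_UNVERIFIED;
        if (!Boolean.parseBoolean(p.getOrDefault("useSSL", "false"))) return Posture.PLAINTEXT;
        // Assumption: verifyServerCertificate defaults to true once useSSL=true is explicit.
        boolean verify = Boolean.parseBoolean(p.getOrDefault("verifyServerCertificate", "true"));
        return verify ? Posture.ENCRYPTED_VERIFIED : Posture.ENCRYPTED_UNVERIFIED;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one server version from each series named in the warning.
        String[] versions = { "5.5.45", "5.6.26", "5.7.10" };
        String[] urls = {
            "jdbc:mysql://localhost/springdb",
            "jdbc:mysql://localhost/springdb?autoReconnect=true&useSSL=false",
            "jdbc:mysql://localhost/springdb?useSSL=true&verifyServerCertificate=true"
        };
        for (String url : urls)
            for (String v : versions)
                System.out.println(v + "  " + posture(url, v) + "  " + url);
    }
}
```

ENCRYPTED_VERIFIED additionally requires a truststore containing the server's certificate chain, as the warning text states; without one the verified connection attempt fails rather than downgrading.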
[4 Feb 2016 9:28] Chiranjeevi Battula
Hello Björn Voigt,

Thank you for the bug report and test case.
Verified this behavior on MySQL Server 5.7.10 with Connector / J 5.1.38 version.

Thanks,
Chiranjeevi.
[4 Feb 2016 9:29] Chiranjeevi Battula
Message:

Thu Feb 04 14:49:25 IST 2016 WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.
[15 Feb 2018 14:13] Rohit Basu
It suppresses the warning, but at the same time it is closing the connection

spring.datasource.url=jdbc:mysql://localhost/springdb?autoReconnect=true&useSSL=false

I get this:
2018-02-15 19:41:47.262  INFO 14044 --- [           main] edu.aspire.test.SpringJdbcTest           : Started SpringJdbcTest in 1.976 seconds (JVM running for 3.252)
Read customer details ........ 
2018-02-15 19:41:48.032  INFO 14044 --- [           main] o.s.b.f.xml.XmlBeanDefinitionReader      : Loading XML bean definitions from class path resource [org/springframework/jdbc/support/sql-error-codes.xml]
2018-02-15 19:41:48.541  INFO 14044 --- [           main] o.s.jdbc.support.SQLErrorCodesFactory    : SQLErrorCodes loaded: [DB2, Derby, H2, HSQL, Informix, MS-SQL, MySQL, Oracle, PostgreSQL, Sybase, Hana]
2018-02-15 19:41:48.569  INFO 14044 --- [       Thread-3] s.c.a.AnnotationConfigApplicationContext : Closing org.springframework.context.annotation.AnnotationConfigApplicationContext@292b08d6: startup date [Thu Feb 15 19:41:45 IST 2018]; root of context hierarchy

My code is: 

@Autowired
ApplicationContext context;

@Test
public void testSpringJdbc() {
    EmployeeDao empdao = (EmployeeDao) context.getBean("empdao");
    System.out.println("Read customer details ........ ");
    Employee e = new Employee();
    e.setEno(1);
    e.setEname("Rohit");
    e.setDesig("Developer");
    e.setSal(1000.0);
    empdao.save(e);
    System.out.println("Record inserted successfully...");

    System.out.println("Read customer details");
    Employee emp = empdao.get(1);
    System.out.println(emp.getEno() + "\t" + emp.getEname() + "\t" + emp.getDesig() + "\t" + emp.getSal());
}
[24 Jan 2022 7:47] Alexander Soklakov
Posted by developer:
 
This bug is not reproducible with the latest Connector/J 8.0.

Connector/J 5.1 series came to EOL on Feb 9th, 2021, see https://www.mysql.com/support/eol-notice.html, so this bug will not be fixed there.