Bug #82124 Client certificate signed by unrecognised CA causes unhelpful error
Submitted: 6 Jul 2016 11:03
Modified: 4 Aug 2016 5:23
Reporter: Richard Bradley
Status: Verified
Category: Connector / J
Severity: S3 (Non-critical)
Version:
OS: Any
Assigned to:
CPU Architecture: Any

[6 Jul 2016 11:03] Richard Bradley
Description:
If you attempt to connect to MySQL using the JDBC connector and Java has access to a client certificate that MySQL cannot verify, then the connection will fail with the following exception:

  ! javax.net.ssl.SSLException: Unsupported record version Unknown-0.0
  ! at sun.security.ssl.InputRecord.checkRecordVersion(InputRecord.java:552) ~[na:1.8.0_91]
  ! at sun.security.ssl.InputRecord.readV3Record(InputRecord.java:565) ~[na:1.8.0_91]
  ! at sun.security.ssl.InputRecord.read(InputRecord.java:532) ~[na:1.8.0_91]
  ! at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) ~[na:1.8.0_91]
  ! at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[na:1.8.0_91]
  ! at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[na:1.8.0_91]
  ! at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) ~[na:1.8.0_91]
  ! at com.mysql.jdbc.ExportControlled.transformSocketToSSLSocket(ExportControlled.java:149) ~[user-portal-web-0.0.1.jar:0.0.1]
  ! ... 40 common frames omitted

It would be much more helpful if it failed with a descriptive message like "the server rejected your client certificate".

See also http://serverfault.com/questions/787778/mysql-jdbc-force-ignore-client-certificate-on-aws-...

How to repeat:
Create a self-signed cert with `keytool`.

Launch Java with the "-Djavax.net.ssl.keyStore" property set so that Java has access to your client certificate.

Connect to MySQL with a connection URL like:

  jdbc:mysql://my-server-id.eu-west-1.rds.amazonaws.com/my-database?verifyServerCertificate=true&useSSL=true&requireSSL=true
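
A client-side triage check for the failure described in this report, as an added example (not part of the original report and not Connector/J code): it looks for the `SSLException` from the trace and lists the key entries in the keystore named by `javax.net.ssl.keyStore`. The class and method names are hypothetical, and the exception chain in `main` is constructed.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.sql.SQLException;
import java.util.*;
import javax.net.ssl.SSLException;

public class ClientCertTriage {
    // True if the cause chain holds the SSLException quoted in this report.
    static boolean matchesReport(Throwable t) {
        for (; t != null; t = t.getCause()) {
            String m = String.valueOf(t.getMessage());
            if (t instanceof SSLException && m.contains("Unsupported record version")) return true;
        }
        return false;
    }
    // Key entries in the JVM-wide keystore, i.e. certificates the JVM can offer as a TLS client.
    static List<String> clientCerts() throws Exception {
        String path = System.getProperty("javax.net.ssl.keyStore");
        if (path == null || path.isEmpty()) return Collections.emptyList();
        String type = System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType());
        char[] pw = System.getProperty("javax.net.ssl.keyStorePassword", "").toCharArray();
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        List<String> out = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!ks.isKeyEntry(alias) || !(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            // Subject equal to issuer is the usual sign of a self-signed certificate.
            boolean self = x.getSubjectX500Principal().equals(x.getIssuerX500Principal());
            out.add(alias + ": issuer=" + x.getIssuerX500Principal().getName()
                    + (self ? " (self-signed)" : ""));
        }
        return out;
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample with the same nesting as the trace in this report.
        Throwable failure = new SQLException("Communications link failure",
                new SSLException("Unsupported record version Unknown-0.0"));
        if (!matchesReport(failure)) return;
        List<String> certs = clientCerts();
        System.out.println(certs.isEmpty()
                ? "No client key entries configured via javax.net.ssl.keyStore."
                : "Client certificates the JVM could offer; check the server trusts their issuer:");
        certs.forEach(c -> System.out.println("  " + c));
    }
}
```

Run it with the same `-Djavax.net.ssl.keyStore` and `-Djavax.net.ssl.keyStorePassword` settings as the failing application so that it inspects the same keystore.
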

[18 Jul 2016 13:01] Chiranjeevi Battula
Hello Richard Bradley,

Thank you for the bug report.
Could you please provide a repeatable test case (steps, sample code, full stack trace etc. - please mark it as private if you prefer) to confirm this issue at our end?

Thanks,
Chiranjeevi.

[19 Jul 2016 9:42] Richard Bradley
Hi Chiranjeevi,

I already put repro steps on the bug, in the "How to repeat:" section.
Is there any particular step that you have been unable to follow?
I might be able to prepare a failing test if I get some free time.

[3 Aug 2016 13:20] Chiranjeevi Battula
Hello Richard Bradley,

Thank you for your feedback.
Could you please provide us the full stack trace to confirm this issue at our end?

Thanks,
Chiranjeevi.

[3 Aug 2016 13:33] Richard Bradley
Sure, here is the full stack trace:

Exception in thread "main" java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at <<< my application's code, connecting to MySQL via JDBC >>
Caused by: com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure

The last packet successfully received from the server was 597 milliseconds ago.  The last packet sent successfully to the server was 590 milliseconds ago.
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at com.mysql.jdbc.Util.handleNewInstance(Util.java:404)
        at com.mysql.jdbc.SQLError.createCommunicationsException(SQLError.java:981)
        at com.mysql.jdbc.ExportControlled.transformSocketToSSLSocket(ExportControlled.java:164)
        at com.mysql.jdbc.MysqlIO.negotiateSSLConnection(MysqlIO.java:4801)
        at com.mysql.jdbc.MysqlIO.proceedHandshakeWithPluggableAuthentication(MysqlIO.java:1643)
        at com.mysql.jdbc.MysqlIO.doHandshake(MysqlIO.java:1215)
        at com.mysql.jdbc.ConnectionImpl.coreConnect(ConnectionImpl.java:2255)
        at com.mysql.jdbc.ConnectionImpl.connectOneTryOnly(ConnectionImpl.java:2286)
        at com.mysql.jdbc.ConnectionImpl.createNewIO(ConnectionImpl.java:2085)
        at com.mysql.jdbc.ConnectionImpl.<init>(ConnectionImpl.java:795)
        at com.mysql.jdbc.JDBC4Connection.<init>(JDBC4Connection.java:44)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at com.mysql.jdbc.Util.handleNewInstance(Util.java:404)
        at com.mysql.jdbc.ConnectionImpl.getInstance(ConnectionImpl.java:400)
        at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:327)
        at org.apache.tomcat.jdbc.pool.PooledConnection.connectUsingDriver(PooledConnection.java:307)
        at org.apache.tomcat.jdbc.pool.PooledConnection.connect(PooledConnection.java:200)
        at org.apache.tomcat.jdbc.pool.ConnectionPool.createConnection(ConnectionPool.java:708)
        at org.apache.tomcat.jdbc.pool.ConnectionPool.borrowConnection(ConnectionPool.java:642)
        at org.apache.tomcat.jdbc.pool.ConnectionPool.init(ConnectionPool.java:464)
        at org.apache.tomcat.jdbc.pool.ConnectionPool.<init>(ConnectionPool.java:141)
        at org.apache.tomcat.jdbc.pool.DataSourceProxy.pCreatePool(DataSourceProxy.java:115)
        at org.apache.tomcat.jdbc.pool.DataSourceProxy.createPool(DataSourceProxy.java:102)
        at org.apache.tomcat.jdbc.pool.DataSourceProxy.getConnection(DataSourceProxy.java:126)
        at <<< my application's code, connecting to MySQL via JDBC >>
        ... 11 more
Caused by: javax.net.ssl.SSLException: Unsupported record version Unknown-0.0
        at sun.security.ssl.InputRecord.checkRecordVersion(InputRecord.java:552)
        at sun.security.ssl.InputRecord.readV3Record(InputRecord.java:565)
        at sun.security.ssl.InputRecord.read(InputRecord.java:532)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
        at com.mysql.jdbc.ExportControlled.transformSocketToSSLSocket(ExportControlled.java:149)
        ... 40 more

[4 Aug 2016 5:23] Chiranjeevi Battula
Hello Richard Bradley,

Thank you for your feedback.
Verified based on internal discussion with devs.

Thanks,
Chiranjeevi.