MySQL Bugs: #82124: Client certificate signed by unrecognised CA causes unhelpful error

Bug #82124	Client certificate signed by unrecognised CA causes unhelpful error
Submitted:	6 Jul 2016 11:03	Modified:	18 Jul 9:52
Reporter:	Richard Bradley	Email Updates:
Status:	Not a Bug	Impact on me:	None
Category:	Connector / J	Severity:	S3 (Non-critical)
Version:		OS:	Any
Assigned to:		CPU Architecture:	Any

Description:
If you attempt to connect to MySQL using the JDBC connector and Java has access to a client certificate that MySQL cannot verify, then the connection will fail with the following exception:

  ! javax.net.ssl.SSLException: Unsupported record version Unknown-0.0
  ! at sun.security.ssl.InputRecord.checkRecordVersion(InputRecord.java:552) ~[na:1.8.0_91]
  ! at sun.security.ssl.InputRecord.readV3Record(InputRecord.java:565) ~[na:1.8.0_91]
  ! at sun.security.ssl.InputRecord.read(InputRecord.java:532) ~[na:1.8.0_91]
  ! at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) ~[na:1.8.0_91]
  ! at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[na:1.8.0_91]
  ! at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[na:1.8.0_91]
  ! at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) ~[na:1.8.0_91]
  ! at com.mysql.jdbc.ExportControlled.transformSocketToSSLSocket(ExportControlled.java:149) ~[user-portal-web-0.0.1.jar:0.0.1]
  ! ... 40 common frames omitted

It would be much more helpful if it failed with a descriptive message like "the server rejected your client certificate".

See also http://serverfault.com/questions/787778/mysql-jdbc-force-ignore-client-certificate-on-aws-...

How to repeat:
Create a self-signed cert with `keytool`.

Launch Java with the "-Djavax.net.ssl.keyStore" property set so that Java has access to your client certificate.

Connect to MySQL with a connection URL like:

  jdbc:mysql://my-server-id.eu-west-1.rds.amazonaws.com/my-database?verifyServerCertificate=true&useSSL=true&requireSSL=true

Hello Richard Bradley,

Thank you for the bug report.
Could you please provide repeatable test case (steps, sample code, full stack trace etc. - please make it as private if you prefer) to confirm this issue at our end?

Thanks,
Chiranjeevi.

Hi Chiranjeevi,

I already put repro steps on the bug, in the "How to repeat:" section.
Is there any particular step that you have been unable to follow?
I might be able to prepare a failing test if I get some free time.

Hello Richard Bradley,

Thank you for your feedback.
Could you please provide us full stack trace  to confirm this issue at our end?

Thanks,
Chiranjeevi.

Sure, here is the full stack trace:

Exception in thread "main" java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at <<< my application's code, connecting to MySQL via JDBC >>
Caused by: com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure

The last packet successfully received from the server was 597 milliseconds ago.  The last packet sent successfully to the server was 590 milliseconds ago.
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at com.mysql.jdbc.Util.handleNewInstance(Util.java:404)
        at com.mysql.jdbc.SQLError.createCommunicationsException(SQLError.java:981)
        at com.mysql.jdbc.ExportControlled.transformSocketToSSLSocket(ExportControlled.java:164)
        at com.mysql.jdbc.MysqlIO.negotiateSSLConnection(MysqlIO.java:4801)
        at com.mysql.jdbc.MysqlIO.proceedHandshakeWithPluggableAuthentication(MysqlIO.java:1643)
        at com.mysql.jdbc.MysqlIO.doHandshake(MysqlIO.java:1215)
        at com.mysql.jdbc.ConnectionImpl.coreConnect(ConnectionImpl.java:2255)
        at com.mysql.jdbc.ConnectionImpl.connectOneTryOnly(ConnectionImpl.java:2286)
        at com.mysql.jdbc.ConnectionImpl.createNewIO(ConnectionImpl.java:2085)
        at com.mysql.jdbc.ConnectionImpl.<init>(ConnectionImpl.java:795)
        at com.mysql.jdbc.JDBC4Connection.<init>(JDBC4Connection.java:44)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at com.mysql.jdbc.Util.handleNewInstance(Util.java:404)
        at com.mysql.jdbc.ConnectionImpl.getInstance(ConnectionImpl.java:400)
        at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:327)
        at org.apache.tomcat.jdbc.pool.PooledConnection.connectUsingDriver(PooledConnection.java:307)
        at org.apache.tomcat.jdbc.pool.PooledConnection.connect(PooledConnection.java:200)
        at org.apache.tomcat.jdbc.pool.ConnectionPool.createConnection(ConnectionPool.java:708)
        at org.apache.tomcat.jdbc.pool.ConnectionPool.borrowConnection(ConnectionPool.java:642)
        at org.apache.tomcat.jdbc.pool.ConnectionPool.init(ConnectionPool.java:464)
        at org.apache.tomcat.jdbc.pool.ConnectionPool.<init>(ConnectionPool.java:141)
        at org.apache.tomcat.jdbc.pool.DataSourceProxy.pCreatePool(DataSourceProxy.java:115)
        at org.apache.tomcat.jdbc.pool.DataSourceProxy.createPool(DataSourceProxy.java:102)
        at org.apache.tomcat.jdbc.pool.DataSourceProxy.getConnection(DataSourceProxy.java:126)
        at <<< my application's code, connecting to MySQL via JDBC >>
        ... 11 more
Caused by: javax.net.ssl.SSLException: Unsupported record version Unknown-0.0
        at sun.security.ssl.InputRecord.checkRecordVersion(InputRecord.java:552)
        at sun.security.ssl.InputRecord.readV3Record(InputRecord.java:565)
        at sun.security.ssl.InputRecord.read(InputRecord.java:532)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
        at com.mysql.jdbc.ExportControlled.transformSocketToSSLSocket(ExportControlled.java:149)
        ... 40 more

Hello Richard Bradley,

Thank you for your feedback.
Verified based on internal discussion with dev's.

Thanks,
Chiranjeevi.

Posted by developer:
 
This is certainly unfortunate, but at this level, we can't determine the exact reason why the connection fails. The best we can do is to report the actual stack trace, which we already do. To gather more information, you should enable SSL debug logging in Java using `-Djavax.net.debug=ssl` or by setting the system property `System.setProperty("javax.net.debug", "ssl");`.