Description:
The documentation at
https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using-ssl.html
seems to describe only the case of two-way SSL authentication using self-signed client and server certificates. This is misleading for someone who wants to do SSL authentication like a web browser would: one-way SSL authentication without a client certificate and with a server certificate that has been signed by a trusted CA and where hostname verification is performed on the certificate presented by the server to protect against a man-in-the-middle attack.
Filipe Silva suggested filing this documentation bug in the forum post at
https://forums.mysql.com/read.php?39,657705,657888#msg-657888
How to repeat:
n/a
Suggested fix:
It would be good to describe how to do the following:
1. One-way SSL authentication without a client certificate and using a server certificate that has been signed by a trusted CA where the trusted CA root is already in the default Java TrustStore of the JDK/JRE and where Connector/J performs hostname verification on the certificate presented by the server to protect against a man-in-the-middle attack. This is the typical SSL connection method used by a web browser when connecting to an HTTPS server. It would be really nice if there was no need to supply *any* Java TrustStore files for this case!
2. One-way SSL authentication without a client certificate and using a self-signed server certificate. If the server certificate will not be included in the client TrustStore (e.g., just the self-signed intermediates (if any) and the self-signed root are included), then it should also describe that hostname verification on the certificate presented by the server is enabled by default (I hope) and how to disable hostname verification (assuming the default is enabled).
3. Two-way SSL authentication with client and server certificates that have both been signed by a trusted CA where the trusted CA root is already in the default Java TrustStore and where Connector/J performs hostname verification on the certificate presented by the server.
4. Two-way SSL authentication with a self-signed client certificate and a server certificate that has been signed by a trusted CA where the trusted CA root is already in the default Java TrustStore and where Connector/J performs hostname verification on the certificate presented by the server.
5. Two-way SSL authentication with client and server certificates that have both been self-signed. I think this is the closest to what the documentation currently describes. If the server certificate will not be included in the client TrustStore (e.g., just the self-signed intermediates (if any) and the self-signed root are included), then it should also describe that hostname verification on the certificate presented by the server is enabled by default (I hope) and how to disable hostname verification (assuming the default is enabled).