Bug #90956 How to enforce host name verification while verifying server certificate for SSL
Submitted: 22 May 2018 3:46
Modified: 19 Jan 2022 13:41
Reporter: kriti suwalka
Status: Won't fix
Category: Connector / J
Severity: S4 (Feature request)
Version: 5.1.44
OS: Windows
Assigned to:
CPU Architecture: x86

[22 May 2018 3:46] kriti suwalka
Description:
We have the ODBC connection property SSLMODE, which can be set to VERIFY_IDENTITY to enforce host name identity verification, but we couldn't find any corresponding JDBC property which does the same. Setting the combination below will enforce server certificate validation but not host name identity:
useSSL=true && requireSSL=true && verifyServerCertificate=true

We would like to know how host name identity verification can be enforced for the JDBC driver when using SSL.

The documentation below doesn't have enough information:
https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-propertie...

How to repeat:
jdbcConnectionURL = "jdbc:mysql://<hostName>:3306/<DbName>?useSSL=true&requireSSL=true&verifyServerCertificate=true&trustCertificateKeyStoreUrl=file:C:\\SSL\\mysql_new\\truststore&trustCertificateKeyStorePassword=JKSTrustStorePassword&clientCertificateKeyStoreUrl=file:C:\\SSL\\mysql_new\\keystore&clientCertificateKeyStorePassword=PKCSKeyStorePassword&enabledSSLCipherSuites=TLS_RSA_WITH_AES_128_CBC_SHA256";
[29 May 2018 23:02] Filipe Silva
Hi Kriti,

Thanks for taking the time to report this issue.

Sadly this feature isn't available in Connector/J for JDBC connections.

I understand this is a serious issue for you, but at most, what we can do is to take it as a feature request and then we'll try to fit it into our plans, if possible.

So, instead of me closing the bug as "won't fix", I would suggest that you change its severity to "S4 (feature request)". Would that work for you?
[25 Jun 2018 4:23] kriti suwalka
Sure. Could you let me know which version you are planning to have the fix in?
[26 Jun 2018 14:02] Filipe Silva
I can't give you any prediction, sorry.

I can't even promise that this will ever be implemented in Connector/J 5.1. There's a much higher probability for this to become available in Connector/J 8.0. So, I would start recommending an upgrade to the Connector/J 8.0 series.

Changing severity to S4.

Thanks,
[19 Jan 2022 13:41] Alexander Soklakov
Posted by developer:
 
The sslMode=VERIFY_IDENTITY is available in Connector/J 8.0 since 8.0.13.

Connector/J 5.1 series came to EOL on Feb 9th, 2021, see https://www.mysql.com/support/eol-notice.html, so this feature will not be implemented there.
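
As an added example (not code from this bug report or from Connector/J itself), the Java class below is a pre-connection check for applications on Connector/J 8.0.13 or later: it accepts a JDBC URL only when the URL sets sslMode=VERIFY_IDENTITY, so a URL carrying only the 5.1-style flags from the report is rejected. The class and method names, host, schema and truststore path are assumptions, and the check inspects only the URL query string, not properties passed separately.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.HashMap;
import java.util.Map;

public class SslModeGuard {
    // Collect the key=value pairs that follow '?' in a JDBC URL.
    static Map<String, String> queryParams(String jdbcUrl) {
        Map<String, String> params = new HashMap<>();
        int q = jdbcUrl.indexOf('?');
        if (q < 0) return params;
        for (String pair : jdbcUrl.substring(q + 1).split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0) params.put(pair.substring(0, eq), pair.substring(eq + 1));
        }
        return params;
    }

    // True only when the URL asks for sslMode=VERIFY_IDENTITY. The 5.1-style flags
    // (useSSL, requireSSL, verifyServerCertificate) never satisfy this check: as the
    // report notes, they validate the certificate but not the host name.
    static boolean enforcesHostIdentity(String jdbcUrl) {
        return "VERIFY_IDENTITY".equalsIgnoreCase(queryParams(jdbcUrl).get("sslMode"));
    }

    // Refuse to open a connection whose URL does not request host name verification.
    static Connection connect(String jdbcUrl, String user, String password) throws SQLException {
        if (!enforcesHostIdentity(jdbcUrl)) {
            throw new SQLException("refusing to connect: sslMode=VERIFY_IDENTITY not set");
        }
        return DriverManager.getConnection(jdbcUrl, user, password);
    }

    public static void main(String[] args) {
        // Constructed URLs; host, schema, truststore path and password are placeholders.
        String legacy = "jdbc:mysql://db.example.com:3306/appdb"
                + "?useSSL=true&requireSSL=true&verifyServerCertificate=true";
        String strict = "jdbc:mysql://db.example.com:3306/appdb"
                + "?sslMode=VERIFY_IDENTITY"
                + "&trustCertificateKeyStoreUrl=file:/path/to/truststore"
                + "&trustCertificateKeyStorePassword=<truststorePassword>";
        System.out.println("legacy enforces host identity: " + enforcesHostIdentity(legacy));
        System.out.println("strict enforces host identity: " + enforcesHostIdentity(strict));
    }
}
```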