Bug #91969 | client certificate is being validated even if client authentication is disabled | |
---|---|---|---
Submitted: | 10 Aug 2018 16:20 | Modified: | 19 Jun 2021 0:32
Reporter: | kriti suwalka | Email Updates: |
Status: | No Feedback | Impact on me: |
Category: | MySQL Server: Security: Encryption | Severity: | S4 (Feature request)
Version: | 5.7.17 | OS: | Any
Assigned to: | | CPU Architecture: | Any
Tags: | Client Cert, MySQL, SSL | |
[10 Aug 2018 16:20]
kriti suwalka
[14 Aug 2018 6:42]
Alexander Soklakov
Hi Kriti, The problem can be on the client side. When you provide a client certificate via keyStore you also need to provide its CA via trustStore, because the JVM also tries to validate it. So, did you put this CA into your app-truststore.jks?
[14 Aug 2018 6:45]
Alexander Soklakov
Please check https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-reference-using-ssl.html describing truststore and keystore preparation.
[14 Aug 2018 7:04]
Alexander Soklakov
OTOH it could really happen on the server side. Please clarify what "client authentication is not enabled on server side" means, and what the server SSL configuration is.
[20 Aug 2018 16:31]
kriti suwalka
I have not created a user using "Require x509", so as per the article below, https://dev.mysql.com/doc/refman/8.0/en/create-user.html#create-user-tls, client authentication is not enabled, meaning the client certificate won't be authenticated. My question is: if the DB user is not created using "Require x509", why is the server trying to validate the client certificate? Ideally it should skip it.
[23 Aug 2018 15:12]
MySQL Verification Team
Hi, In order to diagnose the problem, we need the server's full configuration, including the full SSL configuration.
[24 Aug 2018 3:59]
kriti suwalka
Could you be more specific about which details you need from the server configuration?
[24 Aug 2018 12:09]
MySQL Verification Team
Hi, First of all, see if the problem persists with 5.7.22, as many bugs have been fixed in the interim. Second, please upload your server's my.cnf to this bug report using the "Files" tab. That way your configuration will be viewable only by Oracle employees.
[28 Aug 2018 4:51]
kriti suwalka
Hi, We currently don't have any SSL-enabled instance with version 5.7.22. I am attaching the my.cnf file as requested for the current server we faced the issue with. Meanwhile we will try to set up a 5.7.22 server with SSL.
[28 Aug 2018 12:30]
MySQL Verification Team
Hi, Please try 5.7.22 and also reply to all the other questions asked on this page by our Alexander Soklakov. Thanks in advance.
[29 Aug 2018 11:51]
MySQL Verification Team
Hi, We managed to reproduce your test case even with the latest 5.7 release of our server and client. That is, a client cert not signed by the server's CA does not work. Note that the opposite direction (server's cert not signed by the client CA) works just fine. We think that the server always verifies the certificates provided by users, and there's no way to tell it not to (as we have on the client via --ssl-mode). Note that this is a safe assumption to make too. Based on this evidence, we concluded that this report is a feature request. Verified as a feature request.
[19 May 2021 0:32]
Filipe Silva
As explained before, as long as there is a client key/certificate configured in Java system-wide or through the Connector/J `clientCertificateKeyStoreUrl` option, the client certificate is sent automatically while negotiating the secure socket with the server. The server, for its part, must be able to validate such a certificate. The client certificate validation you are talking about happens in a later phase, when the secure socket is already established, so not enabling it has no effect on this process. Currently there is a solution for this, but it won't be implemented in Connector/J 5.1 since it is EOL now. Connector/J 8.0.22 introduced two new connection options that should do what you are requesting: `fallbackToSystemTrustStore` and `fallbackToSystemKeyStore`. Namely, setting `fallbackToSystemKeyStore=false` should do what you need. See details in https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html. Please give it a try and let us know if it works for you.
[19 Jun 2021 1:00]
Bugs System
No feedback was provided for this bug for over a month, so it is being suspended automatically. If you are able to provide the information that was originally requested, please do so and change the status of the bug back to "Open".