Description:
Unlike the current openssl 1.0.2+ based libmysqlclient, mysql connector/j 8.0.13 with sslMode=VERIFY_IDENTITY does not support wildcard or SAN certificates.   This results in an error in an environment with wildcard certificates when enabling the verify_identity option:

Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Server certificate identity check failed. The certificate Common Name '*.foo.internal' does not match with 'fqdn.foo.internal'.

By code inspection, it seems only an equality check against the common name is done and even subject alternative names are ignored presently:

https://github.com/mysql/mysql-connector-j/blob/66459e9d39c8fd09767992bc592acd2053279be6/s...

This is a feature request to improve support for subject name matching when using sslMode=VERIFY_IDENTITY in mysql connector/j 8.0.13+.

How to repeat:
Attempt a connection to a MySQL server configured for TLS with a wildcard subject name.   Watch the connection attempt fail with a java.security.cert.CertificateException due to the wildcard name not matching the common name.

Hello Andrew,

Thank you for the report.
Verifying as a feature request after discussing internally with Alex.

regards,
Umesh

https://github.com/mysql/mysql-connector-j/pull/49

Related:
Bug #93301 
Bug #68052

Bug #99767 has the contribution

Posted by developer:
 
Added the following entry to the Connector/J 8.0.22 changelogs: 

"Connector/J now supports server identity verification with wildcard SSL certificates and Subject Alternative Name (SAN) certificates. Thanks to Daniël van Eeden for contributing the patch."

I submitted bug report https://bugs.mysql.com/bug.php?id=100744

The SAN issue reported in this bug was fixed but the wildcard cert issue remains unresolved.

Bug#100744 is a duplicate of this one.