Bug #92903 MySQL Connector/j should support wildcard names or alternative names
Submitted: 23 Oct 2018 15:34 Modified: 1 Aug 2020 21:51
Reporter: Andrew Garner
Status: Closed
Category: Connector / J Severity: S3 (Non-critical)
Version: 8.0.13 OS: Any
Assigned to: CPU Architecture: Any

[23 Oct 2018 15:34] Andrew Garner
Description:
Unlike the current openssl 1.0.2+ based libmysqlclient, mysql connector/j 8.0.13 with sslMode=VERIFY_IDENTITY does not support wildcard or SAN certificates. This results in an error in an environment with wildcard certificates when enabling the verify_identity option:

Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Server certificate identity check failed. The certificate Common Name '*.foo.internal' does not match with 'fqdn.foo.internal'.

By code inspection, it seems only an equality check against the common name is done and even subject alternative names are ignored presently:

https://github.com/mysql/mysql-connector-j/blob/66459e9d39c8fd09767992bc592acd2053279be6/s...

This is a feature request to improve support for subject name matching when using sslMode=VERIFY_IDENTITY in mysql connector/j 8.0.13+.

How to repeat:
Attempt a connection to a MySQL server configured for TLS with a wildcard subject name. Watch the connection attempt fail with a java.security.cert.CertificateException due to the wildcard name not matching the common name.
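As an added illustration of the matching the report asks for (this is example code, not Connector/J's own implementation or the contributed patch), the matcher below prefers SAN dNSName entries, falls back to the CN only when no dNSName is present, and lets a `*.` wildcard cover exactly one leftmost label. The class name, helper names and sample host names are assumptions constructed for the example.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

/** Hypothetical hostname matcher for VERIFY_IDENTITY-style checks; not Connector/J code. */
public final class HostnameMatcher {
    private static final int SAN_DNS_NAME = 2; // GeneralName tag for dNSName

    /** Collect the dNSName SAN entries of a certificate (empty list if there are none). */
    static List<String> dnsSans(X509Certificate cert) throws CertificateParsingException {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when no SAN extension
        if (sans != null) {
            for (List<?> san : sans) {
                if (((Integer) san.get(0)) == SAN_DNS_NAME) names.add((String) san.get(1));
            }
        }
        return names;
    }

    /** RFC 6125 ordering: dNSName SANs are authoritative; the CN is consulted only when none exist. */
    static boolean matches(String hostname, String cn, List<String> dnsSans) {
        List<String> candidates = (dnsSans.isEmpty() && cn != null) ? List.of(cn) : dnsSans;
        for (String candidate : candidates) {
            if (matchesName(hostname, candidate)) return true;
        }
        return false;
    }

    /** Case-insensitive exact match, or a single wildcard that is the entire leftmost label. */
    static boolean matchesName(String hostname, String name) {
        String h = hostname.toLowerCase(Locale.ROOT);
        String n = name.toLowerCase(Locale.ROOT);
        if (!n.startsWith("*.")) return h.equals(n);      // no wildcard: plain comparison
        if (n.indexOf('*', 1) >= 0) return false;         // "*a.foo" or "*.*.foo" are not accepted
        String suffix = n.substring(1);                   // "*.foo.internal" -> ".foo.internal"
        if (suffix.indexOf('.', 1) < 0) return false;     // refuse "*.internal": too broad
        int dot = h.indexOf('.');
        if (dot <= 0) return false;                       // host has no leftmost label to absorb '*'
        return h.substring(dot).equals(suffix);           // one label only: "a.b.foo.internal" fails
    }

    public static void main(String[] args) {
        // Constructed sample values mirroring the report: wildcard CN, no SAN present.
        System.out.println(matches("fqdn.foo.internal", "*.foo.internal", List.of()));
        System.out.println(matches("a.b.foo.internal", "*.foo.internal", List.of()));
        // SAN present: the CN is ignored even when it would match on its own.
        System.out.println(matches("db.foo.internal", "db.foo.internal", List.of("other.foo.internal")));
        System.out.println(matches("db.foo.internal", "unrelated", List.of("*.foo.internal")));
    }
}
```

With a real certificate, call `matches(host, cn, dnsSans(cert))` after extracting the CN from `cert.getSubjectX500Principal()`; `dnsSans` uses the standard `X509Certificate.getSubjectAlternativeNames()` API.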
[24 Oct 2018 7:23] MySQL Verification Team
Hello Andrew,

Thank you for the report.
Verifying as a feature request after discussing internally with Alex.

regards,
Umesh
[3 Jun 2020 7:17] Daniël van Eeden
https://github.com/mysql/mysql-connector-j/pull/49
[3 Jun 2020 7:18] Daniël van Eeden
Related:
Bug #93301 
Bug #68052
[3 Jun 2020 13:52] Daniël van Eeden
Bug #99767 has the contribution
[1 Aug 2020 21:51] Daniel So
Posted by developer:

Added the following entry to the Connector/J 8.0.22 changelogs:

"Connector/J now supports server identity verification with wildcard SSL certificates and Subject Alternative Name (SAN) certificates. Thanks to Daniël van Eeden for contributing the patch."
[4 Sep 2020 17:11] Daniel Bauman
I submitted bug report https://bugs.mysql.com/bug.php?id=100744

The SAN issue reported in this bug was fixed but the wildcard cert issue remains unresolved.
[4 Sep 2020 17:58] Filipe Silva
Bug#100744 is a duplicate of this one.