Bug #95526 SslCa option should not be an alias of CertificateFile
Submitted: 24 May 2019 15:43
Modified: 27 May 2019 7:33
Reporter: Bradley Grainger (OCA)
Status: Verified
Impact on me: None
Category: Connector / NET
Severity: S3 (Non-critical)
Version: 8.0.16
OS: Any
Assigned to:
CPU Architecture: Any

[24 May 2019 15:43] Bradley Grainger
Description:
Connector/NET 8.0.16 added a SslCa connection string option for the regular MySQL protocol. This option specifies a CA certificate that should be used to trust the server's certificate. Unfortunately, this new option is aliased with CertificateFile, which is the existing option to specify a client SSL certificate for mutual authentication.

The documentation at https://dev.mysql.com/doc/connector-net/en/connector-net-8-0-connection-options.html says:

> Based on the type of certificates being used, this option either specifies the path to a certificate file in PKCS #12 format (.pfx) or the path to a file in PEM format (.pem) that contains a list of trusted SSL certificate authorities (CA).

This doesn't really make sense. There are two separate concerns here:

1) Specifying a trusted CA, in PEM format.
2) Specifying the client's certificate either as one PFX file or two PEM files.

There's no technological reason why you couldn't specify a PFX file for the client _and_ a CA for the server. However, this is currently impossible because SslCa and CertificateFile are aliases for each other.

How to repeat:
Run the following C# code. You can see that you can't specify both SslCa and CertificateFile at the same time.

using System;
using MySql.Data.MySqlClient;

// Case 1: only SslCa is set; it is written to the CertificateFile key.
MySqlConnectionStringBuilder csb1 = new MySqlConnectionStringBuilder
{
	SslCa = "ca.pem",
};

Console.WriteLine(csb1.ConnectionString); // certificatefile=ca.pem
Console.WriteLine(csb1.CertificateFile); // ca.pem
Console.WriteLine(csb1.SslCa); // ca.pem

// Case 2: only CertificateFile is set; SslCa reads back the same value.
MySqlConnectionStringBuilder csb2 = new MySqlConnectionStringBuilder
{
	CertificateFile = "file.pfx",
};

Console.WriteLine(csb2.ConnectionString); // certificatefile=file.pfx
Console.WriteLine(csb2.CertificateFile); // file.pfx
Console.WriteLine(csb2.SslCa); // file.pfx

// Case 3: both are set; the later assignment overwrites the earlier one.
MySqlConnectionStringBuilder csb3 = new MySqlConnectionStringBuilder
{
	SslCa = "ca.pem",
	CertificateFile = "file.pfx",
};

Console.WriteLine(csb3.ConnectionString); // certificatefile=file.pfx
Console.WriteLine(csb3.CertificateFile); // file.pfx
Console.WriteLine(csb3.SslCa); // file.pfx

Suggested fix:
SslCa should become an independent option, and SslCert and CertificateFile should become aliases (because you never need to specify BOTH a PFX and a PEM file for the client).

This would allow the following combinations in the connection string:

1) CertificateFile=client.pfx <-- existing PFX syntax
2) SslCert=client-cert.pem;SslKey=client-key.pem;SslCa=server-ca.pem <-- new PEM syntax
3) CertificateFile=client.pfx;SslCa=server-ca.pem <-- new! PFX with server CA verification

Option 2 could also be written as CertificateFile=client-cert.pem;SslKey=client-key.pem;SslCa=server-ca.pem

This change would be backwards compatible with the examples shown at https://dev.mysql.com/doc/connector-net/en/connector-net-tutorials-ssl-pem.html and https://dev.mysql.com/doc/connector-net/en/connector-net-tutorials-ssl-pfx.html, but would add the ability to specify the server CA when using a PFX file.
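Until the options are separated, an application that intends to use combination 3 (client PFX plus server CA) has no error to tell it that one of the two values was dropped. The following pre-flight check is an added illustration, not code from the report or from Connector/NET: it reads the builder back after construction and refuses to open the connection when the values it meant to set are no longer both present. The file names, the host name and the NuGet package reference are assumptions; `MySqlConnectionStringBuilder`, `CertificateFile`, `SslCa` and `ConnectionString` are the properties discussed in the report.

```csharp
using System;
using MySql.Data.MySqlClient;   // assumed: NuGet package MySql.Data 8.0.16

static class TlsOptionCheck
{
    // Returns true only when the client certificate file and the server CA
    // that the application assigned are both still present in the builder.
    // With the 8.0.16 alias the two properties share one key, so for the
    // PFX + CA combination this returns false instead of the application
    // silently connecting with only one of the two files configured.
    public static bool ClientAndServerCertsIntact(MySqlConnectionStringBuilder csb,
                                                  string expectedClientFile,
                                                  string expectedServerCa)
    {
        return csb.CertificateFile == expectedClientFile
            && csb.SslCa == expectedServerCa;
    }

    static void Main()
    {
        // Placeholder paths; replace with the application's own certificate files.
        const string clientPfx = "client.pfx";
        const string serverCa = "server-ca.pem";

        var csb = new MySqlConnectionStringBuilder
        {
            Server = "db.example.internal",   // placeholder host
            SslCa = serverCa,                 // CA expected to have signed the server certificate
            CertificateFile = clientPfx,      // client certificate for mutual TLS
        };

        Console.WriteLine(csb.ConnectionString);

        if (!ClientAndServerCertsIntact(csb, clientPfx, serverCa))
        {
            // With 8.0.16 this branch is taken: as in the report's third case,
            // CertificateFile and SslCa both read "client.pfx" and the CA path is gone.
            throw new InvalidOperationException(
                $"SslCa/CertificateFile collision: CertificateFile={csb.CertificateFile}, SslCa={csb.SslCa}");
        }

        using (var conn = new MySqlConnection(csb.ConnectionString))
        {
            conn.Open();
        }
    }
}
```

The check is deliberately placed before `Open()`: the point is to fail at configuration time, where the lost value is still visible, rather than after a handshake that succeeded against a server the application never pinned to the intended CA.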
[27 May 2019 7:33] Umesh Shastry
Hello Bradley,

Thank you for the report and test case.
Observed with VS 2019 (C#.Net) and Connector/NET 8.0.16 version.

regards,
Umesh