MySQL Bugs: #95526: SslCa option should not be an alias of CertificateFile

Bug #95526	SslCa option should not be an alias of CertificateFile
Submitted:	24 May 2019 15:43	Modified:	27 May 2019 7:33
Reporter:	Bradley Grainger (OCA)	Email Updates:
Status:	Verified	Impact on me:	None
Category:	Connector / NET	Severity:	S3 (Non-critical)
Version:	8.0.16	OS:	Any
Assigned to:		CPU Architecture:	Any

Description:
Connector/NET 8.0.16 added a SslCa connection string option for the regular MySQL protocol. This option specifies a CA certificate that should be used to trust the server's certificate. Unfortunately, this new option is aliased with CertificateFile, which is the existing option to specify a client SSL certificate for mutual authentication.

The documentation at https://dev.mysql.com/doc/connector-net/en/connector-net-8-0-connection-options.html says:

> Based on the type of certificates being used, this option either specifies the path to a certificate file in PKCS #12 format (.pfx) or the path to a file in PEM format (.pem) that contains a list of trusted SSL certificate authorities (CA).

This doesn't really make sense. There are two separate concerns here:

1) Specifying a trusted CA, in PEM format.
2) Specifying the client's certificate either as one PFX file or two PEM files.

There's no technological reason why you couldn't specify a PFX file for the client _and_ a CA for the server. However, this is currently impossible because SslCa and CertificateFile are aliases for each other.

How to repeat:
Run the following C# code. You can see that you can't specify both SslCa and CertificateFile at the same time.

MySqlConnectionStringBuilder csb = new MySqlConnectionStringBuilder
{
	SslCa = "ca.pem",
};

Console.WriteLine(csb.ConnectionString); // certificatefile=ca.pem
Console.WriteLine(csb.CertificateFile); // ca.pem
Console.WriteLine(csb.SslCa); // ca.pem

MySqlConnectionStringBuilder csb = new MySqlConnectionStringBuilder
{
	CertificateFile = "file.pfx",
};

Console.WriteLine(csb.ConnectionString); // certificatefile=file.pfx
Console.WriteLine(csb.CertificateFile); // file.pfx
Console.WriteLine(csb.SslCa); // file.pfx

MySqlConnectionStringBuilder csb = new MySqlConnectionStringBuilder
{
	SslCa = "ca.pem",
	CertificateFile = "file.pfx",
};

Console.WriteLine(csb.ConnectionString); // certificatefile=file.pfx
Console.WriteLine(csb.CertificateFile); // file.pfx
Console.WriteLine(csb.SslCa); // file.pfx

Suggested fix:
SslCa should become an independent option, and SslCert and CertificateFile should become aliases (because you never need to specify BOTH a PFX and a PEM file for the client).

This would allow the following combinations in the connection string:

1) CertificateFile=client.pfx <-- existing PFX syntax
2) SslCert=client-cert.pem;SslKey=client-key.pem;SslCa=server-ca.pem <-- new PEM syntax
3) CertificateFile=client.pfx;SslCa=server-ca.pem <-- new! PFX with server CA verification

Option 2 could also be written as CertificateFile=client-cert.pem;SslKey=client-key.pem;SslCa=server-ca.pem

This change would be backwards compatible with the examples shown at https://dev.mysql.com/doc/connector-net/en/connector-net-tutorials-ssl-pem.html and https://dev.mysql.com/doc/connector-net/en/connector-net-tutorials-ssl-pfx.html, but would add the ability to specify the server CA when using a PFX file.

Hello Bradley,

Thank you for the report and test case.
Observed with VS 2019 (C#.Net) and Connector/NET 8.0.16 version.

regards,
Umesh