Description:
Connector/NET 8.0.16 added a SslCa connection string option for the regular MySQL protocol. This option specifies a CA certificate that should be used to trust the server's certificate. Unfortunately, this new option is aliased with CertificateFile, which is the existing option to specify a client SSL certificate for mutual authentication.
The documentation at https://dev.mysql.com/doc/connector-net/en/connector-net-8-0-connection-options.html says:
> Based on the type of certificates being used, this option either specifies the path to a certificate file in PKCS #12 format (.pfx) or the path to a file in PEM format (.pem) that contains a list of trusted SSL certificate authorities (CA).
This doesn't really make sense. There are two separate concerns here:
1) Specifying a trusted CA, in PEM format.
2) Specifying the client's certificate either as one PFX file or two PEM files.
There's no technological reason why you couldn't specify a PFX file for the client _and_ a CA for the server. However, this is currently impossible because SslCa and CertificateFile are aliases for each other.
How to repeat:
Run the following C# code against Connector/NET 8.0.16. Whichever of SslCa or CertificateFile is assigned last wins, and both properties read back that single value, so you can't specify both at the same time.
using System;
using MySql.Data.MySqlClient;

// Case 1: only SslCa is set; the value lands in the CertificateFile slot.
MySqlConnectionStringBuilder csb1 = new MySqlConnectionStringBuilder
{
    SslCa = "ca.pem",
};
Console.WriteLine(csb1.ConnectionString); // certificatefile=ca.pem
Console.WriteLine(csb1.CertificateFile); // ca.pem
Console.WriteLine(csb1.SslCa); // ca.pem

// Case 2: only CertificateFile is set; SslCa reads back the same value.
MySqlConnectionStringBuilder csb2 = new MySqlConnectionStringBuilder
{
    CertificateFile = "file.pfx",
};
Console.WriteLine(csb2.ConnectionString); // certificatefile=file.pfx
Console.WriteLine(csb2.CertificateFile); // file.pfx
Console.WriteLine(csb2.SslCa); // file.pfx

// Case 3: both are set; the last assignment wins and the CA path is lost.
MySqlConnectionStringBuilder csb3 = new MySqlConnectionStringBuilder
{
    SslCa = "ca.pem",
    CertificateFile = "file.pfx",
};
Console.WriteLine(csb3.ConnectionString); // certificatefile=file.pfx
Console.WriteLine(csb3.CertificateFile); // file.pfx
Console.WriteLine(csb3.SslCa); // file.pfx
Suggested fix:
SslCa should become an independent option, and SslCert and CertificateFile should become aliases (because you never need to specify BOTH a PFX and a PEM file for the client).
This would allow the following combinations in the connection string:
1) CertificateFile=client.pfx <-- existing PFX syntax
2) SslCert=client-cert.pem;SslKey=client-key.pem;SslCa=server-ca.pem <-- new PEM syntax
3) CertificateFile=client.pfx;SslCa=server-ca.pem <-- new! PFX with server CA verification
Option 2 could also be written as CertificateFile=client-cert.pem;SslKey=client-key.pem;SslCa=server-ca.pem
This change would be backwards compatible with the examples shown at https://dev.mysql.com/doc/connector-net/en/connector-net-tutorials-ssl-pem.html and https://dev.mysql.com/doc/connector-net/en/connector-net-tutorials-ssl-pfx.html, but would add the ability to specify the server CA when using a PFX file. Until then, a client that presents a PFX certificate for mutual authentication has no way to pin the server's CA through the connection string, because any SslCa value overwrites (or is overwritten by) the CertificateFile value.
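To make the difference between the current aliasing and the proposed one concrete, here is a small model of how a connection-string parser resolves option names through an alias table. This is an added example written for this report; it is not Connector/NET's parser, and the alias tables, the "last assignment wins" rule and the file-extension rule for the shared slot are assumptions that follow the behaviour and documentation quoted above. The three connection strings are the three combinations from the suggested fix.

```python
"""Model of option aliasing in a MySQL-style connection string.

Constructed example: this is not Connector/NET code. It shows why a CA option
that is merely an alias of the client-certificate option cannot coexist with
a PFX client certificate, and how an independent SslCa slot fixes that.
"""

# Assumed current (8.0.16) table: SslCa is an alias of CertificateFile.
CURRENT_ALIASES = {
    "certificatefile": "certificatefile",
    "sslca": "certificatefile",   # collapses into the client-cert slot
    "sslcert": "sslcert",
    "sslkey": "sslkey",
}

# Proposed table: SslCa is independent; SslCert and CertificateFile share a slot.
PROPOSED_ALIASES = {
    "certificatefile": "certificatefile",
    "sslcert": "certificatefile",
    "sslca": "sslca",
    "sslkey": "sslkey",
}

# The three combinations listed in the suggested fix (constructed inputs).
COMBOS = [
    "CertificateFile=client.pfx",
    "SslCert=client-cert.pem;SslKey=client-key.pem;SslCa=server-ca.pem",
    "CertificateFile=client.pfx;SslCa=server-ca.pem",
]


def parse(conn_str, aliases):
    """Map each key through the alias table into canonical slots.

    A later assignment to the same canonical slot overwrites an earlier one,
    which is exactly how two aliased options lose one of their values.
    """
    slots = {}
    for part in conn_str.split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed option: {part!r}")
        canon = aliases.get(key.strip().lower())
        if canon is None:
            raise ValueError(f"unknown option: {key.strip()!r}")
        slots[canon] = value.strip()
    return slots


def resolve(conn_str, proposed):
    """Return which file ends up as the client certificate and which as the
    trusted server CA, under the current or the proposed alias table."""
    if proposed:
        slots = parse(conn_str, PROPOSED_ALIASES)
        return {
            "client_cert": slots.get("certificatefile"),
            "server_ca": slots.get("sslca"),
        }

    slots = parse(conn_str, CURRENT_ALIASES)
    shared = slots.get("certificatefile")
    # Assumed reading of the documented rule: a single shared slot whose
    # meaning is decided by file type (.pfx = client cert, .pem = CA list).
    pfx = shared if shared and shared.lower().endswith(".pfx") else None
    ca = shared if shared and shared.lower().endswith(".pem") else None
    return {
        "client_cert": slots.get("sslcert") or pfx,
        "server_ca": ca,
    }


def ca_pinned_with_pfx(conn_str, proposed):
    """The check a practitioner cares about: does a PFX client certificate
    survive alongside a pinned server CA?"""
    r = resolve(conn_str, proposed)
    return r["client_cert"] is not None and r["server_ca"] is not None


if __name__ == "__main__":
    for combo in COMBOS:
        print(combo)
        print("  current :", resolve(combo, proposed=False))
        print("  proposed:", resolve(combo, proposed=True))
```

Combination 3 is the one that matters: under the current table the CA path overwrites the PFX path, so the client certificate disappears and no mutual authentication is attempted, while under the proposed table both files survive in their own slots.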