Bug #99767 Contribution: Check SubjectAlternativeName for TLS instead of commonName
Submitted: 3 Jun 2020 13:50
Modified: 5 Oct 2020 18:52
Reporter: OCA Admin (OCA)
Status: Closed
Category: Connector / J
Severity: S3 (Non-critical)
Version: 8.0
OS: Any
Assigned to:
CPU Architecture: Any
Tags: Contribution

[3 Jun 2020 13:50] OCA Admin
Description:
This bug tracks a contribution by Daniël van Eeden (Github user: dveeden) as described in http://github.com/mysql/mysql-connector-j/pull/49

How to repeat:
See description

Suggested fix:
See contribution code attached
[3 Jun 2020 13:50] OCA Admin
Contribution submitted via Github - Check SubjectAlternativeName for TLS instead of commonName 
(*) Contribution by Daniël van Eeden (Github dveeden, mysql-connector-j/pull/49#issuecomment-637848978): I confirm the code being submitted is offered under the terms of the OCA, 
and that I am authorized to contribute it.

On June 2, 2020 23:50:26 mysql-oca-bot <notifications@github.com> wrote:
>
> Hi, thank you for your contribution. Please confirm this code is submitted 
> under the terms of the OCA (Oracle's Contribution Agreement) you have 
> previously signed by cutting and pasting the following text as a comment:
> "I confirm the code being submitted is offered under the terms of the OCA, 
> and that I am authorized to contribute it."
> Thanks—

Contribution: git_patch_426796717.txt (text/plain), 6.51 KiB.

[4 Jun 2020 5:10] MySQL Verification Team
Hello Daniël,

Thank you for the report and contribution.

regards,
Umesh
[5 Oct 2020 18:52] Daniel So
Posted by developer:
 
Added the following entry to the Connector/J 8.0.22 changelog: 

"When the connection option sslMode is set to VERIFY_IDENTITY, Connector/J now validates the host name in the connection string against the host names or IP addresses provided under the Subject Alternative Name (SAN) extension in the server's X.509 certificate. Also, verification against the Common Name (CN) is now performed when a SAN is not provided in the certificate or if it does not contain any DNS name or IP address entries. Host names listed in the certificate, under either the SAN or the CN, can contain a wildcard character as specified in the RFC 6125 standard. Thanks to Daniël van Eeden for contributing to the patch"
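The matching order described in the changelog entry above, as an added illustration that is not Connector/J's own code or part of the original report. The class and method names are hypothetical; the example assumes the wildcard is honored only as the whole left-most label and that IP addresses are compared as text.

```java
import java.util.Collection;
import java.util.List;
import java.util.Locale;

// Added illustration; HostnameCheck and its methods are hypothetical names.
public class HostnameCheck {
    static final int DNS_NAME = 2, IP_ADDRESS = 7; // GeneralName tags from RFC 5280

    // 'sans' has the shape X509Certificate.getSubjectAlternativeNames() returns:
    // entries of [Integer type, String value], or null when the extension is absent.
    static boolean verify(String host, Collection<List<?>> sans, String commonName) {
        boolean sanHasIdentity = false;
        if (sans != null) {
            for (List<?> entry : sans) {
                int type = (Integer) entry.get(0);
                if (type != DNS_NAME && type != IP_ADDRESS) continue;
                sanHasIdentity = true;
                String value = (String) entry.get(1);
                // Assumption: IP addresses are compared as text, without normalization.
                boolean ok = type == DNS_NAME ? matchDns(host, value) : host.equalsIgnoreCase(value);
                if (ok) return true;
            }
        }
        // The CN is consulted only when the SAN had no DNS name or IP address entries.
        return !sanHasIdentity && commonName != null && matchDns(host, commonName);
    }

    // Assumption: "*" is accepted only as the complete left-most label, covering one label.
    static boolean matchDns(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT), p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) return h.equals(p);
        int dot = h.indexOf('.');
        return dot > 0 && h.substring(dot).equals(p.substring(1));
    }

    static List<?> san(int type, String value) { return List.of(type, value); }

    public static void main(String[] args) {
        // Constructed sample certificate contents, not taken from the bug report.
        Collection<List<?>> sans = List.of(san(DNS_NAME, "*.db.example.com"), san(IP_ADDRESS, "192.0.2.10"));
        Collection<List<?>> emailOnly = List.of(san(1, "dba@example.com")); // rfc822Name only
        System.out.println("wildcard SAN, one label:    " + verify("node1.db.example.com", sans, null));
        System.out.println("wildcard SAN, two labels:   " + verify("a.node1.db.example.com", sans, null));
        System.out.println("IP address SAN:             " + verify("192.0.2.10", sans, null));
        System.out.println("CN ignored when SAN usable: " + verify("cn.example.com", sans, "cn.example.com"));
        System.out.println("CN fallback, no DNS/IP SAN: " + verify("cn.example.com", emailOnly, "cn.example.com"));
        System.out.println("CN fallback, no SAN at all: " + verify("cn.example.com", null, "cn.example.com"));
    }
}
```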
[20 Oct 2020 6:55] Frederic Descamps
Thank you Daniël for your contribution that has been added to 8.0.22: https://lefred.be/content/mysql-8-0-22-thank-you-for-the-contributions/