Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: jdbc-1.1.2
    • Fix Version/s: jdbc-1.1.3
    • Global Rank: 3229

      Description

      Currently the MariaDB Java Client JDBC driver has two validation modes for server certificates. It can either use:
      1) The default JVM key store. This is the default option.
      2) It can accept all remote certificates without validation. This is done by setting the "trustServerCertificate" property to a non-null value.

      When using self-signed certificates for the server neither of these is acceptable. Option #1 will not validate as the certificate is not signed by a trusted certificate authority. Option #2 is inherently insecure and is susceptible to a man in the middle attack.

      The JDBC driver should allow users to validate the server against a predefined server certificate.

        Activity

        Sehrope Sarkuni added a comment -

        I've created a patch for the MariaDB JDBC driver to add the ability to validate against self-signed SSL certificates. Specifically it allows users to specify the SSL certificate they are expecting from the server and only allow the connection to be created if the server matches it. This is the best protection against man in the middle attacks and given the rise of cloud based database deployments I think this would be a great addition to the driver.

        The patch allows users to specify an SSLSocketFactory by including the class name as a new connection parameter ("sslFactory"). The code structure mimics how the PostgreSQL JDBC driver works to delegate creation of an SSLSocketFactory, though rather than passing an additional String value as an argument, this version accepts the entire connection java.util.Properties. I figure it's cleaner (less explicit properties defined) and more extensible this way.

        The patch also includes an implementation of SSLSocketFactory (called SingleCertSocketFactory) that validates against a predefined SSL certificate. This allows secure connections to servers secured with self-signed certificates.

        The patch should be backwards compatible for existing clients as nothing changes if the new property is not used. The code path when SSL is enabled is slightly different but it still creates the same type of default SSLSocketFactory and also handles the "trustServerCertificate" property the same as before (e.g. accept all certificates).

        Here is an example usage of it:

        import java.sql.Connection;
        import java.sql.DriverManager;
        import java.util.Properties;

        // This String has the server's certificate received through some other secure channel:
        String serverSslCert = "----BEGIN CERTIFICATE---- ... [ Server's Certificate Goes Here] ....";

        // Connection properties: credentials plus the socket factory and the expected certificate
        Properties info = new Properties();
        info.setProperty("user", "mysql_user");
        info.setProperty("password", "mysql_pass");
        info.setProperty("sslFactory", "org.mariadb.jdbc.ssl.SingleCertSocketFactory");
        info.setProperty("serverSslCert", serverSslCert);

        Connection conn = DriverManager.getConnection(jdbcUrl, info);

        Vladislav Vaintroub added a comment -

        Thanks a lot for the patch!

        I fixed the bug, slightly differently from your patch. I used parts of it, except the factories boilerplate thing (this also kept the patch somewhat smaller).
        The single URL/Property parameter added is serverSslCert, which can be either /full/path, or classpath:relative/path, or a DER string that starts with ----BEGIN CERTIFICATE----
        (this serverSslCert can very well be the server's CA certificate)
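
The validation discussed in the two comments above, sketched with standard JSSE calls as an added example; it is not the patch or the driver's own code. The class and method names (PinnedCertSockets, open, forCertificate) are hypothetical, the three accepted forms follow the description of serverSslCert above, and the input is assumed to be a well-formed X.509 certificate.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper (assumption): trusts exactly one supplied certificate.
public final class PinnedCertSockets {

    // Opens the certificate from inline text, a classpath resource, or a file path.
    static InputStream open(String spec) throws IOException {
        if (spec.contains("BEGIN CERTIFICATE")) {          // inline certificate text
            return new ByteArrayInputStream(spec.getBytes(StandardCharsets.US_ASCII));
        }
        if (spec.startsWith("classpath:")) {
            String name = spec.substring("classpath:".length());
            InputStream in = PinnedCertSockets.class.getClassLoader().getResourceAsStream(name);
            if (in == null) throw new IOException("certificate not on classpath: " + name);
            return in;
        }
        return Files.newInputStream(Paths.get(spec));      // plain file path
    }

    public static SSLSocketFactory forCertificate(String spec)
            throws IOException, GeneralSecurityException {
        Certificate cert;
        try (InputStream in = open(spec)) {
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // Empty trust store holding only the expected certificate: the JVM's
        // default CA bundle is not consulted at all.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("server", cert);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);      // no client key, default RNG
        return ctx.getSocketFactory();
    }
}
```

A trust store built this way accepts only chains that end at the supplied certificate, whether that is the server's own self-signed certificate or its CA certificate. It does not check the hostname, so when a CA certificate is supplied, endpoint identification has to be enabled separately on the socket.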


          People

          • Assignee:
            Vladislav Vaintroub
            Reporter:
            Sehrope Sarkuni
          • Votes: 0
            Watchers: 2

              Time Tracking

              Estimated: Not Specified
              Remaining: 0 minutes
              Logged: 2 days