Java Forum / Databases / June 2004


JDBC + SSL = "No trusted certificate found"

Luke McCarthy - 24 Jun 2004 18:31 GMT
Hi,

I'm trying to get JDBC to connect to a MySQL database using SSL. The MySQL
server has been properly compiled and configured, and I can connect to it
with the regular client using SSL, but I can't get a simple test client
written in Java to work.

The error I'm getting is "No trusted certificate found", but I have
imported the CA cert I used to sign the MySQL server key into a truststore
and I'm using that truststore in my code. The relevant steps look like
this:

# CA cert created like so:
$ openssl req -new -x509 -keyout cakey.pem -out cacert.pem

# MySQL server certificate verified like so:
$ openssl verify -CAfile cacert.pem server-cert.pem
server-cert.pem: OK

# truststore created like so:
$ keytool -import -file cacert.pem -alias mysqlServerCACert -keystore truststore

/* java code looks like this: */
System.setProperty("javax.net.debug", "all");
System.setProperty("javax.net.ssl.trustStore", "/home/lukem/src/ssl/truststore");
System.setProperty("javax.net.ssl.trustStorePassword", "password");

During execution, the debug information shows that it's using the expected
truststore and that it's adding my certificate:

...
trustStore is: /home/lukem/src/ssl/truststore
...
adding as trusted cert:
Subject: CN=lewzealand, OU=bioinfo, O=Uni, L=Sask, ST=Sask, C=CA
...

But I still get the "No trusted certificate found" error. Any idea what
the problem might be? Thanks,

Luke
Roedy Green - 24 Jun 2004 19:11 GMT
>But I still get the "No trusted certificate found" error. Any idea what
>the problem might be? Thanks,

Is not MySQL written in C?  If so, getting the cert imported into a
Java-only cert repository isn't going to help. MySQL must be looking
in its own cert repository or perhaps some OS-dependent one.

This gets pretty confusing. Every browser and tool potentially has its
own repository.

I am not talking from experience with MySQL and SSL, but from
experience with code signing certs.


Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.

Luke McCarthy - 24 Jun 2004 20:39 GMT
>>But I still get the "No trusted certificate found" error. Any idea what
>>the problem might be? Thanks,
>
> Is not MySQL written in C?  If so getting the cert imported into a
> Java-only cert repository isn't going to help. MySQL must be looking
> in its own cert repository or perhaps some OS-dependent one.

The MySQL client is perfectly capable of talking to the MySQL server.
That part of the configuration is not the issue.

The issue is getting Java to talk to the MySQL server.  This must require
getting the certificate in to the Java truststore.

I thought that was pretty clear in my original post, but just to clarify:
I'm trying to get a Java program to talk to the MySQL server using SSL.

Cheers,

Luke
Roedy Green - 24 Jun 2004 21:39 GMT
>I thought that was pretty clear in my original post, but just to clarify:
>I'm trying to get a Java program to talk to the MySQL server using SSL.

But I'm not completely convinced Java is involved. This might be an
internal MySQL matter: communication between its JDBC driver (which
might be native) and the server.

If the MySQL JDBC driver in your client is pure Java, then it sounds like
you are correct, and you need to get your SSL cert into the correct
cacerts file.

See http://mindprod.com/jgloss/cacerts.html for how to figure out
which is the "right" one,
and http://mindprod.com/jgloss/keytool.html to check if you succeeded.

What makes me suspicious is you can use the mySQL client debug tool
without any Java for miles around and connect to a remote database.
That implies MySQL might have its own means of validating SSL certs.

You are obviously more familiar with SSL than I am.  I am just tossing
out a possibility to explore.


Mark Matthews - 25 Jun 2004 04:13 GMT
>>I thought that was pretty clear in my original post, but just to clarify:
>>I'm trying to get a Java program to talk to the MySQL server using SSL.
>
> But I'm not completely convinced Java is involved. This might be an
> internal MySQL matter communication between its JDBC driver (which
> might be native) and the server.

The JDBC driver for MySQL is 100% pure Java, and to get SSL working
requires the Java truststore to be set up correctly.

I don't see anything 'out of the ordinary' with how you've set up your
truststore.

Have you generated a _client_ cert as well? (MySQL's SSL requires a
client cert as well):

http://dev.mysql.com/doc/connector/j/en/index.html#id2804280

    -Mark


Mr. Mark Matthews
MySQL AB, Software Development Manager, J2EE and Windows Platforms
Office: +1 708 332 0507
www.mysql.com

MySQL Guide to Lower TCO
http://www.mysql.com/it-resources/white-papers/tco.php

Luke McCarthy - 25 Jun 2004 05:53 GMT
> Have you generated a _client_ cert as well? (MySQL's SSL requires a
> client cert as well):
>
> http://dev.mysql.com/doc/connector/j/en/index.html#id2804280

I have.  But as the error is the same whether or not I use the keystore
containing the client certificate, I think the problem is at an earlier
stage...

Cheers,

Luke
Luke McCarthy - 29 Jun 2004 22:50 GMT
> Have you generated a _client_ cert as well? (MySQL's SSL requires a
> client cert as well):
>
> http://dev.mysql.com/doc/connector/j/en/index.html#id2804280

This appears not, in fact, to be true.  At least not with current
versions of MySQL and MySQL Connector/J. It is possible to connect to a
mysql server using SSL without having a client certificate at all.  This
is true whether you use JDBC or the mysql command-line client.

Cheers,

Luke
Luke McCarthy - 29 Jun 2004 22:43 GMT
> ...
> adding as trusted cert:
> Subject: CN=lewzealand, OU=bioinfo, O=Uni, L=Sask, ST=Sask, C=CA
> ...

Convinced that there was no problem on the Java side, I set up my own
SSL-enabled mysql server at home where I could manipulate the
configuration to try and further explore this problem.  As soon as I
did, the problem went away.  After some experimentation, it appears the
problem was this:

The common name in the SQL certificate must be a fully-qualified
domain name, or Java doesn't recognize the match.  It's not good enough
if a simple name (e.g.: myserver) is used in both the certificate and the
JDBC connection statement, even if that name resolves.  As soon as an
equivalent fully-qualified domain name (e.g.: myserver.example.com) is
used in the certificate and the connection statement, everything just
works.

The reason I'm following up here is that this appears to be somewhat
Java-specific, as mysql itself doesn't care whether a host name is
fully-qualified or not.

Cheers,

Luke
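An added diagnostic, not code from this thread or from Connector/J, that reproduces the two checks the thread turns on: it validates server-cert.pem against the CA certs in the truststore the way `openssl verify` does, then compares the host you would put in the JDBC URL with the names actually present in the certificate (SAN dNSName entries and the subject CN). The file paths, truststore password and host are assumed command-line arguments, and the name comparison is an exact, case-insensitive match rather than the JDK's full RFC 2818 matcher (no wildcard handling).

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Separates "CA not trusted" from "name in cert does not match the host I connect to". */
public class MysqlCertCheck {

    /** Validates the server cert against the trusted CA entries in the truststore (like `openssl verify`). */
    static boolean chainIsTrusted(X509Certificate server, KeyStore trustStore) {
        try {
            CertPath path = CertificateFactory.getInstance("X.509")
                    .generateCertPath(Collections.singletonList(server));
            PKIXParameters params = new PKIXParameters(trustStore);
            params.setRevocationEnabled(false); // private CA: no CRL/OCSP to consult
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (Exception e) {
            System.err.println("chain not trusted: " + e.getMessage());
            return false;
        }
    }

    /** Collects the names a client may connect with: SAN dNSName entries, then the subject CN. */
    static List<String> namesIn(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when no SAN extension
        if (sans != null)
            for (List<?> san : sans)
                if ((Integer) san.get(0) == 2) names.add((String) san.get(1)); // type 2 = dNSName
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns())
            if (rdn.getType().equalsIgnoreCase("CN")) names.add(rdn.getValue().toString());
        return names;
    }

    /** True only when the JDBC host exactly matches one of the certificate's names. */
    static boolean nameMatches(X509Certificate cert, String jdbcHost) throws Exception {
        for (String n : namesIn(cert)) if (n.equalsIgnoreCase(jdbcHost)) return true;
        return false;
    }

    public static void main(String[] args) throws Exception {
        String certFile = args[0], storeFile = args[1], storePass = args[2], host = args[3];
        X509Certificate server = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new FileInputStream(certFile));
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(storeFile)) { ts.load(in, storePass.toCharArray()); }
        System.out.println("trusted chain : " + chainIsTrusted(server, ts));
        System.out.println("names in cert : " + namesIn(server));
        System.out.println("matches " + host + " : " + nameMatches(server, host));
    }
}
```

A certificate whose CN is a bare "myserver" reports a trusted chain but no match for "myserver.example.com", which is the situation the thread describes; the fix is to issue the certificate for the same name the JDBC URL uses.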
Mark Matthews - 30 Jun 2004 03:01 GMT
>> ...
>> adding as trusted cert:
[quoted text clipped - 22 lines]
>
> Luke

Luke,

Mind if I add that tidbit to our docs?

    -Mark


Luke McCarthy - 30 Jun 2004 13:38 GMT
> Mind if I add that tidbit to our docs?

Not at all.  Cheers,

Luke
Roedy Green - 30 Jun 2004 18:09 GMT
>> Mind if I add that tidbit to our docs?
>
>Not at all.  Cheers,

I have always just done that as a matter of course without
permission. I assumed anything in the newsgroups was public domain. I
can see doing it as a courtesy, but do you legally need permission?

