JDBC参数verifyServerCertificate = false连接,无需clientkeystore和truststore [英] JDBC parameter verifyServerCertificate=false connects without the need for a clientkeystore and truststore
问题描述
我正在尝试使用以下设置来创建与MYSQL服务器的ssl连接。我注意到,当我在jdbc url中指定verifyServerCertificate = false时,Java似乎忽略了我通过System.setProperty指定的密钥库和信任库信息。所以我可以注释掉1)中指定的代码,并且仍然可以成功创建ssl连接。当我指定verifyServerCertificate = true时,它似乎使用1)设置的值。所以我的问题是JDBC如何在verifyServerCertificate = false时创建ssl连接,而不使用客户端密钥库和信任库?谢谢。
I am attempting to use the following setup to create an ssl connection to a MYSQL server. I noticed that when I specify verifyServerCertificate=false in the jdbc url, Java seems to ignore the keystore and truststore information I specified via System.setProperty. So I could comment out the code specified in 1) and the ssl connection will still be created successfully. When I specify verifyServerCertificate=true it seems to use the values set by 1). So my question is how is JDBC able to create an ssl connection when verifyServerCertificate=false, without using a client keystore and truststore? Thanks.
Java代码
1)
System.setProperty("javax.net.ssl.keyStore",(String) keyStorePath);
System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword);
System.setProperty("javax.net.ssl.trustStore",(String) trustStorePath);
System.setProperty("javax.net.ssl.trustStorePassword",(String) trustStorePassword));
2)
String jdbcURL = "jdbc:mysql://192.11.11.111/database?verifyServerCertificate=false&useSSL=true&requireSSL=true";
3)
Connection con = DriverManager.getConnection(jdbcURL, dbuser, dbpassword);
MYSQL服务器
拨款声明:
4)
'GRANT ALL PRIVILEGES ON *.* TO 'dbuser'@'%' IDENTIFIED BY PASSWORD \'*2343ASDFWETDFGDSFGSDFGSDSDFWERASF\' REQUIRE SSL WITH GRANT OPTION'
编辑到my.cnf文件
edit to my.cnf file
5)
[mysqld]
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem
其他信息
6)我正在使用我创建的证书颁发机构。
6) I'm am using a certificate authority I created.
7)对查询的回应
show variables like '%ssl%';
have_openssl YES
have_ssl YES
ssl_ca /etc/mysql/certs/ca.pem
ssl_capath
ssl_cert /etc/mysql/certs/server-cert.pem
ssl_cipher
ssl_crl
ssl_crlpath
ssl_key /etc/mysql/certs/server-key.pem
推荐答案
在没有客户端验证服务器证书链的情况下,Java绝对可以建立SSL连接。
Java can definitely establish an SSL connection without a client validating the certificate chain of the server.
建立连接的类(javax.net.ssl类)通常会怀疑未经验证的服务器证书,并且会使握手失败。
The classes that are establishing the connection (javax.net.ssl classes) would normally treat the unverified server certificate with suspicion and would fail the handshake.
但它们为这些类的用户提供了一种方法,实际上说如果服务器的证书没有验证就可以了,继续建立连接。
But they provide a way for the user's of those classes to in effect say "It's ok if the server's certificate doesn't validate, go ahead and establish the connection".
当你说verifyServerCertificate = false时就会发生这种情况。
That is what's happening when you say verifyServerCertificate=false.
SSL连接完全有效,来自加密透视,但它不是经过身份验证的连接,因为您不知道服务器证书的来源是什么。
The SSL connection is perfectly valid from a cryptographic perspective but it is not an authenticated connection because you have no idea what the source of the server certificate is.
这篇关于JDBC参数verifyServerCertificate = false连接,无需clientkeystore和truststore的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
