This is a read-only copy of the MariaDB Knowledgebase generated on 2024-11-15. For the latest, interactive version please visit https://mariadb.com/kb/.

MariaDB SSL connection with Connector/J Setup help

I just installed MariaDB 10.1.11 on Centos 7 and enabled SSL connections. I created the root CA, Server Cert/Key, & Client Cert/Key as spelled out in the instructions from this link http://xmodulo.com/enable-ssl-mysql-server-client.html (used -sha256 instead of -sha1)

I added the variables in the [mysqld] section of the server.cnf file and restarted MariaDB I created a user and granted them privilages with a "require x509" suffix.

I have 2 users created (nossluser, ssluser) grant all on *.* to nossluser; grant all on *.* to ssluser require X509;

I can login from the command line using MySQL without any problems

MySQL -u nossluser -p <--- works fine with the user that has no ssl requirement

MySQL -u ssluser -p --ssl-cert client-cert.pem --ssl-key client-key.pem --ssl-ca ca-cert.pem <-- this works fine

I can also connect from a remote client using MySQL workbench using the same ca-cert.pem, client-cert.pem, client-key.pem as I used on the command line.

My problem is when I try to create a java client connection using the Mariadb connector/j I have tried issuing the connection using the useSSL=true, requireSSL=true, serverSslCert=server-cert.pem but it does not work. I get the: "Could not connect: Access denied for user 'ssluser'@192.168.1.9' (using password: YES)" error message

I also enabled java.net.debug and I get a message in the log that says: "Warning:no suitable certificate found - continuing without client authentication"

Now if I change the user to "require ssl" instead of "require x509" The connection works, but I still see the java net debug warning no suitable certificate found which I assume means that the SSL connection did not work but it allowed the connection anyway.

Any Ideas on the correct connection settings for the connector/j

Thanks,

Willie

Answer Answered by Diego Dupin in this comment.

Hi,

You are using the good options. Like you must have seen in documentation, serverSslCert can be used in one of 3 forms :

  • sslServerCert=/path/to/cert.pem (full path to certificate)
  • sslServerCert=classpath:relative/cert.pem (relative to current classpath)
  • or as verbatim DER-encoded certificate string "------BEGING CERTIFICATE-----" .

So that remain 2 possible problems : - 256-bit encryption which is not supported by Java out of the box. You need to install JCE (Java Cryptography Extension). Is it installed ? - Have you try to defined the full path of certificate : sslServerCert=/path/to/cert.pem

Since 1.3.4, you can store certificate in JKS keystore using trustCertificateKeyStoreUrl options. That may be a better solution than to have certificate on server.

Content reproduced on this site is the property of its respective owners, and this content is not reviewed in advance by MariaDB. The views, information and opinions expressed by this content do not necessarily represent those of MariaDB or any other party.