Steve Chambers - 1 month ago
Java Question

How to make an SSL connection to MySQL using MariaDB Connector/J?

I'm using MySQL 5.7.10 with SSL enabled and certificates generated as per these instructions. My Java 7 application uses a MariaDB Connector/J and SSL is enabled in the JDBC URL:

jdbc:mysql://dbservername:3306/dbname?useSSL=true&trustServerCertificate=false


But the connection fails with:

Caused by: java.lang.RuntimeException: Could not generate DH keypair
...
Caused by: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)


According to this blog post, the problem could be resolved by:


  1. Upgrading to Java 8 (or higher).

  2. Downgrading to MySQL 5.7.5 (or lower).

  3. Excluding Diffie-Hellman (DH) ciphers.



(1) isn't an option on the project I'm working on. (2) seems restrictive and would prevent access to future MySQL improvements. (3) seems the most promising: I've verified it does work with MySQL Connector/J but unfortunately its GPL license prevents me from being able to use it on my project.

Does MariaDB Connector/J have an equivalent property to enabledSSLCipherSuites or is there any other way to prevent it from using DH ciphers when connecting?

Answer

The requested feature options have now been implemented in MariaDB Connector/J version 1.5.0-RC:

enabledSslProtocolSuites: Force TLS/SSL protocol to a specific set of TLS versions (comma-separated list). Example: "TLSv1, TLSv1.1, TLSv1.2". Default: TLSv1, TLSv1.1. Since 1.5.0

enabledSslCipherSuites: Force TLS/SSL cipher (comma-separated list). Example: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384". Default: use JRE ciphers. Since 1.5.0

(See the comments below the question, the release notes and this Jira ticket.)
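One way to apply enabledSslCipherSuites to the question's URL, as an added example that is not part of the original answer or the connector's own code: it takes the cipher suites the running JRE enables by default, drops the finite-field DH ones, and passes the rest to the driver. The class name is hypothetical, the host and database names are the question's placeholders, and the user and password are expected as program arguments.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

public class NoDhCipherUrl {  // hypothetical class name, Java 7 compatible

    // Matches DHE_* and DH_* key exchanges; ECDHE_* and ECDH_* names do not match.
    static boolean usesFiniteFieldDh(String suite) {
        return suite.contains("_DHE_") || suite.contains("_DH_");
    }

    // Cipher suites this JRE enables by default, minus the finite-field DH ones.
    static List<String> suitesWithoutDh() throws Exception {
        String[] enabled = SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites();
        List<String> kept = new ArrayList<String>();
        for (String suite : enabled) {
            if (!usesFiniteFieldDh(suite)) kept.add(suite);
        }
        if (kept.isEmpty()) throw new IllegalStateException("JRE enables no non-DH cipher suite");
        return kept;
    }

    // Appends the comma-separated list to the URL from the question.
    static String buildUrl(String host, int port, String db, List<String> suites) {
        StringBuilder csv = new StringBuilder();
        for (String s : suites) {
            if (csv.length() > 0) csv.append(',');
            csv.append(s);
        }
        return "jdbc:mysql://" + host + ":" + port + "/" + db
                + "?useSSL=true&trustServerCertificate=false&enabledSslCipherSuites=" + csv;
    }

    public static void main(String[] args) throws Exception {
        String url = buildUrl("dbservername", 3306, "dbname", suitesWithoutDh());
        System.out.println(url);
        if (args.length < 2) return;  // no credentials given: only print the URL
        // Connect and ask the server which cipher the session actually negotiated.
        try (Connection c = DriverManager.getConnection(url, args[0], args[1]);
             Statement st = c.createStatement();
             ResultSet rs = st.executeQuery("SHOW STATUS LIKE 'Ssl_cipher'")) {
            if (rs.next()) System.out.println("Negotiated cipher: " + rs.getString(2));
        }
    }
}
```

The handshake still fails if the server accepts none of the remaining suites, so check the reported Ssl_cipher value after connecting.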
