java JDBC 参数 verifyServerCertificate=false 无需客户端密钥库和信任库即可连接
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/33700647/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
JDBC parameter verifyServerCertificate=false connects without the need for a clientkeystore and truststore
提问by user3817170
I am attempting to use the following setup to create an ssl connection to a MYSQL server. I noticed that when I specify verifyServerCertificate=false in the jdbc url, Java seems to ignore the keystore and truststore information I specified via System.setProperty. So I could comment out the code specified in 1) and the ssl connection will still be created successfully. When I specify verifyServerCertificate=true it seems to use the values set by 1). So my question is how is JDBC able to create an ssl connection when verifyServerCertificate=false, without using a client keystore and truststore? Thanks.
我正在尝试使用以下设置来创建到 MYSQL 服务器的 ssl 连接。我注意到当我在 jdbc url 中指定 verifyServerCertificate=false 时,Java 似乎忽略了我通过 System.setProperty 指定的密钥库和信任库信息。所以我可以注释掉1)中指定的代码,并且仍然会成功创建ssl连接。当我指定 verifyServerCertificate=true 时,它似乎使用由 1 设置的值)。所以我的问题是 JDBC 如何在 verifyServerCertificate=false 时创建 ssl 连接,而不使用客户端密钥库和信任库?谢谢。
Java Code
Java代码
1)
1)
System.setProperty("javax.net.ssl.keyStore",(String) keyStorePath);
System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword);
System.setProperty("javax.net.ssl.trustStore",(String) trustStorePath);
System.setProperty("javax.net.ssl.trustStorePassword",(String) trustStorePassword));
2)
2)
String jdbcURL = "jdbc:mysql://192.11.11.111/database?verifyServerCertificate=false&useSSL=true&requireSSL=true";
3)
3)
Connection con = DriverManager.getConnection(jdbcURL, dbuser, dbpassword);
MYSQL Server
MYSQL服务器
Grant statement:
资助声明:
4)
4)
'GRANT ALL PRIVILEGES ON *.* TO 'dbuser'@'%' IDENTIFIED BY PASSWORD \'*2343ASDFWETDFGDSFGSDFGSDSDFWERASF\' REQUIRE SSL WITH GRANT OPTION'
edit to my.cnf file
编辑到 my.cnf 文件
5)
5)
[mysqld]
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem
Additional Information
附加信息
6) I'm am using a certificate authority I created.
6) 我正在使用我创建的证书颁发机构。
7) Response to query
7) 响应查询
show variables like '%ssl%';
have_openssl YES
have_ssl YES
ssl_ca /etc/mysql/certs/ca.pem
ssl_capath
ssl_cert /etc/mysql/certs/server-cert.pem
ssl_cipher
ssl_crl
ssl_crlpath
ssl_key /etc/mysql/certs/server-key.pem
回答by JJF
Java can definitely establish an SSL connection without a client validating the certificate chain of the server.
Java 绝对可以建立 SSL 连接,而无需客户端验证服务器的证书链。
The classes that are establishing the connection (javax.net.ssl classes) would normally treat the unverified server certificate with suspicion and would fail the handshake.
建立连接的类(javax.net.ssl 类)通常会怀疑未经验证的服务器证书,并且握手失败。
But they provide a way for the user's of those classes to in effect say "It's ok if the server's certificate doesn't validate, go ahead and establish the connection".
但是它们为这些类的用户提供了一种方法,实际上可以说“如果服务器的证书没有验证,那就可以了,继续建立连接”。
That is what's happening when you say verifyServerCertificate=false.
当您说 verifyServerCertificate=false 时,就会发生这种情况。
The SSL connection is perfectly valid from a cryptographic perspective but it is not an authenticated connection because you have no idea what the source of the server certificate is.
从加密的角度来看,SSL 连接是完全有效的,但它不是经过身份验证的连接,因为您不知道服务器证书的来源是什么。
![java 如何在java中提取sftp url sftp://<user>@<host>[:<port>][/<directory>]](/res/img/loading.gif)