WARNING: Establishing SSL connection without server’s identity verification is not recommended

This warning message indicates that SSL (Secure Sockets Layer) connections are being established without verifying the server’s identity. This practice is not recommended because a client that skips identity verification cannot distinguish the real MySQL server from an impostor sitting in the middle of the connection, and it matters especially in newer versions of MySQL (5.5.45+, 5.6.26+, and 5.7.6+), where SSL connections are expected to be established by default unless explicitly disabled.
Let’s understand with an example.
In the code below we explicitly set useSSL=false in the JDBC URL to disable SSL for the MySQL connection.

// Imports needed by the examples on this page
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

// JDBC URL without SSL: the whole session, credentials included, travels in plaintext
String url = "jdbc:mysql://server_name:3306/database_name?useSSL=false";
// Connection properties (Connector/J reads the credentials from "user" and "password")
Properties props = new Properties();
props.setProperty("user", "username");
props.setProperty("password", "password");

// Establishing connection
try (Connection conn = DriverManager.getConnection(url, props)) {
    // Connection established successfully
} catch (SQLException e) {
    // Handle connection failure
    e.printStackTrace();
}

In the next example, we set useSSL=true in the JDBC URL to enable SSL for the MySQL connection. Additionally, we provide the location of the truststore file and the password for the truststore through Connector/J’s trustCertificateKeyStoreUrl and trustCertificateKeyStorePassword properties (these are the driver’s own names for the truststore settings), and we set verifyServerCertificate=true so that the MySQL client actually verifies the server’s certificate against the certificates stored in the truststore.

// JDBC URL with SSL, server certificate verification and truststore configuration
String url = "jdbc:mysql://server_name:3306/database_name?useSSL=true&verifyServerCertificate=true"
        + "&trustCertificateKeyStoreUrl=file:/path/to/truststore"
        + "&trustCertificateKeyStorePassword=truststore_password";
// Connection properties
Properties props = new Properties();
props.setProperty("user", "username");
props.setProperty("password", "password");

// Establishing connection
try (Connection conn = DriverManager.getConnection(url, props)) {
    // Connection established successfully; the server's certificate chained to the truststore
} catch (SQLException e) {
    // Handle connection failure, including a server certificate that fails verification
    e.printStackTrace();
}

Whether you enable or disable SSL depends on your use case. To address the warning itself, you have two options:

  1. Explicitly disable SSL by setting useSSL=false if SSL is not required for your application.
  2. Set useSSL=true and provide a truststore for server certificate verification if SSL is required for your application’s security needs.

Additionally, the warning mentions that the verifyServerCertificate property is set to 'false' for compliance with existing applications not using SSL. With that default, even a useSSL=true connection is encrypted but the server’s certificate is never checked, so it’s important to understand the security implications of this setting and set verifyServerCertificate=true wherever your application’s requirements and security policies call for the server to be authenticated.
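As an added illustration, not code from the original post, here is a small audit helper that inspects the query parameters of a Connector/J URL and reports which settings leave the server’s identity unverified; it covers the legacy useSSL/verifyServerCertificate flags discussed above and also the sslMode property of Connector/J 8.0, which takes precedence over those flags. The class and method names are mine, and the sample URLs are constructed from the examples on this page.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class JdbcSslAudit {
    /** Parses the "?key=value&key=value" part of a JDBC URL; values are taken raw (no %-decoding). */
    static Map<String, String> queryParams(String jdbcUrl) {
        Map<String, String> params = new LinkedHashMap<>();
        int q = jdbcUrl.indexOf('?');
        if (q < 0) return params;
        for (String pair : jdbcUrl.substring(q + 1).split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            params.put(eq < 0 ? pair : pair.substring(0, eq), eq < 0 ? "" : pair.substring(eq + 1));
        }
        return params;
    }
    /** Returns findings; an empty list means TLS is on and the server's certificate is verified. */
    static List<String> audit(String jdbcUrl) {
        Map<String, String> cfg = queryParams(jdbcUrl);
        List<String> findings = new ArrayList<>();
        // Connector/J 8.0: sslMode takes precedence over the legacy useSSL/verifyServerCertificate flags
        String sslMode = cfg.get("sslMode");
        if (sslMode != null) {
            if (!sslMode.equalsIgnoreCase("VERIFY_CA") && !sslMode.equalsIgnoreCase("VERIFY_IDENTITY"))
                findings.add("sslMode=" + sslMode + ": server certificate is not verified");
            return findings;
        }
        String useSSL = cfg.get("useSSL");
        if (useSSL == null)
            findings.add("useSSL not set: the driver decides, and it warns because verification is off");
        else if (useSSL.equalsIgnoreCase("false"))
            findings.add("useSSL=false: the connection is plaintext");
        else if (!"true".equalsIgnoreCase(cfg.get("verifyServerCertificate")))
            findings.add("verifyServerCertificate is not true: TLS without a server identity check");
        else if (cfg.get("trustCertificateKeyStoreUrl") == null)
            findings.add("no trustCertificateKeyStoreUrl: relies on the JVM default truststore");
        return findings;
    }
    public static void main(String[] args) {
        String base = "jdbc:mysql://server_name:3306/database_name";
        System.out.println(audit(base));                   // the case that triggers the warning
        System.out.println(audit(base + "?useSSL=false")); // explicitly disabled
        System.out.println(audit(base + "?useSSL=true"));  // encrypted but unverified
        System.out.println(audit(base + "?useSSL=true&verifyServerCertificate=true"
                + "&trustCertificateKeyStoreUrl=file:/path/to/truststore&trustCertificateKeyStorePassword=x"));
    }
}
```

Running the audit over every JDBC URL in a deployment’s configuration files is a cheap way to catch connections that silently fall into the "encrypted but unverified" state.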
