4

I am trying to connect to MySQL with JDBC. I generated keys as follows on my Windows 10:

    winpty openssl pkcs12 -export -inkey ssl_cert/client-key.pem -in ssl_cert/client-cert.pem -out client.packet

    keytool -importkeystore -deststorepass <password> -destkeypass <password> -destkeystore mysqldb.jks -srckeystore client.packet -srcstoretype PKCS12 -srcstorepass <password> -alias 1

    keytool -importcert -alias mysqlCA -trustcacerts -file ssl_cert/ca.pem -keystore mysqldb.jks

My JDBC code looks like this:

    System.setProperty("javax.net.ssl.trustStore", "ks-production-mysqldb.jks");
    System.setProperty("javax.net.ssl.trustStorePassword", "<password> ");
    System.setProperty("javax.net.ssl.trustStoreType", "JKS");

    System.setProperty("javax.net.ssl.keyStore", "mysqldb.jks");
    System.setProperty("javax.net.ssl.keyStorePassword", "<password> ");
    System.setProperty("javax.net.ssl.keyStoreType", "JKS");

    String dbURL = "jdbc:mysql://localhost:1234/sb?"
            + "verifyServerCertificate=true&useSSL=true&requireSSL=true";
    conn = DriverManager.getConnection(dbURL, dbUser, dbPass);

I am getting the following error:

    Caused by: javax.net.ssl.SSLException: Unsupported record version Unknown-0.0
        at sun.security.ssl.InputRecord.checkRecordVersion(InputRecord.java:552)
        at sun.security.ssl.InputRecord.readV3Record(InputRecord.java:565)
        at sun.security.ssl.InputRecord.read(InputRecord.java:529)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:983)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
        at org.mariadb.jdbc.internal.mysql.MySQLProtocol.connect(MySQLProtocol.java:444)
        ... 7 more

I googled for this and found out that it may be due to a difference in SSL protocol between the server and Java, which they say must have been solved in Java 7 or greater. But I am still getting the error. What am I missing?

Port forwarding before connection to localhost:1234:

    try {
        JSch jsch = new JSch();
        // Authenticate to the jump host with the private key file
        jsch.addIdentity(privateKey);
        logger.info("Establishing connection to " + sshHost + " by user " + sshUser);
        session = jsch.getSession(sshUser, sshHost, 22);
        java.util.Properties config = new java.util.Properties();
        // Host key checking is switched off here, so the jump host's identity is not verified
        config.put("StrictHostKeyChecking", "no");
        session.setConfig(config);
        session.connect();
        // Forward localPort on this machine to remoteHost:remotePort through the SSH session
        int assignedPort = session.setPortForwardingL(localPort, remoteHost, remotePort);
        logger.info("assigned Port = " + assignedPort);
    } catch (JSchException e) {
        e.printStackTrace();
        throw new RuntimeException(e);
    }
    return session;

openssl command output :

 $ openssl s_client -connect localhost:1234
CONNECTED(00000003)
140108247099296:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1519473350
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
Eugène Adell
vikas
  • Are you sure MySQL is listening on port 1234 with SSL activated? Test this server with an openssl command (openssl s_client -connect localhost:1234) to see if a handshake is happening. – Eugène Adell Feb 23 '18 at 13:02
  • I forgot to mention that I had done a port forwarding before trying to establish the JDBC connection. Port forwarding is working fine, as I was able to connect to the db earlier, when SSL was not imposed, using the same code. – vikas Feb 23 '18 at 17:33
  • You didn't test the command I suggested. – Eugène Adell Feb 23 '18 at 20:45
  • I guess you are forwarding "clear" traffic through JSCH, which is an SSH software, and you are on localhost from what I see in dbURL. And you believe this will turn it into SSL by some kind of magic? From my first comment, I really doubt you have an SSL MySQL listening. – Eugène Adell Feb 23 '18 at 20:46
  • Yes, sorry I could not test your command, as SSL was disabled before I checked your answer. However, when I run the command I get the following error (command output is added to the question summary). Also, could you please explain your previous comment further? – vikas Feb 24 '18 at 11:58
  • Between a Java client using a JDBC driver and a MySQL DB, you don't need any port forwarding. Particularly on a localhost. My question is, why are you using a port forwarding instead of a normal, direct connection? – Eugène Adell Feb 24 '18 at 20:29
  • Both the SSLException and the openssl output show that you're not talking with an SSL enabled server. You don't have any programming issue for now (though verifyServerCertificate could be set to false to ensure it will work in all cases), you have a configuration issue. – Eugène Adell Feb 24 '18 at 20:30
  • I had to do port forwarding as my DB server is in the cloud (Openstack) and I cannot directly connect to it. The way to connect to any instance in the cloud is through the Openstack jump host, which has an exposed public IP to connect to. So the way to connect was through port forwarding. So I did ssh to the Openstack jump host and forwarded port 1234 to the mysql port. So any request I make on localhost (jump host):1234 is going to mysql. – vikas Feb 27 '18 at 14:30
  • Why are you using JSCH, which is known for its many bugs, instead of a more reliable SSH client (openssh on Linux, putty on Windows)? – Eugène Adell Mar 02 '18 at 08:37
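
Added example (not part of the original question or its comments): MySQL and MariaDB negotiate TLS in-band, after a plaintext greeting whose capability flags say whether the server offers TLS at all. A TLS stack that reads such a plaintext packet as a record header sees version bytes 0.0, which is consistent with the `Unknown-0.0` in the exception above. The function names and the sample greeting below are constructed for illustration.

```python
import struct

CLIENT_SSL = 0x0800  # capability bit set by a MySQL/MariaDB server that offers TLS


def parse_greeting(data: bytes) -> dict:
    """Parse the plaintext protocol-10 greeting a MySQL server sends first."""
    if len(data) < 5:
        raise ValueError("short read: no MySQL packet header")
    length = int.from_bytes(data[0:3], "little")  # 3-byte little-endian payload length
    payload = data[4:4 + length]                  # data[3] is the sequence id
    if not payload or len(payload) < length:
        raise ValueError("empty or truncated packet")
    if payload[0] == 0xFF:
        raise ValueError("server sent an ERR packet instead of a greeting")
    if payload[0] != 10:
        raise ValueError("not a protocol-10 greeting")
    end = payload.index(b"\x00", 1)               # NUL-terminated server version
    pos = end + 1 + 4 + 8 + 1                     # skip conn id, auth data, filler
    if len(payload) < pos + 2:
        raise ValueError("greeting too short for capability flags")
    (caps_low,) = struct.unpack_from("<H", payload, pos)
    return {"server_version": payload[1:end].decode("ascii", "replace"),
            "tls_offered": bool(caps_low & CLIENT_SSL)}


def as_tls_record_header(data: bytes) -> dict:
    """Interpret the first 5 bytes as a TLS stack would: type, version, length."""
    ctype, major, minor, length = struct.unpack_from(">BBBH", data, 0)
    return {"content_type": ctype, "version": (major, minor), "length": length,
            "plausible_tls": ctype in (20, 21, 22, 23) and major == 3}


def build_greeting(version: str, caps_low: int) -> bytes:
    """Constructed sample greeting (not captured from a real server)."""
    payload = (b"\x0a" + version.encode("ascii") + b"\x00"
               + struct.pack("<I", 7) + b"A" * 8 + b"\x00"
               + struct.pack("<HBHH", caps_low, 0x21, 0x0002, 0x0000))
    return len(payload).to_bytes(3, "little") + b"\x00" + payload


if __name__ == "__main__":
    for caps in (0xF7FF, 0xFFFF):  # without and with the CLIENT_SSL bit
        pkt = build_greeting("10.1.0-constructed", caps)
        print(parse_greeting(pkt), as_tls_record_header(pkt))
```

Against a live endpoint, pass in the first bytes read from the forwarded port before any TLS is attempted. Newer OpenSSL releases also provide `openssl s_client -starttls mysql` for this in-band upgrade.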

3 Answers

1

There is no solution posted, so for anyone who is facing this issue:

We use MariaDB and have been facing this issue. After trying all things, upgrading the MariaDB Java client driver version to the latest solved the problem. Hope it helps.

A Baldino
0

Upgrade to JDK 8 at least u181. It works for me for a ReST connection showing the same error.

Florian
0

As other answers advised, I upgraded Java from 1.8.0_121 to 1.8.0_362 and the error changed, but I still had an SSL error.

I had to add ?useSSL=false&requireSSL=false to the jdbc URL to disable SSL.

aalku