[CONJ-422] add documentation and better error description

mariadb-corporation · Jun 28, 2017 · 3d0b8c3 · 3d0b8c3
1 parent 9a1f375
commit 3d0b8c3
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 3 deletions.
diff --git a/documentation/changelog.creole b/documentation/changelog.creole
@@ -1,4 +1,5 @@
 = Changelog
+* [[https://github.com/MariaDB/mariadb-connector-j/documentation/changelog.creole#210|2.1.0]] Not released
 * [[https://github.com/MariaDB/mariadb-connector-j/documentation/changelog.creole#202|2.0.2]] Released on 05 Jun. 2017
 * [[https://github.com/MariaDB/mariadb-connector-j/documentation/changelog.creole#161|1.6.1]] Released on 05 Jun. 2017
 * [[https://github.com/MariaDB/mariadb-connector-j/documentation/changelog.creole#201|2.0.1]] Released on 10 May  2017
@@ -23,6 +24,17 @@
 * [[https://github.com/MariaDB/mariadb-connector-j/documentation/changelog.creole#140|1.4.0]] Released on 31 march 2016
 
 ---
+== 2.1.0
+
+=== CONJ-422 : verification of SSL Certificate Name Mismatch
+When using ssl, driver check hostname against the server's identity as presented in the server's Certificate (checking alternative names or certificate CN) to prevent man-in-the-middle attack.
+
+A new option "disableSslHostnameVerification" permit to deactivate this validation.
+|=disableSslHostnameVerification| When using ssl, driver check hostname against the server's identity as presented in the server's Certificate (checking alternative names or certificate CN) to prevent man-in-the-middle attack. This option permit to deactivate this validation.\\//Default: false. Since 2.1.0//
+
+
+
+
 == 1.6.1
 report of 2.0.2 corrections for jre 1.7 compatible version.
 

diff --git a/documentation/use-mariadb-connector-j-driver.creole b/documentation/use-mariadb-connector-j-driver.creole
@@ -152,6 +152,7 @@ The following options are currently supported.
 |=useBatchMultiSendNumber| When option useBatchMultiSend is active, indicate the maximum query send in a row before reading results.\\//Default: 100. Since 1.5.0//|
 |=connectionAttributes| When performance_schema is active, permit to send server some client information in a key;value pair format (example: connectionAttributes=key1:value1,key2,value2).\\Those informations can be retrieved on server within tables performance_schema.session_connect_attrs and performance_schema.session_account_connect_attrs.\\This can permit from server an identification of client/application\\//Since 1.4.0//|
 |=continueBatchOnError| When executing batch queries, must batch continue on error and throw exception when ended, or stop immediately \\//Default: true. Since 1.4.0//
+|=disableSslHostnameVerification| When using ssl, driver check hostname against the server's identity as presented in the server's Certificate (checking alternative names or certificate CN) to prevent man-in-the-middle attack. This option permit to deactivate this validation.\\//Default: false. Since 2.1.0//
 
 
 \\\\

diff --git a/src/main/java/org/mariadb/jdbc/internal/protocol/AbstractConnectProtocol.java b/src/main/java/org/mariadb/jdbc/internal/protocol/AbstractConnectProtocol.java
@@ -707,7 +707,9 @@ private void handleConnectionPhases(String host) throws SQLException {
                             X509Certificate cert = (X509Certificate) certs[0];
                             hostnameVerifier.verify(host, cert);
                         } catch (SSLException ex) {
-                            throw new SQLNonTransientConnectionException(ex.getMessage(), "08006");
+                            throw new SQLNonTransientConnectionException(ex.getMessage()
+                                    + "\nThis verification can be disable using the option \"disableSslHostnameVerification\" "
+                                    + "but won't prevent man-in-the-middle attacks anymore", "08006");
                         }
                     }
                 }

diff --git a/src/main/java/org/mariadb/jdbc/internal/util/DefaultOptions.java b/src/main/java/org/mariadb/jdbc/internal/util/DefaultOptions.java
@@ -445,8 +445,8 @@ public enum DefaultOptions {
     ENABLE_PACKET_DEBUG("enablePacketDebug", Boolean.FALSE, "1.6.0"),
 
     /**
-     * Since 2.1.0, the client check hostname against the server's identity as presented in the server's Certificate
-     * message, in order to prevent man-in-the-middle attack.
+     * When using ssl, driver check hostname against the server's identity as presented in the server's Certificate
+     * (checking alternative names or certificate CN) to prevent man-in-the-middle attack.
      *
      * This option permit to deactivate this validation.
      */