[QUESTION] Why is the trustStoreType=Windows-ROOT connection string parameter required? #2691

Open
@rgl

Question

Why is the trustStoreType=Windows-ROOT (to make it use the Windows certificate trust store) connection string parameter required?

With com.microsoft.sqlserver:mssql-jdbc:12.2.0.jre11, the following connection string and JVM invocation work successfully:

# connection string: jdbc:sqlserver://MSSQL:1433;database=master;user=alice.doe;password=my-password;encrypt=strict
# jvm invocation:
java `
    "-Djava.library.path=$jdbcAuthPath\x64" `
    -Djavax.net.ssl.trustStoreType=Windows-ROOT `
    -jar build/libs/example-1.0.0-all.jar

But in com.microsoft.sqlserver:mssql-jdbc:12.4.2.jre11 (or above) it fails with:

Exception in thread "main" com.microsoft.sqlserver.jdbc.SQLServerException: "encrypt" property is set to "strict" and "trustServerCertificate" property is set to "false" but the driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption: Error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

Unless I add ;trustStoreType=Windows-ROOT to the connection string (like I did in my example).

Why do I need to do that? Shouldn't the driver try to populate it from the javax.net.ssl.trustStoreType system property?
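A workaround sketch for the behaviour described in the post above, as an added example that is not part of the original issue or of the driver's code: it copies the `javax.net.ssl.trustStoreType` system property into the connection string and reports how many entries that store type exposes, so an empty store can be ruled out as the cause of the PKIX error. The class and method names are hypothetical, and the URL is the one from the post with the credentials left out.

```java
import java.security.KeyStore;
import java.util.Locale;

// Added example: names are hypothetical, not part of mssql-jdbc.
public class TrustStoreTypeCheck {

    // Returns the URL with ;trustStoreType=<type> appended, unless the
    // property is unset or the URL already carries that parameter.
    static String withTrustStoreType(String url, String type) {
        if (type == null || type.isBlank()) {
            return url;
        }
        if (url.toLowerCase(Locale.ROOT).contains(";truststoretype=")) {
            return url;
        }
        String separator = url.endsWith(";") ? "" : ";";
        return url + separator + "trustStoreType=" + type;
    }

    // Number of entries the JVM can read from a file-less store type such as
    // Windows-ROOT. Throws KeyStoreException if the type is not available,
    // for example on a non-Windows JVM.
    static int storeEntryCount(String type) throws Exception {
        KeyStore store = KeyStore.getInstance(type);
        store.load(null, null); // Windows-ROOT takes no stream and no password
        return store.size();
    }

    public static void main(String[] args) throws Exception {
        // Set with -Djavax.net.ssl.trustStoreType=Windows-ROOT, as in the post.
        String type = System.getProperty("javax.net.ssl.trustStoreType");

        // Constructed URL based on the post; user and password omitted.
        String url = withTrustStoreType(
                "jdbc:sqlserver://MSSQL:1433;database=master;encrypt=strict", type);
        System.out.println("connection string: " + url);

        if (type != null && !type.isBlank()) {
            System.out.println(type + " entries visible to this JVM: "
                    + storeEntryCount(type));
        } else {
            System.out.println("javax.net.ssl.trustStoreType is not set");
        }
    }
}
```

A count of zero means the JVM reads no certificates from that store, in which case certificate path building would fail regardless of how the store type is passed to the driver.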

Labels

Waiting for Response: Waiting for a reply from the original poster, or affiliated party
