我试图连接到我在luther:3306收听的MySQL实例。我跟着these instructions关于如何在Ubuntu上为MySQL实例设置SSL,它运行良好。当我提供用户名,密码,SSL密钥,SSL证书和SSL CA时,我可以通过GUI(MySQL Workbench)与用户luther:3306连接ford没问题。
现在,我尝试通过Java应用程序进行连接,并且我在向Java提供正确的证书方面遇到了问题。这是代码:
System.setProperty("javax.net.ssl.keyStore","C:/Program Files/Java/jre1.8.0_45/bin/cacerts");
System.setProperty("javax.net.ssl.keyStorePassword","changeit");
System.setProperty("javax.net.ssl.trustStore","C:/Program Files/Java/jre1.8.0_45/bin/cacerts");
System.setProperty("javax.net.ssl.trustStorePassword","changeit");
System.setProperty("javax.net.debug", "SSL");
// Create the DB connection
try {
String connectionUrl = "jdbc:mysql://luther/ford";
Properties dbProps = new Properties();
dbProps.setProperty("user", "ford");
dbProps.setProperty("password", "<password>");
dbProps.setProperty("useSSL", "true");
dbProps.setProperty("requreSSL", "true");
dbConnection = DriverManager.getConnection(connectionUrl, dbProps);
log.info("Connected to DB? " + dbConnection.isValid(5000));
} catch (SQLException e) {
log.fatal("Unable to connect to DB!");
e.printStackTrace();
return;
}
以下是CA证书文件的内容:
C:\Program Files\Java\jre1.8.0_45\bin>keytool -keystore cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
mysqlcacert, Jan 20, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 71:92:DA:13:02:57:64:49:3D:72:A0:40:1B:B8:55:42:7D:21:0A:CF
mysqlclientcert, Jan 20, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): A1:F5:5A:DB:31:78:D9:3C:F7:D7:C6:28:77:AB:DF:0A:58:CC:EA:A7
它表明我有我的CA证书和我的客户证书。这是我运行Java程序时遇到的顶级异常:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
at org.jsoup.helper.HttpConnection$Response.execute(HttpConnection.java:512)
at org.jsoup.helper.HttpConnection$Response.execute(HttpConnection.java:493)
at org.jsoup.helper.HttpConnection.execute(HttpConnection.java:205)
at org.jsoup.helper.HttpConnection.get(HttpConnection.java:194)
我是否还需要将我的CA密钥或客户端密钥添加到密钥库中?
答案 0 :(得分:0)
首先,我假设您已按照以下说明创建了密钥: https://dev.mysql.com/doc/refman/5.6/en/creating-ssl-files-using-openssl.html
我假设您已使用以下说明正确配置了服务器: https://dev.mysql.com/doc/refman/5.6/en/using-encrypted-connections.html
(对于那些无法生成密钥的人,可以使用CYGWIN for windows,并将OpenSSL作为软件包下载)
现在,具体来说:没有必要从Java密钥库中搞乱CACerts(不好的做法)。而是在java连接字符串的末尾使用以下参数:
https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html
...?useSSL=true&clientCertificateKeyStoreUrl=file://path_to_truststore_file&clientCertificateKeyStorePassword=mypassword
另外,请确保正确导入证书。经过大量研究后我自己遵循了这些说明(我按照说明书的推荐将它们导入了一个单独的密钥库)
https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using-ssl.html
这让我联系起来。我现在遇到其他问题,但这应该可以解决你的问题。
修改 我还必须添加以下内容:
trustCertificateKeyStoreUrl=file://path_to_truststore_file&trustCertificateKeyStorePassword=mypassword