this will be extremely detailed as I can’t solve this problem. I have a website developed with java servlet and jdbc, whose connection method is:
private static synchronized Connection createDBConnection() throws SQLException {
Connection newConnection = null;
String ip = "localhost";
String port = "3306";
String db = "bookscape";
String username = "root";
String password = "password";
String truststorePath = "/opt/jdk-21.0.3/lib/security/cacerts";
String truststorePassword = "changeit";
System.setProperty("javax.net.ssl.trustStore", truststorePath);
System.setProperty("javax.net.ssl.trustStorePassword", truststorePassword);
newConnection = DriverManager.getConnection(
"jdbc:mysql://" + ip + ":" + port + "/" + db +
"? useUnicode=true&useJDBCCompliantTimezoneShift=true&useLegacyDatetimeCode=false&serverTimezone=Europe/Rome&useSSL=true&verifyServerCertificate=true&enabledTLSProtocols=TLSv1.2&requireSSL=true",
username, password
);
newConnection.setAutoCommit(true);
// verify if ssl is used
try (Statement stmt = newConnection.createStatement();
ResultSet rs = stmt.executeQuery("SHOW SESSION STATUS LIKE 'Ssl_cipher'")){
if (rs.next()) {
String sslCipher = rs.getString("Value");
if (sslCipher != null && !sslCipher.isEmpty()) {
System.out.println("SSL è attivo. Cifrario SSL utilizzato: " + sslCipher);
} else {
System.out.println("SSL non è attivo.");
}
}
} catch (SQLException e) {
System.err.println("Errore durante la verifica dell'SSL: " + e.getMessage());
}
return newConnection;
}
I configured the mysql server 50-server.cnf configuration file with:
ssl-ca = /etc/mysql/certs/ca-cert.pem
ssl-cert = /etc/mysql/certs/server-cert.pem
ssl-key = /etc/mysql/certs/server-key.pem
require-secure-transport = on
ssl-cipher=TLSv1.2`
and 50-client.cnf con:
[client]
ssl-ca = /etc/mysql/certs/ca-cert.pem
ssl-cert = /etc/mysql/certs/client-cert.pem
ssl-key = /etc/mysql/certs/client-key.pem
ssl-verify-server-cert = on
the certificates are all in mysql/certs, I also added them to the default java truststore (cacerts). Now, if I start tomcat, the site works and if I look in catalina.out, I see from the logs that the encryption is happening (console.log in the java code). So everything’s fine, right? ssl configured well and in use, no problems. If instead I try to access mysql from the terminal I get: ERROR 2026 (HY000): TLS/SSL error: Validation of SSL server certificate failed. Why? what’s the reason?
further context, in ~/.bashrc I added:
export CATALINA_HOME=/opt/apache-tomcat-9.0.91
export PATH=$PATH:$CATALINA_HOME/bin
export JAVA_HOME=/opt/jdk-21.0.3
export PATH=$PATH:$JAVA_HOME/bin
export JAVA_OPTS="$JAVA_OPTS -Djava.library.path=/usr/local/apr/lib"
export JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/opt/jdk-21.0.3/lib/security/cacerts
-Djavax.net.ssl.trustStorePassword=changeit"
also, the tomcat server and mariadb are running on the same machine (raspberry pi 4)
I tried to check the certificates, everything was ok (on the other hand the connection from Java works as expected), I tried to change permissions, but there was nothing to do there either, I checked in the truststore and the certificates are all there.
Marco Renella is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.