Update for Bug#27102307 fix.
soklakov committed Sep 24, 2018
1 parent 8838bbc commit 66459e9
Showing 16 changed files with 306 additions and 242 deletions.
21 changes: 14 additions & 7 deletions src/main/core-api/java/com/mysql/cj/conf/PropertyDefinitions.java
Expand Up @@ -143,7 +143,11 @@ public enum ZeroDatetimeBehavior { // zeroDateTimeBehavior
CONVERT_TO_NULL, EXCEPTION, ROUND;
}

public enum SslMode { // xdevapi.ssl-mode
public enum SslMode {
PREFERRED, REQUIRED, VERIFY_CA, VERIFY_IDENTITY, DISABLED;
}

public enum XdevapiSslMode {
REQUIRED, VERIFY_CA, VERIFY_IDENTITY, DISABLED;
}

Expand All @@ -156,10 +160,6 @@ public enum AuthMech { // xdevapi.auth
*/
public static final Map<PropertyKey, PropertyDefinition<?>> PROPERTY_KEY_TO_PROPERTY_DEFINITION;

public static final String PNAME_DEPRECATED_useSSL = "useSSL";
public static final String PNAME_DEPRECATED_requireSSL = "requireSSL";
public static final String PNAME_DEPRECATED_verifyServerCertificate = "verifyServerCertificate";

static {
String STANDARD_LOGGER_NAME = StandardLogger.class.getName();

Expand Down Expand Up @@ -648,7 +648,14 @@ public enum AuthMech { // xdevapi.auth
new BooleanPropertyDefinition(PropertyKey.useReadAheadInput, DEFAULT_VALUE_TRUE, RUNTIME_MODIFIABLE,
Messages.getString("ConnectionProperties.useReadAheadInput"), "3.1.5", CATEGORY_PERFORMANCE, Integer.MIN_VALUE),

new EnumPropertyDefinition<>(PropertyKey.sslMode, SslMode.REQUIRED, RUNTIME_MODIFIABLE, Messages.getString("ConnectionProperties.sslMode"),
new BooleanPropertyDefinition(PropertyKey.useSSL, DEFAULT_VALUE_TRUE, RUNTIME_MODIFIABLE, Messages.getString("ConnectionProperties.useSSL"),
"3.0.2", CATEGORY_SECURITY, 2),
new BooleanPropertyDefinition(PropertyKey.requireSSL, DEFAULT_VALUE_FALSE, RUNTIME_MODIFIABLE,
Messages.getString("ConnectionProperties.requireSSL"), "3.1.0", CATEGORY_SECURITY, 3),
new BooleanPropertyDefinition(PropertyKey.verifyServerCertificate, DEFAULT_VALUE_FALSE, RUNTIME_MODIFIABLE,
Messages.getString("ConnectionProperties.verifyServerCertificate"), "5.1.6", CATEGORY_SECURITY, 4),

new EnumPropertyDefinition<>(PropertyKey.sslMode, SslMode.PREFERRED, RUNTIME_MODIFIABLE, Messages.getString("ConnectionProperties.sslMode"),
"8.0.13", CATEGORY_SECURITY, Integer.MIN_VALUE),

new BooleanPropertyDefinition(PropertyKey.useStreamLengthsInPrepStmts, DEFAULT_VALUE_TRUE, RUNTIME_MODIFIABLE,
Expand Down Expand Up @@ -703,7 +710,7 @@ public enum AuthMech { // xdevapi.auth

new BooleanPropertyDefinition(PropertyKey.xdevapiUseAsyncProtocol, DEFAULT_VALUE_FALSE, RUNTIME_NOT_MODIFIABLE,
Messages.getString("ConnectionProperties.useAsyncProtocol"), "6.0.0", CATEGORY_XDEVAPI, Integer.MIN_VALUE),
new EnumPropertyDefinition<>(PropertyKey.xdevapiSSLMode, SslMode.REQUIRED, RUNTIME_MODIFIABLE,
new EnumPropertyDefinition<>(PropertyKey.xdevapiSSLMode, XdevapiSslMode.REQUIRED, RUNTIME_MODIFIABLE,
Messages.getString("ConnectionProperties.xdevapiSslMode"), "8.0.7", CATEGORY_XDEVAPI, Integer.MIN_VALUE),
new StringPropertyDefinition(PropertyKey.xdevapiSSLTrustStoreUrl, DEFAULT_VALUE_NULL_STRING, RUNTIME_NOT_MODIFIABLE,
Messages.getString("ConnectionProperties.sslTrustStoreUrl"), "6.0.6", CATEGORY_XDEVAPI, Integer.MIN_VALUE),
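Review bot: The sslMode default moves from REQUIRED to PREFERRED in the EnumPropertyDefinition, and PREFERRED accepts a plaintext connection whenever the server greeting lacks CLIENT_SSL, so the new default is no longer a confidentiality guarantee; nothing at the definition says so. I'd put a comment directly above it: `// PREFERRED falls back to plaintext when the server advertises no CLIENT_SSL; an on-path attacker can force that by clearing the flag, so deployments needing confidentiality must set REQUIRED or stronger.` The reinstated useSSL/requireSSL/verifyServerCertificate entries are ordinary BooleanPropertyDefinitions whose only deprecation signal is the message text, so anything that enumerates properties will present them as current; if PropertyDefinition carries a deprecation marker, it belongs here. The static initializer these definitions live in starts and ends outside the hunk.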
3 changes: 3 additions & 0 deletions src/main/core-api/java/com/mysql/cj/conf/PropertyKey.java
Expand Up @@ -180,6 +180,7 @@ public enum PropertyKey {
reconnectAtTxEnd("reconnectAtTxEnd", true), //
replicationConnectionGroup("replicationConnectionGroup", true), //
reportMetricsIntervalMillis("reportMetricsIntervalMillis", true), //
requireSSL("requireSSL", true), //
resourceId("resourceId", true), //
resultSetSizeThreshold("resultSetSizeThreshold", true), //
retriesAllDown("retriesAllDown", true), //
Expand Down Expand Up @@ -229,9 +230,11 @@ public enum PropertyKey {
useOnlyServerErrorMessages("useOnlyServerErrorMessages", true), //
useReadAheadInput("useReadAheadInput", true), //
useServerPrepStmts("useServerPrepStmts", true), //
useSSL("useSSL", true), //
useStreamLengthsInPrepStmts("useStreamLengthsInPrepStmts", true), //
useUnbufferedInput("useUnbufferedInput", true), //
useUsageAdvisor("useUsageAdvisor", true), //
verifyServerCertificate("verifyServerCertificate", true), //

xdevapiAsyncResponseTimeout("xdevapi.asyncResponseTimeout", "xdevapiAsyncResponseTimeout", true), //
xdevapiAuth("xdevapi.auth", "xdevapiAuth", true), //
21 changes: 10 additions & 11 deletions src/main/core-impl/java/com/mysql/cj/conf/DefaultPropertySet.java
Expand Up @@ -199,23 +199,22 @@ public void initializeProperties(Properties props) {
}
}

// Translate legacy SSL properties if sslMode isn't explicitly set. Default sslMode is REQUIRED.
// Translate legacy SSL properties if sslMode isn't explicitly set. Default sslMode is PREFERRED.
RuntimeProperty<SslMode> sslMode = this.<SslMode> getEnumProperty(PropertyKey.sslMode);
if (!sslMode.isExplicitlySet()) {
String useSSL = infoCopy.getProperty(PropertyDefinitions.PNAME_DEPRECATED_useSSL);
if (useSSL != null && !BooleanPropertyDefinition.booleanFrom(PropertyDefinitions.PNAME_DEPRECATED_useSSL, useSSL, null)) {
sslMode.setValue(SslMode.DISABLED);
} else {
String verifyServerCertificate = infoCopy.getProperty(PropertyDefinitions.PNAME_DEPRECATED_verifyServerCertificate);
if (verifyServerCertificate != null && BooleanPropertyDefinition.booleanFrom(PropertyDefinitions.PNAME_DEPRECATED_verifyServerCertificate,
verifyServerCertificate, null)) {
RuntimeProperty<Boolean> useSSL = this.getBooleanProperty(PropertyKey.useSSL);
RuntimeProperty<Boolean> verifyServerCertificate = this.getBooleanProperty(PropertyKey.verifyServerCertificate);
RuntimeProperty<Boolean> requireSSL = this.getBooleanProperty(PropertyKey.requireSSL);
if (useSSL.isExplicitlySet() || verifyServerCertificate.isExplicitlySet() || requireSSL.isExplicitlySet()) {
if (!useSSL.getValue()) {
sslMode.setValue(SslMode.DISABLED);
} else if (verifyServerCertificate.getValue()) {
sslMode.setValue(SslMode.VERIFY_CA);
} else if (requireSSL.getValue()) {
sslMode.setValue(SslMode.REQUIRED);
}
}
}
infoCopy.remove(PropertyDefinitions.PNAME_DEPRECATED_useSSL);
infoCopy.remove(PropertyDefinitions.PNAME_DEPRECATED_requireSSL);
infoCopy.remove(PropertyDefinitions.PNAME_DEPRECATED_verifyServerCertificate);

// add user-defined properties
for (Object key : infoCopy.keySet()) {
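Review bot: An explicit `useSSL=true` with no other legacy property falls through all three branches of the new translation and lands on the PREFERRED default, which neither verifies the server certificate nor refuses a plaintext fallback; per the verifyServerCertificate description this same commit replaces, that configuration previously defaulted to certificate verification on 5.5.45+/5.6.26+/5.7.6+ servers, so existing URLs silently lose protection. The block should at least say so: `// useSSL=true alone maps to the PREFERRED default (no verification, plaintext fallback allowed), weaker than the pre-8.0.13 behaviour of useSSL=true against recent servers.` Logging a warning in that fall-through case would let operators notice the downgrade, assuming a logger is reachable from initializeProperties. The method starts and ends outside the hunk.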
Expand Up @@ -163,7 +163,7 @@ public void connect(ServerSession sessState, String user, String password, Strin

// check SSL availability
SslMode sslMode = this.propertySet.<SslMode> getEnumProperty(PropertyKey.sslMode).getValue();
if (((capabilityFlags & NativeServerSession.CLIENT_SSL) == 0) && sslMode != SslMode.DISABLED) {
if (((capabilityFlags & NativeServerSession.CLIENT_SSL) == 0) && sslMode != SslMode.DISABLED && sslMode != SslMode.PREFERRED) {
throw ExceptionFactory.createException(UnableToConnectException.class, Messages.getString("MysqlIO.15"), getExceptionInterceptor());
}

Expand Down Expand Up @@ -481,7 +481,8 @@ private void proceedHandshakeWithPluggableAuthentication(ServerSession sessState

sessState.setClientParam(clientParam);

if (this.propertySet.<SslMode> getEnumProperty(PropertyKey.sslMode).getValue() != SslMode.DISABLED) {
if (((serverCapabilities & NativeServerSession.CLIENT_SSL) != 0)
&& this.propertySet.<SslMode> getEnumProperty(PropertyKey.sslMode).getValue() != SslMode.DISABLED) {
negotiateSSLConnection(packLength);
}

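Review bot: With PREFERRED the driver now continues in cleartext whenever CLIENT_SSL is missing from capabilityFlags, and those flags come from the server's unauthenticated greeting, so an on-path attacker who clears the bit downgrades the session with no error and no log line. The fallback should at least be visible: in the `check SSL availability` branch, ahead of the throw, something like `if (sslMode == SslMode.PREFERRED) { /* warn via this class's logger: server offered no SSL, continuing unencrypted */ }`, and the second guard deserves a comment `// only negotiate when the server advertised CLIENT_SSL; REQUIRED and stronger were already rejected above`. Both enclosing methods, connect and proceedHandshakeWithPluggableAuthentication, start and end outside the hunks.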
Expand Up @@ -48,6 +48,7 @@
import com.mysql.cj.conf.HostInfo;
import com.mysql.cj.conf.PropertyDefinitions;
import com.mysql.cj.conf.PropertyDefinitions.SslMode;
import com.mysql.cj.conf.PropertyDefinitions.XdevapiSslMode;
import com.mysql.cj.conf.PropertyKey;
import com.mysql.cj.conf.PropertySet;
import com.mysql.cj.conf.RuntimeProperty;
Expand Down Expand Up @@ -230,9 +231,9 @@ public void beforeHandshake() {
this.serverSession.setCapabilities(readServerCapabilities());

// Override common SSL properties with xdevapi ones to provide unified logic in ExportControlled via common SSL properties
RuntimeProperty<SslMode> xdevapiSslMode = this.propertySet.<SslMode> getEnumProperty(PropertyKey.xdevapiSSLMode);
RuntimeProperty<XdevapiSslMode> xdevapiSslMode = this.propertySet.<XdevapiSslMode> getEnumProperty(PropertyKey.xdevapiSSLMode);
if (xdevapiSslMode.isExplicitlySet()) {
this.propertySet.<SslMode> getEnumProperty(PropertyKey.sslMode).setValue(xdevapiSslMode.getValue());
this.propertySet.<SslMode> getEnumProperty(PropertyKey.sslMode).setValue(SslMode.valueOf(xdevapiSslMode.getValue().toString()));
}
RuntimeProperty<String> sslTrustStoreUrl = this.propertySet.getStringProperty(PropertyKey.xdevapiSSLTrustStoreUrl);
if (sslTrustStoreUrl.isExplicitlySet()) {
Expand All @@ -250,6 +251,11 @@ public void beforeHandshake() {
// TODO WL#9925 will redefine other SSL connection properties for X Protocol

RuntimeProperty<SslMode> sslMode = this.propertySet.<SslMode> getEnumProperty(PropertyKey.sslMode);

if (sslMode.getValue() == SslMode.PREFERRED) { // PREFERRED mode is not applicable to X Protocol
sslMode.setValue(SslMode.REQUIRED);
}

boolean verifyServerCert = sslMode.getValue() == SslMode.VERIFY_CA || sslMode.getValue() == SslMode.VERIFY_IDENTITY;
String trustStoreUrl = this.propertySet.getStringProperty(PropertyKey.trustCertificateKeyStoreUrl).getValue();

Expand All @@ -262,7 +268,7 @@ public void beforeHandshake() {
throw new CJCommunicationsException(msg.toString());
}

if (xdevapiSslMode.getValue() != SslMode.DISABLED) {
if (xdevapiSslMode.getValue() != XdevapiSslMode.DISABLED) {
negotiateSSLConnection(0);
}
}
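Review bot: The final guard still tests `xdevapiSslMode.getValue()`, which is the REQUIRED default whenever xdevapi.ssl-mode is not set, so a user who configures only `sslMode=DISABLED` still reaches negotiateSSLConnection although the effective mode computed a few lines earlier is DISABLED; unless xdevapiSSLMode is populated from sslMode somewhere outside this hunk, the check should be `if (sslMode.getValue() != SslMode.DISABLED) {` so it also follows the PREFERRED-to-REQUIRED normalisation done just above. Separately, `SslMode.valueOf(xdevapiSslMode.getValue().toString())` depends on toString() spelling the constant name; `.name()` is the guaranteed form and survives a future toString override. beforeHandshake starts outside the hunk.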
Expand Up @@ -209,7 +209,7 @@ MysqlDataSource.0=Can not load Driver class com.mysql.cj.jdbc.Driver
MysqlDataSource.BadUrl=Failed to get a connection using the URL ''{0}''.
MysqlDataSourceFactory.0=Unable to create DataSource of class ''{0}'', reason: {1}

MysqlIO.15=SSL Connection required, but not supported by server.
MysqlIO.15=SSL Connection required, but not provided by server.
MysqlIO.17=Attempt to close streaming result set
MysqlIO.18=\ when no streaming result set was registered. This is an internal error.
MysqlIO.19=Attempt to close streaming result set
Expand Down Expand Up @@ -815,7 +815,7 @@ ConnectionProperties.connectionPropertiesTransform=An implementation of com.mysq
ConnectionProperties.queriesBeforeRetryMaster=Number of queries to issue before falling back to the primary host when failed over (when using multi-host failover). Whichever condition is met first, 'queriesBeforeRetryMaster' or 'secondsBeforeRetryMaster' will cause an attempt to be made to reconnect to the primary host. Setting both properties to 0 disables the automatic fall back to the primary host at transaction boundaries. Defaults to 50.
ConnectionProperties.reconnectAtTxEnd=If autoReconnect is set to true, should the driver attempt reconnections at the end of every transaction?
ConnectionProperties.reportMetricsIntervalMillis=If 'gatherPerfMetrics' is enabled, how often should they be logged (in ms)?
ConnectionProperties.requireSSL=Require server support of SSL connection if useSSL=true? (defaults to 'false').
ConnectionProperties.requireSSL=For 8.0.12 and earlier: Require server support of SSL connection if useSSL=true? (defaults to 'false'). For 8.0.13 and later: DEPRECATED. See sslMode property description for details.
ConnectionProperties.resourceId=A globally unique name that identifies the resource that this datasource or connection is connected to, used for XAResource.isSameRM() when the driver can't determine this value based on hostnames used in the URL
ConnectionProperties.resultSetSizeThreshold=If the usage advisor is enabled, how many rows should a result set contain before the driver warns that it is suspiciously large?
ConnectionProperties.retriesAllDown=When using loadbalancing or failover, the number of times the driver should cycle through available hosts, attempting to connect. Between cycles, the driver will pause for 250ms if no servers are available.
Expand Down Expand Up @@ -856,13 +856,13 @@ ConnectionProperties.useOldAliasMetadataBehavior=Should the driver use the legac
ConnectionProperties.useOnlyServerErrorMessages=Don't prepend 'standard' SQLState error messages to error messages returned by the server.
ConnectionProperties.useReadAheadInput=Use newer, optimized non-blocking, buffered input stream when reading from the server?
ConnectionProperties.useSqlStateCodes=Use SQL Standard state codes instead of 'legacy' X/Open/SQL state codes (true/false), default is 'true'
ConnectionProperties.useSSL=Use SSL when communicating with the server (true/false), default is 'true' when connecting to MySQL 5.5.45+, 5.6.26+ or 5.7.6+, otherwise default is 'false'
ConnectionProperties.useSSL=For 8.0.12 and earlier: Use SSL when communicating with the server (true/false), default is 'true' when connecting to MySQL 5.5.45+, 5.6.26+ or 5.7.6+, otherwise default is 'false'. For 8.0.13 and later: DEPRECATED. See sslMode property description for details.
ConnectionProperties.useSSPSCompatibleTimezoneShift=If migrating from an environment that was using server-side prepared statements, and the configuration property "useJDBCCompliantTimeZoneShift" set to "true", use compatible behavior when not using server-side prepared statements when sending TIMESTAMP values to the MySQL server.
ConnectionProperties.useStreamLengthsInPrepStmts=Honor stream length parameter in PreparedStatement/ResultSet.setXXXStream() method calls (true/false, defaults to 'true')?
ConnectionProperties.ultraDevHack=Create PreparedStatements for prepareCall() when required, because UltraDev is broken and issues a prepareCall() for _all_ statements? (true/false, defaults to 'false')
ConnectionProperties.useUnbufferedInput=Don't use BufferedInputStream for reading data from the server
ConnectionProperties.useUsageAdvisor=Should the driver issue 'usage' warnings advising proper and efficient usage of JDBC and MySQL Connector/J to the log (true/false, defaults to 'false')?
ConnectionProperties.verifyServerCertificate=If "useSSL" is set to "true", should the driver verify the server's certificate? When using this feature, the keystore parameters should be specified by the "clientCertificateKeyStore*" properties, rather than system properties. Default is 'false' when connecting to MySQL 5.5.45+, 5.6.26+ or 5.7.6+ and "useSSL" was not explicitly set to "true". Otherwise default is 'true'
ConnectionProperties.verifyServerCertificate=For 8.0.12 and earlier: If "useSSL" is set to "true", should the driver verify the server's certificate? When using this feature, the keystore parameters should be specified by the "clientCertificateKeyStore*" properties, rather than system properties. Default is 'false' when connecting to MySQL 5.5.45+, 5.6.26+ or 5.7.6+ and "useSSL" was not explicitly set to "true". Otherwise default is 'true'. For 8.0.13 and later: DEPRECATED. See sslMode property description for details.
ConnectionProperties.yearIsDateType=Should the JDBC driver treat the MySQL type "YEAR" as a java.sql.Date, or as a SHORT?
ConnectionProperties.zeroDateTimeBehavior=What should happen when the driver encounters DATETIME values that are composed entirely of zeros (used by MySQL to represent invalid dates)? Valid values are \"{0}\", \"{1}\" and \"{2}\".
ConnectionProperties.clientCertificateKeyStoreUrl=URL to the client certificate KeyStore (if not specified, use defaults)
Expand Down Expand Up @@ -898,10 +898,10 @@ ConnectionProperties.enabledTLSProtocols=If "useSSL" is set to "true", overrides
ConnectionProperties.enableEscapeProcessing=Sets the default escape processing behavior for Statement objects. The method Statement.setEscapeProcessing() can be used to specify the escape processing behavior for an individual Statement object. Default escape processing behavior in prepared statements must be defined with the property 'processEscapeCodesForPrepStmts'.
ConnectionProperties.replicationConnectionGroup=Logical group of replication connections within a classloader, used to manage different groups independently. If not specified, live management of replication connections is disabled.

ConnectionProperties.sslMode=By default the network connections are SSL encrypted. this property permits secure connections to be turned off, or a different levels of security be chosen. The following values are allowed: DISABLED - Establish unencrypted connections; REQUIRED - (default) Establish secure connections if the server supports them, fails otherwise; VERIFY_CA - Like REQUIRED but additionally verify the server TLS certificate against the configured Certificate Authority (CA) certificates; VERIFY_IDENTITY - Like VERIFY_CA, but additionally verify that the server certificate matches the host to which the connection is attempted. This property replaced "useSSL", "requireSSL" and "verifyServerCertificate" legacy properties. They are still accepted but translated into "sslMode" if "sslMode" is not explicitly set. Previous default values for these properties are changed to match default sslMode=REQUIRED: useSSL=true, requireSSL=true, verifyServerCertificate=false.
ConnectionProperties.sslMode=By default, network connections are SSL encrypted; this property permits secure connections to be turned off, or a different levels of security to be chosen. The following values are allowed: DISABLED - Establish unencrypted connections; PREFERRED - (default) Establish encrypted connections if the server enabled them, otherwise fall back to unencrypted connections; REQUIRED - Establish secure connections if the server enabled them, fail otherwise; VERIFY_CA - Like REQUIRED but additionally verify the server TLS certificate against the configured Certificate Authority (CA) certificates; VERIFY_IDENTITY - Like VERIFY_CA, but additionally verify that the server certificate matches the host to which the connection is attempted. This property replaced the deprecated legacy properties "useSSL", "requireSSL" and "verifyServerCertificate", which are still accepted but translated into a value for "sslMode" if "sslMode" is not explicitly set. In 8.0.13 and later, legacy properties have server version independent default values useSSL=true, requireSSL=false and verifyServerCertificate=false, aligned to the default PREFERRED sslMode. Possible legacy to "sslMode" mappings are: sslMode=DISABLED is equivalent to useSSL=false regardless of requireSSL and verifyServerCertificate; sslMode=PREFERRED is equivalent to useSSL=true, requireSSL=false and verifyServerCertificate=false; sslMode=REQUIRED is equivalent to useSSL=true, requireSSL=true, and verifyServerCertificate=false; sslMode=VERIFY_CA is equivalent to useSSL=true and verifyServerCertificate=true regardless of requireSSL; sslMode=VERIFY_IDENTITY has no equivalence.

ConnectionProperties.useAsyncProtocol=Use asynchronous variant of X Protocol
ConnectionProperties.xdevapiSslMode=X DevAPI-specific sslMode setting. If not specified, use sslMode value.
ConnectionProperties.xdevapiSslMode=X DevAPI-specific sslMode setting. If not specified, use sslMode value. Please note, that PREFERRED mode is not applicable to X Protocol and replaced with REQUIRED.
ConnectionProperties.sslTrustStoreUrl=X DevAPI-specific URL to the trusted CA certificates key store. If not specified, use trustCertificateKeyStoreUrl value.
ConnectionProperties.sslTrustStoreType=X DevAPI-specific type of the trusted CA certificates key store. If not specified, use trustCertificateKeyStoreType value.
ConnectionProperties.sslTrustStorePassword=X DevAPI-specific password for the trusted CA certificates key store. If not specified, use trustCertificateKeyStorePassword value.
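Review bot: The new sslMode description opens with "By default, network connections are SSL encrypted", yet the PREFERRED default it introduces two clauses later falls back to unencrypted connections whenever the server does not enable TLS, so the first sentence promises more than the default delivers. I'd reword it to `By default the driver attempts an SSL-encrypted connection and falls back to plaintext if the server does not offer one (sslMode=PREFERRED); this property permits...` and say explicitly that only REQUIRED and stronger refuse that fallback, since that is the choice a security-conscious operator needs to make. The xdevapiSslMode entry could also drop the stray comma: `Please note that PREFERRED mode is not applicable to X Protocol and is replaced with REQUIRED.`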