Introduction
Understanding the meaning of sslMode among the connection properties used when connecting to MySQL from Java
Versions
Driver version
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>8.0.29</version>
</dependency>
Server version
Database Version: 8.0.35
SSL parameters: meaning and defaults
No. | Property | Default | Meaning |
---|---|---|---|
1 | sslMode | PREFERRED | By default, network connections are SSL encrypted; this property permits secure connections to be turned off, or a different level of security to be chosen. |
2 | useSSL | true | Use SSL when communicating with the server (true/false) |
3 | requireSSL | false | Require server support of SSL connection if useSSL=true |
4 | verifyServerCertificate | false | If useSSL is set to true, should the driver verify the server's certificate? |
/ | / | / | / |
1 | trustCertificateKeyStoreType | JKS | Key store type for trusted root certificates. |
2 | trustCertificateKeyStoreUrl | / | URL for the trusted root certificates key store. If not specified, the property fallbackToSystemTrustStore determines whether the system-wide trust store is used. |
3 | trustCertificateKeyStorePassword | / | Password for the trusted root certificates key store. |
4 | fallbackToSystemKeyStore | true | Whether the absence of a value for clientCertificateKeyStoreUrl falls back to using the system-wide key store defined through the javax.net.ssl.keyStore* system properties. |
/ | / | / | / |
1 | clientCertificateKeyStoreType | JKS | Key store type for client certificates. Standard key store types supported by the JVM are JKS and PKCS12. |
2 | clientCertificateKeyStoreUrl | / | URL for the client certificate KeyStore. If not specified, the property fallbackToSystemKeyStore determines whether the system-wide key store is used. |
3 | clientCertificateKeyStorePassword | / | Password for the client certificate key store. |
4 | fallbackToSystemKeyStore | true | Whether the absence of a value for clientCertificateKeyStoreUrl falls back to using the system-wide key store defined through the javax.net.ssl.keyStore* system properties. |
Mapping between sslMode and the legacy properties
sslMode | Meaning | useSSL | requireSSL | verifyServerCertificate |
---|---|---|---|---|
DISABLED | Disabled: establish unencrypted connections | false | | |
PREFERRED | Preferred (default): establish encrypted connections if the server enabled them, otherwise fall back to unencrypted connections | true | false | false |
REQUIRED | Required: establish secure connections if the server enabled them, fail otherwise | true | true | false |
VERIFY_CA | Verify CA: like REQUIRED, but additionally verify the server TLS certificate against the configured Certificate Authority (CA) certificates | true | true | true |
VERIFY_IDENTITY | Verify identity: like VERIFY_CA, but additionally verify that the server certificate matches the host to which the connection is attempted | no legacy equivalent | | |
Detailed meanings (driver property descriptions)
sslMode
By default, network connections are SSL encrypted; this property permits secure connections to be turned off, or a different level of security to be chosen.
The following values are allowed:
"DISABLED" - Establish unencrypted connections;
"PREFERRED" - (default) Establish encrypted connections if the server enabled them, otherwise fall back to unencrypted connections;
"REQUIRED" - Establish secure connections if the server enabled them, fail otherwise;
"VERIFY_CA" - Like "REQUIRED" but additionally verify the server TLS certificate against the configured Certificate Authority (CA) certificates;
"VERIFY_IDENTITY" - Like "VERIFY_CA", but additionally verify that the server certificate matches the host to which the connection is attempted.
This property replaced the deprecated legacy properties "useSSL", "requireSSL", and "verifyServerCertificate", which are still accepted but translated into a value for "sslMode" if "sslMode" is not explicitly set:
"useSSL=false" is translated to "sslMode=DISABLED";
{"useSSL=true", "requireSSL=false", "verifyServerCertificate=false"} is translated to "sslMode=PREFERRED";
{"useSSL=true", "requireSSL=true", "verifyServerCertificate=false"} is translated to "sslMode=REQUIRED";
{"useSSL=true" AND "verifyServerCertificate=true"} is translated to "sslMode=VERIFY_CA".
There are no equivalent legacy settings for "sslMode=VERIFY_IDENTITY".
Note that, for ALL server versions, the default setting of "sslMode" is "PREFERRED", and it is equivalent to the legacy settings of "useSSL=true", "requireSSL=false", and "verifyServerCertificate=false", which are different from their default settings for Connector/J 8.0.12 and earlier in some situations. Applications that continue to use the legacy properties and rely on their old default settings should be reviewed.
The legacy properties are ignored if "sslMode" is set explicitly. If neither "sslMode" nor "useSSL" is set explicitly, the default setting of "sslMode=PREFERRED" applies.
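The mapping table and the translation rules above, as an added example (this is not Connector/J's own code, and the translation logic is my reading of the quoted description, not the driver's implementation): a small Java class that computes the effective sslMode from a Properties object so existing legacy settings can be audited, refuses to open a connection unless the effective mode actually verifies the server certificate (only VERIFY_CA and VERIFY_IDENTITY do; PREFERRED and REQUIRED encrypt but do not verify the server certificate), and builds a VERIFY_IDENTITY property set with an explicit trust store. The class name, the trust store path, the trust store password, the JDBC URL and the credentials are placeholders.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

/**
 * Added example, not Connector/J code: audit the effective sslMode of a
 * property set and build a hardened property set for server verification.
 */
public class SslModeAudit {

    /**
     * Effective sslMode according to the translation rules quoted on the page
     * (my reading of the description, not the driver's implementation).
     */
    public static String effectiveSslMode(Properties p) {
        String explicit = p.getProperty("sslMode");
        if (explicit != null && !explicit.isEmpty()) {
            // An explicit sslMode wins; the legacy properties are ignored.
            return explicit.toUpperCase();
        }
        String useSsl = p.getProperty("useSSL");
        if (useSsl == null) {
            // Neither sslMode nor useSSL set: the default PREFERRED applies.
            return "PREFERRED";
        }
        if (!Boolean.parseBoolean(useSsl)) {
            // useSSL=false -> sslMode=DISABLED
            return "DISABLED";
        }
        boolean verify = Boolean.parseBoolean(p.getProperty("verifyServerCertificate", "false"));
        boolean require = Boolean.parseBoolean(p.getProperty("requireSSL", "false"));
        if (verify) {
            // useSSL=true AND verifyServerCertificate=true -> VERIFY_CA
            return "VERIFY_CA";
        }
        // useSSL=true, verifyServerCertificate=false: requireSSL decides
        return require ? "REQUIRED" : "PREFERRED";
    }

    /** Only these two modes check the server certificate at all. */
    public static boolean verifiesServer(String sslMode) {
        return sslMode.equals("VERIFY_CA") || sslMode.equals("VERIFY_IDENTITY");
    }

    /**
     * Property set for a connection that authenticates the server by CA and
     * host name. Trust store URL and password are placeholders.
     */
    public static Properties hardenedProperties(String user, String password) {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", password);
        p.setProperty("sslMode", "VERIFY_IDENTITY");
        // Placeholder path: a JKS trust store holding the server CA certificate.
        p.setProperty("trustCertificateKeyStoreUrl", "file:/etc/app/mysql-ca-truststore.jks");
        p.setProperty("trustCertificateKeyStoreType", "JKS");
        p.setProperty("trustCertificateKeyStorePassword", "PLACEHOLDER_PASSWORD");
        // Do not silently fall back to the JVM-wide trust store if the URL is wrong.
        p.setProperty("fallbackToSystemTrustStore", "false");
        return p;
    }

    /** Opens the connection only if the effective mode verifies the server. */
    public static Connection connect(String url, Properties p) throws SQLException {
        String mode = effectiveSslMode(p);
        if (!verifiesServer(mode)) {
            throw new IllegalStateException("refusing to connect: effective sslMode is " + mode);
        }
        return DriverManager.getConnection(url, p);
    }

    public static void main(String[] args) throws SQLException {
        // Constructed legacy property set, as found in older applications.
        Properties legacy = new Properties();
        legacy.setProperty("useSSL", "true");
        legacy.setProperty("requireSSL", "true");
        System.out.println("legacy useSSL=true, requireSSL=true -> " + effectiveSslMode(legacy));

        Properties hardened = hardenedProperties("app_user", "PLACEHOLDER_PASSWORD");
        System.out.println("hardened -> " + effectiveSslMode(hardened));

        // Placeholder URL; uncomment against a real server whose CA is in the trust store.
        // Connection c = connect("jdbc:mysql://db.example.internal:3306/app", hardened);
    }
}
```

Running main without a server only prints the effective modes; the connect call is left commented because it needs a reachable server whose CA certificate is in the trust store. The trust store referenced by trustCertificateKeyStoreUrl can be created from the server CA certificate with the JDK's keytool -importcert command.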
useSSL
For 8.0.12 and earlier: Use SSL when communicating with the server (true/false); default is 'true' when connecting to MySQL 5.5.45+, 5.6.26+ or 5.7.6+, otherwise default is 'false'.
For 8.0.13 and later: Default is 'true'. DEPRECATED. See the sslMode property description for details.
requireSSL
For 8.0.12 and earlier: Require server support of SSL connection if useSSL=true? (defaults to 'false').
For 8.0.13 and later: DEPRECATED. See the sslMode property description for details.
verifyServerCertificate
For 8.0.12 and earlier: If "useSSL" is set to "true", should the driver verify the server's certificate? When using this feature, the key store parameters should be specified by the "clientCertificateKeyStore*" properties, rather than system properties. Default is 'false' when connecting to MySQL 5.5.45+, 5.6.26+ or 5.7.6+ and "useSSL" was not explicitly set to "true". Otherwise default is 'true'.
For 8.0.13 and later: Default is 'false'. DEPRECATED. See the sslMode property description for details.
trustCertificateKeyStoreType
Key store type for trusted root certificates. NULL or empty means use the default, which is "JKS". Standard key store types supported by the JVM are "JKS" and "PKCS12"; your environment may have more available depending on what security products are installed and available to the JVM.
trustCertificateKeyStoreUrl
URL for the trusted root certificates key store. If not specified, the property 'fallbackToSystemTrustStore' determines whether the system-wide trust store is used.
trustCertificateKeyStorePassword
Password for the trusted root certificates key store.
fallbackToSystemKeyStore
Whether the absence of a value for 'clientCertificateKeyStoreUrl' falls back to using the system-wide key store defined through the system properties 'javax.net.ssl.keyStore*'.
clientCertificateKeyStoreType
Key store type for client certificates. NULL or empty means use the default, which is "JKS". Standard key store types supported by the JVM are "JKS" and "PKCS12"; your environment may have more available depending on what security products are installed and available to the JVM.
clientCertificateKeyStoreUrl
URL for the client certificate KeyStore. If not specified, the property 'fallbackToSystemKeyStore' determines whether the system-wide key store is used.
clientCertificateKeyStorePassword
Password for the client certificate key store.
fallbackToSystemKeyStore
Whether the absence of a value for 'clientCertificateKeyStoreUrl' falls back to using the system-wide key store defined through the system properties 'javax.net.ssl.keyStore*'.