When using a Java 8 to 12 JREs, if JSSE is configured to use
FIPS mode, attempts to connect to a MySQL Server may fail in
some cases with a KeyManagementException
,
complaining that "FIPS mode: only SunJSSE
TrustManagers
may be used." This happens
because, in that case, a custom
TrustManager
implemented by Connector/J
that supports the different
sslMode
options is invoked but is eventually rejected by the default
implementation of SunJSSE.
The issue can be overcome by telling Connector/J not to use
its custom TrustManager
implementation, but use
your own security providers instead. This can be done by
setting the following connection properties:
fipsCompliantJsse
: Set totrue
to overcome the above-mentioned issue with FIPS mode.NoteWhen set to true, Connector/J always performs server certificate validation (even if
sslMode
is set toPREFERRED
orREQUIRED
), which means a truststore must be configured with the connection proprieties described below, or the fallback system-wide truststore must be enabled.KeyManagerFactoryProvider
: The name of the a Java Security Provider that provides ajavax.net.ssl.KeyManagerFactory
implementation.trustManagerFactoryProvider
: The name of the a Java Security Provider that provides ajavax.net.ssl.TrustManagerFactory
implementation.keyStoreProvider
: The name of the a Java Security Provider that provides ajava.security.KeyStore
implementation, supporting the key stores types specified withclientCertificateKeyStoreType
andtrustCertificateKeyStoreType
.