WL#4995: SSL Certificate validation
Affects: Connector/.NET-5.2 — Status: Complete — Priority: Medium
Currently, server certificates are not validated in Connector.NET (BUG#38700). We should add an option to validate certificates, and maybe even validate them by default.
We will introduce the new connection string parameter "Ssl Mode" and the corresponding MySqlConnectionStringBuilder property SslMode, with the following possible values:
1) None: no encryption
2) Prefered: use encryption if the server supports SSL
3) Required: deny the connection if the server does not support SSL
4) ValidateCA: check for a valid certification authority in the certificate (host name mismatch tolerated)
5) ValidateFull: full validation
The default value is "None". This is modeled after Postgres client SSL support: http://www.postgresql.org/docs/8.4/static/libpq-ssl.html (section 30.17.3. "Protection provided in different modes").
The existing boolean parameter encrypt will be deprecated but still supported. "encrypt=true" in the connection string will be handled the same as sslmode=prefered.
The .NET client relies on OS support to validate certificates and does not implement its own certificate stores.
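The mode semantics above can be expressed as a decision over the SslPolicyErrors flags that .NET's OS-backed validation reports to a RemoteCertificateValidationCallback. This is an added sketch, not Connector/NET's own code: the SslMode and Outcome enums and the SslModePolicy class are hypothetical names, and it assumes Prefered and Required encrypt without validating the certificate.

```csharp
using System;
using System.Net.Security;

// Hypothetical enum mirroring the five "Ssl Mode" values listed above.
enum SslMode { None, Prefered, Required, ValidateCA, ValidateFull }

enum Outcome { Plaintext, Encrypted, Refused }

static class SslModePolicy
{
    // Certificate check applied once a TLS handshake has taken place.
    // Assumption: Prefered and Required do not validate, because validation
    // first appears at ValidateCA in the list of modes.
    public static bool CertificateAccepted(SslMode mode, SslPolicyErrors errors)
    {
        switch (mode)
        {
            case SslMode.ValidateFull:
                return errors == SslPolicyErrors.None;
            case SslMode.ValidateCA:
                // Tolerate only a host name mismatch; chain errors or a
                // missing certificate still fail.
                return (errors & ~SslPolicyErrors.RemoteCertificateNameMismatch) == SslPolicyErrors.None;
            default:
                return true;
        }
    }

    // Callback suitable for the SslStream constructor; 'errors' is computed by the OS-backed validation.
    public static RemoteCertificateValidationCallback CallbackFor(SslMode mode) =>
        (sender, cert, chain, errors) => CertificateAccepted(mode, errors);

    public static Outcome Decide(SslMode mode, bool serverSupportsSsl, SslPolicyErrors errors)
    {
        if (mode == SslMode.None) return Outcome.Plaintext;
        if (!serverSupportsSsl)   // only Prefered may fall back to an unencrypted session
            return mode == SslMode.Prefered ? Outcome.Plaintext : Outcome.Refused;
        return CertificateAccepted(mode, errors) ? Outcome.Encrypted : Outcome.Refused;
    }

    static void Main()
    {
        // Constructed inputs: a clean certificate, a host name mismatch, an untrusted chain.
        var cases = new[] { SslPolicyErrors.None, SslPolicyErrors.RemoteCertificateNameMismatch,
                            SslPolicyErrors.RemoteCertificateChainErrors };
        foreach (SslMode mode in Enum.GetValues(typeof(SslMode)))
            foreach (var e in cases)
                Console.WriteLine("{0,-12} {1,-30} -> {2}", mode, e, Decide(mode, true, e));
        Console.WriteLine("Required, server without SSL -> {0}", Decide(SslMode.Required, false, SslPolicyErrors.None));
    }
}
```

Because the default is "None" and Prefered silently falls back to plaintext, only ValidateCA and ValidateFull reject a certificate from an untrusted authority, and only ValidateFull rejects one issued for a different host name.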