SSL mode VERIFY_CA used by the streaming mode but not by the snapshot mode


Saurabh Godbole

Aug 18, 2021, 3:31:26 PM
to debezium
Hi,

I am using Debezium version 1.5, and connecting to an Aurora MySQL instance.

There were two issues:
1. I tried enabling SSL using MySqlConnectorConfig.SSL_TRUSTSTORE and MySqlConnectorConfig.SSL_TRUSTSTORE_PASSWORD. Snapshot worked, but I was not able to stream and got an error:
"     [java] Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" 

The way I got around this issue was by setting the system variables "javax.net.ssl.trustStore" and "javax.net.ssl.trustStorePassword" instead.

2. The second issue extends from an observation in the above issue. It seems that the Snapshot reader does not use SSL. The way I verified this was as follows:
I set the correct credentials: Snapshot and streaming succeeded
I set the incorrect credentials: Streaming failed but snapshot was successful.

Thus I drew the conclusion that the snapshot reader was not using SSL. Is there a way to enable this?

Thanks,
Saurabh Godbole

Saurabh Godbole

Aug 18, 2021, 4:51:28 PM
to debezium
Correction: 
"
2. The second issue extends from an observation in the above issue. It seems that the Snapshot reader does not use SSL. The way I verified this was as follows:
I set the correct truststore password: Snapshot and streaming succeeded
I set the incorrect truststore password: Streaming failed but snapshot was successful.
"

Gunnar Morling

Aug 20, 2021, 11:57:01 AM
to debezium
Hi,

Seems like something we need to look into. Can you log a Jira issue for this? Can you also try and disable non-SSL access to your Aurora instance, so as to verify your second point (both snapshotting and streaming should fail then)?

Thanks,

--Gunnar

Saurabh Godbole

Aug 24, 2021, 1:28:45 PM
to debezium
Hi,

Thanks for your response. Let me do the above investigation and log an issue for this.

Thanks,
Saurabh Godbole

Saurabh Godbole

Sep 27, 2021, 12:24:55 PM
to debezium
Hi,

Apologies for the late response, and thanks for your suggestion about testing against a non-SSL access disabled Aurora instance. The following was the result:
1. I tested against a non-SSL access disabled Aurora instance. I set all the proper credentials, truststore and password (as a system property, the MySqlConnectorConfig did not work for me), and SSL mode set to verify_ca. I found that Debezium was working for both the snapshot and streaming phases.
2. To further investigate, I commented out the lines where I was supplying the truststore information, and found that the snapshot phase was still unexpectedly working while the streaming failed as expected. This pointed to some issue with the snapshot.
3. It seems that the MySqlConnection and the JdbcConnection classes don't make use of the ssl_mode information, and the JDBC URL does not contain the "sslMode" flag. I was able to resolve the issue by modifying the URL_PATTERN string when SSL was enabled to include the ssl_mode information.

Thanks,
Saurabh Godbole
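
Added example (not part of the thread and not Debezium's or Connector/J's code): a small audit of a MySQL JDBC URL for the condition described in point 3 above, where the snapshot connection's URL carries no `sslMode` and so never verifies the server certificate. The class `JdbcTlsAudit`, the host name and the truststore path are hypothetical; the property names `sslMode` and `trustCertificateKeyStoreUrl` and the default of `PREFERRED` assume MySQL Connector/J 8.0.13 or later.

```java
import java.util.*;

// Added example: hypothetical helper, not part of Debezium or Connector/J.
public class JdbcTlsAudit {

    // Parse the query string of a jdbc:mysql:// URL into key/value pairs.
    static Map<String, String> params(String jdbcUrl) {
        Map<String, String> out = new LinkedHashMap<>();
        int q = jdbcUrl.indexOf('?');
        if (q < 0) return out;
        for (String pair : jdbcUrl.substring(q + 1).split("&")) {
            if (pair.isEmpty()) continue;
            String[] kv = pair.split("=", 2);
            out.put(kv[0], kv.length == 2 ? kv[1] : "");
        }
        return out;
    }

    // Return findings; an empty list means the URL itself pins CA verification.
    static List<String> audit(String jdbcUrl) {
        Map<String, String> p = params(jdbcUrl);
        List<String> findings = new ArrayList<>();
        String mode = p.get("sslMode");
        if (mode == null) {
            // Assumption: Connector/J 8.0.13+, where an absent sslMode means PREFERRED.
            findings.add("sslMode absent: driver default applies, server certificate is not verified");
        } else if (!mode.equalsIgnoreCase("VERIFY_CA") && !mode.equalsIgnoreCase("VERIFY_IDENTITY")) {
            findings.add("sslMode=" + mode + ": server certificate is not verified");
        } else if (!p.containsKey("trustCertificateKeyStoreUrl")) {
            findings.add("no trustCertificateKeyStoreUrl: verification depends on the JVM-wide truststore");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample URLs; host and truststore path are placeholders.
        String[] urls = {
            "jdbc:mysql://db.example.internal:3306/?useInformationSchema=true",
            "jdbc:mysql://db.example.internal:3306/?sslMode=REQUIRED",
            "jdbc:mysql://db.example.internal:3306/?sslMode=VERIFY_CA",
            "jdbc:mysql://db.example.internal:3306/?sslMode=VERIFY_CA"
                + "&trustCertificateKeyStoreUrl=file:/etc/pki/rds-truststore.jks",
        };
        for (String url : urls) {
            List<String> f = audit(url);
            System.out.println(url + "\n  -> " + (f.isEmpty() ? "OK" : String.join("; ", f)));
        }
    }
}
```

The third sample URL corresponds to the workaround reported in the thread, where verification succeeds only because the truststore is supplied through the `javax.net.ssl.trustStore` system property.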

jiri.p...@gmail.com

Oct 8, 2021, 1:48:31 AM
to debezium
Hi,

Have you tried to use the passthrough parameter database.sslMode?

J.
