Connect to h2 server using SSL


Christian Buchegger

Oct 23, 2019, 8:52:35 AM
to H2 Database
When connecting to h2 server using the ssl url: jdbc:h2:ssl:localhost/mydatabase

I get the below exception:

Exception in thread "main" org.h2.jdbc.JdbcSQLNonTransientConnectionException: Connection is broken: "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: localhost" [90067-199]
    at org.h2.message.DbException.getJdbcSQLException(DbException.java:617)
    at org.h2.message.DbException.getJdbcSQLException(DbException.java:427)
    at org.h2.message.DbException.get(DbException.java:194)
    at org.h2.engine.SessionRemote.connectServer(SessionRemote.java:435)
    at org.h2.engine.SessionRemote.connectEmbeddedOrServer(SessionRemote.java:317)
    at org.h2.jdbc.JdbcConnection.<init>(JdbcConnection.java:169)
    at org.h2.jdbc.JdbcConnection.<init>(JdbcConnection.java:148)
    at org.h2.Driver.connect(Driver.java:69)
    at java.sql.DriverManager.getConnection(DriverManager.java:664)
    at java.sql.DriverManager.getConnection(DriverManager.java:247)
    at org.h2.tools.RunScript.process(RunScript.java:327)
    at org.h2.tools.RunScript.runTool(RunScript.java:143)
    at org.h2.tools.RunScript.main(RunScript.java:70)

The error message is like the one I found at: http://h2-database.66688.n3.nabble.com/H2-TCP-server-and-SSL-how-to-use-it-td4032294.html

After some experiments, I figured out that adding
-Djavax.net.ssl.trustStore=$HOME/.h2.keystore
to the commandline of the client resolves the issue.

My question here is:
  • In order to have zero config on the client side for using anonymous TLS, would it make sense to add this setting to the org.h2.security.CipherFactory.setKeystore function?

Evgenij Ryazanov

Oct 23, 2019, 9:12:39 AM
to H2 Database
Hello.

H2 uses anonymous SSL by default on older Java versions up to 10, unless a security manager prevents it. It also doesn't work on Java 11+ due to changes in the JDK.

I have multiple installations of different versions of Java, and in one of them an exception like yours appears, but it looks like a problem with that specific JRE.

Christian Buchegger

Oct 30, 2019, 4:25:24 AM
to H2 Database
Hi,
I did some more tests using different JDKs now.
With jdk1.8.0_151, which you are using in the Travis build, I do not see this exception either.
However, with jdk1.8.0_202 this exception occurs.
I have attached a standalone test case with SSL debug enabled, as the test in org.h2.test.unit.TestTools does not spot the issue, likely because client and server live in the same JVM sharing the same key infrastructure.

Note the stopServer() function of the script does not work if SSL fails.

anon_ssl.sh

Evgenij Ryazanov

Oct 30, 2019, 5:18:23 AM
to H2 Database
Oracle disabled anonymous suites for security reasons.
If you can't use an older JRE, you need to create a key store and set the system properties javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword.

Evgenij Ryazanov

Oct 30, 2019, 5:53:50 AM
to H2 Database
You also can find jdk.tls.disabledAlgorithms in jre/lib/security/java.security (or in conf/security/java.security in more recent versions) and remove anon from the list.
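The key store route from the replies above, worked through as an added example that is not part of the thread or of the H2 project: a server key pair under javax.net.ssl.keyStore, a separate client trust store under javax.net.ssl.trustStore, and a small check of the jdk.tls.disabledAlgorithms list as an alternative to editing it. The jar name, file names, passwords, port and the documented jdbc:h2:ssl://host:port/db URL form are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): replace anonymous TLS with a real
# server key pair plus a client trust store. Assumed names: h2.jar in the
# working directory, the file names and passwords below, port 9092.
set -eu
H2_JAR=${H2_JAR:-h2.jar}
SERVER_KS=server.keystore; SERVER_PW=change-me-server
CLIENT_TS=client.truststore; CLIENT_PW=change-me-client
# Server identity: self-signed RSA key for CN=localhost (the name the client connects to).
gen_server_keystore() {
  keytool -genkeypair -alias h2 -keyalg RSA -keysize 2048 -validity 365 -dname "CN=localhost" \
    -keystore "$SERVER_KS" -storepass "$SERVER_PW" -keypass "$SERVER_PW"
}
# Client trust: export only the certificate into a separate trust store; the private key stays put.
gen_client_truststore() {
  keytool -exportcert -alias h2 -keystore "$SERVER_KS" -storepass "$SERVER_PW" -file h2.crt
  keytool -importcert -noprompt -alias h2 -file h2.crt -keystore "$CLIENT_TS" -storepass "$CLIENT_PW"
}
# Server side: javax.net.ssl.keyStore / keyStorePassword, as advised in the thread.
# -ifNotExists is only needed to create the database on first start; drop it afterwards.
start_server() {
  java -Djavax.net.ssl.keyStore="$SERVER_KS" -Djavax.net.ssl.keyStorePassword="$SERVER_PW" \
    -cp "$H2_JAR" org.h2.tools.Server -tcp -tcpSSL -tcpPort 9092 -ifNotExists &
  echo $! > h2.pid
}
# Client side: javax.net.ssl.trustStore (the setting the original poster found), pointing at
# the client's own trust store rather than at the server's key store.
run_client() {  # $1 = SQL script to run
  java -Djavax.net.ssl.trustStore="$CLIENT_TS" -Djavax.net.ssl.trustStorePassword="$CLIENT_PW" \
    -cp "$H2_JAR" org.h2.tools.RunScript -url 'jdbc:h2:ssl://localhost:9092/~/mydatabase' \
    -user sa -script "$1" -showResults
}
# Reports whether "anon" is in jdk.tls.disabledAlgorithms of a java.security file (follows
# backslash continuation lines). Prints "disabled" or "enabled"; leaving it disabled and using
# the key stores above is the safer fix than removing it from the list.
anon_suites_status() {
  awk '
    /^jdk\.tls\.disabledAlgorithms=/ { cont = 1; sub(/^[^=]*=/, "") }
    cont { val = val $0; if ($0 !~ /\\$/) cont = 0 }
    END { gsub(/\\/, "", val); n = split(val, p, ",")
          for (i = 1; i <= n; i++) { gsub(/^[ \t]+|[ \t]+$/, "", p[i])
            if (p[i] == "anon") { print "disabled"; exit } }
          print "enabled" }' "$1"
}
# Constructed sample in the java.security format, for trying anon_suites_status offline.
sample_java_security() {  # $1 = output path
  cat > "$1" <<'EOF'
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
EOF
}
```

Run gen_server_keystore, gen_client_truststore and start_server on the server host, then run_client some.sql from the client; anon_suites_status "$JAVA_HOME/jre/lib/security/java.security" tells you whether the JRE in use still disables the anonymous suites.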