Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Problems accessing databases over TLS with outdated cert signing algorithm #289

Open
Anonymous-Coward opened this issue Mar 30, 2023 · 5 comments

Comments

@Anonymous-Coward
Copy link

I have a database accessible over TLS with a certificate signed with SHA1 and with key algorithm RSA - I have no control over the certificate used by the database. Any attempt to migrate that database using Java 17 (openjdk) and mybatis will fail with the following error:

ERROR: Error getting connection. Cause: org.postgresql.util.PSQLException: SSL error: Certificates do not conform to algorithm constraints.

The reason for this is that SHA1 with RSA was found to be insecure some time in the past and more recent JDKs/JREs have disabled it.

When you configure other clients for accessing the database, you can change ${JAVA_HOME}/conf/security/java.security to allow that algorithm combination - remove offending entries from jdk.certpath.disabledAlgorithms - and set the SSL factory used by the driver to org.postgresql.ssl.DefaultJavaSSLFactory.

There's no way to influence the behavior of the postgres driver when being used from mybatis migrations - or at least not a documented one that I could find.

Same goes for the mybatis migrations plugin. Even if the java global security settings file is changed, the driver will still complain about outdated algorithms by throwing the exception.

Mybatis migrations version: MyBatis Migrations 3.3.11
Mybatis migrations maven plugin: 1.1.4
Postgres jdbc driver: 4.2.25 (both with the maven plugin and the CLI)

@harawata
Copy link
Member

Hello @Anonymous-Coward ,

A different Java installation is used, maybe?
For CLI, there are scripts in the 'bin' directory.

It seems unlikely that Migrations can somehow override or ignore the JVM's security config.
If there is some condition that prohibits the driver from using the config, you should ask pgjdbc people about it.

@Anonymous-Coward
Copy link
Author

My initial description of the problem is probably somewhat inaccurate - I won't fix it, though, or else the context of harawata's comment is partially lost.

There is a way to override the Java security settings from the command line:

-Djava.security.properties=<custom java security settings file> -Djava.security.disableSystemPropertiesFile=true

The setting java.security.disableSystemPropertiesFile is what makes things work. Additionally to the file java.security that's part of every JVM/JDK installation, there's also a global security settings file, which overrides whatever is in the individual, per-JVM/JDK files. Editing that file is not an acceptable - in order to run mybatis migrations you'd need to create a security risk for the entire system, for all Java installations.

If I edit the migrate script that's part of the mybatis migrations bundle, and add these parameters to the command at the end that runs the Java migrations application, I can run the migrations. Any other way to change what the migrate script uses fails. There are no command line overrides possible for the migrate script to pass to the Java command.

For running migrations with changed Java security settings using the maven plugin, I have not found any way to make it work. Other maven plugins allow overriding system properties in the plugin's configuration. The only configuration the mybatis migrations plugin allows is the repository.

The problem isn't that the driver doesn't pick the correct java.security settings file. It's that the mybatis migrations, both when used as a maven plugin and when used as a standalone application, don't provide a way to specify custom java security settings, to make it possible to use cipher combinations which are considered unsafe by newer JDKs but are unfortunately still used by major certificate providers. The SHA1 with RSA combination was marked as unsafe and therefore disabled already since 2019, but certificates with that combination of ciphers (certificate signature and key encryption) are still used by managed services on major public clouds.

@hazendaz
Copy link
Member

hazendaz commented Mar 31, 2023 via email

@Anonymous-Coward
Copy link
Author

@hazendaz Has nothing to do with what libs the client (in this case mybatis migrations) uses. If it was a problem of what libraries the client uses, it would still be a mybatis migrations issue - there's nothing on the classpath except what the JVM provides by default and the mybatis migrations standalone jar. But it isn't a problem of libraries, it's a problem of missing functionality.

There is a database on azure which should be updated using mybatis migrations. It's a managed service, so there's nothing anybody except Microsoft can do about what certificates that database uses. That database uses a root CA with an outdated signature algorithm - SHA1 with RSA. It's a managed service - a database provided as a service by Microsoft/Azure where the certificates are provided by Microsoft and can't be changed in any way by users.

The problem I'm trying to get across is that there is no way to tell the mybatis migrate script to use modified security settings other than editing the script itself, and no way whatsoever to do this for the mybatis migrations plugin, except changing Java security settings in a way that affects all Java processes on the machine. This doesn't seem an acceptable way to do it, to me. There should be a way for the migrate script to allow passing -D parameters on the command line to the JVM, and there should be a way to do the same in the maven plugin configuration.

@harawata
Copy link
Member

@Anonymous-Coward ,

If I edit the migrate script that's part of the mybatis migrations bundle, and add these parameters to the command at the end that runs the Java migrations application, I can run the migrations. Any other way to change what the migrate script uses fails. There are no command line overrides possible for the migrate script to pass to the Java command.

In the scripts, the environment variable JAVA_OPTS is passed to the java command, I think.

export JAVA_OPTS="-Djava.security.properties=<custom java security settings file> -Djava.security.disableSystemPropertiesFile=true"

Note that the scripts are generated by appassembler and there seems to be some issue with JAVA_OPTS handling.

For running migrations with changed Java security settings using the maven plugin, I have not found any way to make it work. Other maven plugins allow overriding system properties in the plugin's configuration. The only configuration the mybatis migrations plugin allows is the repository.

I don't know much about maven plugins, but it sounds like a useful feature.
If you send us a PR to https://github.com/mybatis/migrations-maven-plugin, we will review it.
Or, just open a new feature request issue there.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants