Recently I had some problems connecting with DataGrip to my Microsoft SQL Server 2012 instance, provided as part of a purchased web hosting plan.
For some reason my connection was always rejected with the following error message:
The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target".
Microsoft’s documentation (available here) turned out to be very helpful. According to it, the initialization is always encrypted with JDBC, and I should actually focus on the encrypt and trustServerCertificate parameters, setting both to ‘true’. In this configuration the client side (my tool) expected SSL traffic and skipped all checks on the certificate itself.
Partial success: the error message now changed to:
The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "java.security.cert.CertificateException: Certificates do not conform to algorithm constraints".
This led to the conclusion that the certificate is invalid in more ways than one. A little help from stackoverflow.com revealed that it might be so old that the latest Java 8 OpenJDK had blacklisted it because of the weaknesses and vulnerabilities of the MD5 signatures it uses. The brutal and effective patch is then to restore it and whitelist it ;-)
Edit file: %ProgramFiles%\JetBrains\DataGrip 2017.1.5\jre64\lib\security\java.security
and remove MD5 and MD5withRSA
from those two variables: jdk.certpath.disabledAlgorithms and jdk.tls.disabledAlgorithms.
Now the connection succeeds and we are ready to play with the database.
You are right. At this point I should stop and let them know about the issue and ask about a certificate upgrade. Thanks.
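An added example (not from the original post): a Python check that reports whether a java.security file still lists MD5 entries in the two properties edited above, which helps to find the workaround and revert it once the server certificate is upgraded. The sample file contents are constructed, and the parser assumes the key=value form with backslash line continuations.

```python
PROPS = ("jdk.certpath.disabledAlgorithms", "jdk.tls.disabledAlgorithms")
MD5_NAMES = {"md5", "md5withrsa"}

def parse_security_properties(text):
    """Parse java.security text: '#'/'!' comments, key=value, backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue                      # blank line or comment
        if line.endswith("\\"):
            pending += line[:-1]          # logical line continues on the next one
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props

def md5_entries(value):
    """Return the MD5-related algorithm names listed in a disabledAlgorithms value."""
    found = []
    for entry in value.split(","):
        # Entries may carry constraints ("RSA keySize < 1024"); the name is the first token.
        tokens = entry.split()
        if tokens and tokens[0].lower() in MD5_NAMES:
            found.append(tokens[0])
    return found

def audit(text):
    """Map each property to its MD5 entries; an empty list means none is listed there."""
    props = parse_security_properties(text)
    return {name: md5_entries(props.get(name, "")) for name in PROPS}

# Constructed samples: an untouched file and one edited as described in the post.
DEFAULT_SAMPLE = """\
# constructed sample, not copied from a real installation
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \\
    DSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024
"""
EDITED_SAMPLE = """\
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024, \\
    DSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 1024
"""

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_SAMPLE), ("edited", EDITED_SAMPLE)):
        print(label, audit(text))
```

To audit a real installation, pass the contents of its java.security file to `audit()`; any property that comes back with an empty list no longer lists an MD5 entry.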