Connection Java - MySQL : Public Key Retrieval is not allowed

java

connection-string-options

mysql-connection

ssl-encryption

byAnton Shumikhin·Feb 2, 2025

To resolve the "Public Key Retrieval is not allowed" error with MySQL connections, append allowPublicKeyRetrieval=true to your JDBC URL. This overcomes blocks preventing Java from accessing the necessary public key. However, use it with consideration due to potential security vulnerabilities. Here's how to modify the URL:

String url = "jdbc:mysql://localhost:3306/db?allowPublicKeyRetrieval=true";
// Life's too short for random database errors, isn't it?
Connection conn = DriverManager.getConnection(url, "user", "pass");

Replace db, user, and pass with your specific values. While not an ultimate solution, it's a useful workaround. For superior security, especially for production deployments, update your MySQL SSL configuration and the client's trust store.

Decrypting Public Key Retrieval

The allowPublicKeyRetrieval flag is like a VIP pass allowing MySQL drivers to fetch the RSA public key necessary for secure SHA-256 password exchanges. Beware though, this open door could invite unwanted guests (read: attackers) to the party.

Safeguard your Castle (Development Best Practices)

Partnering allowPublicKeyRetrieval=true with useSSL=false may be like throwing a great open-door party during development, just don't let the party extend to production. Here's your security checklist:

Secure the portcullis (Enable SSL): Activate SSL encryption with useSSL=true and make sure your MySQL server is fitted with the right SSL certificates.
Trust but Verify (Certificate Validation): Ensure your Java app validates the MySQL server's SSL certificate to ward off potential attackers.
Password Protocol: If needed, switch the user's authentication protocol to mysql_native_password, though newer protocols offer enhanced security.

Sparkling Production-ready JDBC URL

For production, your JDBC URL should look something like this:

String prodUrl = "jdbc:mysql://your_production_host:3306/db?allowPublicKeyRetrieval=true&useSSL=true";
// Like fine wine, things get better with time. So does your MySQL URL
Connection prodConn = DriverManager.getConnection(prodUrl, "prodUser", "prodPass");

Update placeholder values with your real-world ones to make them truly yours!

Dance with DBeaver (GUI-based settings)

If you're someone who prefers a GUI tool like DBeaver, updating your connection settings is a breeze:

Head over to "Driver properties" and browse through the list of customizable settings.
Double-click on a setting value to change it. Look out for allowPublicKeyRetrieval and useSSL.
If you're working locally without SSL, you can uncheck "Verify server certificate" under properties.

Remember, maintain your production discipline, and revert any insecure settings before deploying.

Don’t get Tripped (Troubleshooting)

The path to allowPublicKeyRetrieval=true isn't always straightforward. Be on the lookout for these common tripping points:

Database and User Credentials: The database name, username, and password in your URL should be correct.
Server and Port Configuration: Are you connecting to the right host? Is your MySQL server running on the expected port (usually 3306)?
Timezone Settings: The server and the client should agree on the timezone to avoid any unwelcome surprises.

Deep Dive into Connection Guidance

Facing other complex connection issues? MySQL's exhaustive .NET Connection String Options guide is your friend here. It contains a flurry of parameters to help you tailor your connection properties, cater to uncommon needs, or troubleshoot tricky scenarios.

explain-codes / Java / Connection Java - MySQL : Public Key Retrieval is not allowed

Linked

How do I find out what keystore my JVM is using?



Import PEM into Java Key Store



Accept server's self-signed SSL certificate in Java client



How to encrypt String in Java



Com.jcraft.jsch.jschexception: UnknownHostKey

