Can't establish TLS connection when enable server cert check in AWS Lambda

[zhangyangyu]

Describe the bug

When trying to connect to a MySQL server using MySQL Connector/J 8.0.29 using TLS connection like:

sslMode=VERIFY_IDENTITY&enabledTLSProtocols=TLSv1.2,TLSv1.3

it throws:

12:16:00.802 [main] ERROR org.custom.connector.jdbc.client.MySQLClient - URI: jdbc:mysql://[gateway01.us-west-2.prod.aws.tidbcloud.com:4000/test?user=HZ5E7ifaDEjJTsh.root&password=wqz1994625&sslMode=VERIFY_IDENTITY&enabledTLSProtocols=TLSv1.2,TLSv1.3](http://gateway01.us-west-2.prod.aws.tidbcloud.com:4000/test?user=HZ5E7ifaDEjJTsh.root&password=wqz1994625&sslMode=VERIFY_IDENTITY&enabledTLSProtocols=TLSv1.2,TLSv1.3)
12:16:01.823 [main] ERROR org.custom.connector.jdbc.client.MySQLClient - SQLException: Cannot open file:/etc/pki/java/cacerts [Keystore was tampered with, or password was incorrect]

To Reproduce

Just connect to a MySQL Server enables TLS using the settings above.
You can also check template https://github.com/pingcap-inc/tidb-appflow-integration/blob/main/template.yml#L11.

Expected behavior

OpenJDK will use the default truststore if user don't supply any truststore configuretion. And seems corretto also tries to do so but something weird happens. It cannot open the path /etc/pki/java/cacerts in Lambda.

Screenshots

If applicable, add screenshots to help explain your problem.

Platform information

OS: [e.g. Amazon Linux 2]
Version [e.g. "11.0.1+13-1" (output from "java -version")]

Additional context

Actually, last year, a same bug is reported corretto/corretto-8#320, it is closed as there is a "solution". But I can't agree. Although setting sslMode=REQUIRED could establish connection successfully, but it won't check the server's cert or even host name. This is not what I want and expose users to MITM problems.

[navyxliu]

hi, @zhangyangyu ,
I think your question is more like how to use lambda java runtime rather than Correto.
I will try to seek helps from colleagues who are familiar with this domain. stay tuned.