  1. MariaDB Connector/C
  2. CONC-360

Support equivalent of ssl_mode=VERIFY_CA / disableSslHostnameVerification

Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Won't Fix
    • None
    • N/A
    • TLS/SSL
    • None

    Description

      Currently it seems both CA verification and hostname verification are guarded by the ssl_verify_server_cert option, so an application cannot verify the CA independently of hostname verification.

      So this is a feature request to be able to disable hostname verification while still being able to perform peer certificate verification. This is akin to ssl_mode=VERIFY_CA or perhaps the MariaDB Connector/J's disableSslHostnameVerification option. In some environments the subject names on a certificate are not terribly interesting, but we would like the client to verify the server's certificate against some provided CA, which seems impossible today when using the MariaDB Connector/C.

          Activity

            serg Sergei Golubchik added a comment - As far as I understand, not verifying the hostname opens you to MitM attacks. A man in the middle can replace the certificate with a valid but different certificate and decrypt all the traffic. Basically, verifying only the CA without the hostname is as safe as not verifying anything at all.
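
The two verification modes discussed in this issue, modelled in plain C as an added example (this is not Connector/C code). `enum verify_mode`, `struct peer_cert`, `accept_peer` and the sample certificates are hypothetical, and the chain check is reduced to a flag because a real client delegates it to its TLS library.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical model, not Connector/C identifiers. */
enum verify_mode { VERIFY_NONE, VERIFY_CA, VERIFY_IDENTITY };

struct peer_cert {
    int chains_to_trusted_ca;  /* assumed outcome of the TLS library's chain check */
    const char *san_dns[4];    /* dNSName entries, NULL-terminated */
};

/* Case-insensitive match; "*" is honoured only as the entire left-most label. */
static int name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        return dot != NULL && dot != host && strcasecmp(pattern + 1, dot) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

/* Returns 1 if the client would proceed with the connection, 0 if it aborts. */
int accept_peer(enum verify_mode mode, const struct peer_cert *c, const char *host)
{
    if (mode == VERIFY_NONE) return 1;
    if (!c->chains_to_trusted_ca) return 0;
    if (mode == VERIFY_CA) return 1;          /* subject names never inspected */
    for (int i = 0; i < 4 && c->san_dns[i] != NULL; i++)
        if (name_matches(c->san_dns[i], host)) return 1;
    return 0;
}

/* Constructed sample certificates. */
static const struct peer_cert db_cert    = {1, {"db1.corp.example", NULL}};
static const struct peer_cert other_cert = {1, {"*.web.corp.example", NULL}}; /* same CA, other service */
static const struct peer_cert selfsigned = {0, {"db1.corp.example", NULL}};

int main(void)
{
    const char *host = "db1.corp.example";
    printf("VERIFY_CA, other_cert:       %d\n", accept_peer(VERIFY_CA, &other_cert, host));
    printf("VERIFY_IDENTITY, other_cert: %d\n", accept_peer(VERIFY_IDENTITY, &other_cert, host));
    printf("VERIFY_IDENTITY, db_cert:    %d\n", accept_peer(VERIFY_IDENTITY, &db_cert, host));
    printf("VERIFY_CA, selfsigned:       %d\n", accept_peer(VERIFY_CA, &selfsigned, host));
    return 0;
}
```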

            People

              georg Georg Richter
              andrew.garner Andrew Garner