Details
- Type: Bug
- Status: Closed
- Priority: Minor
- Resolution: Won't Fix
Description
Currently it seems both CA verification and hostname verification are guarded behind the ssl_verify_server_cert option, so an application cannot verify the CA independently of hostname verification.
So this is a feature request to be able to disable hostname verification while still being able to perform peer certificate verification. This is akin to ssl_mode=VERIFY_CA or perhaps the MariaDB Connector/J's disableSslHostnameVerification option. In some environments the subject names on a certificate are not terribly interesting, but we would like the client to verify the server's certificate against some provided CA, which seems impossible today when using the MariaDB Connector/C.
Issue Links
- relates to MDEV-28634 Client's --ssl-* options (without --ssl-verify-server-cert) are silently ignored if TLS is not possible (Closed)
As far as I understand, not verifying the hostname opens you to MitM attacks. A man in the middle can replace the certificate with a valid but different certificate and decrypt all the traffic. Basically, verifying only the CA without the hostname is as safe as not verifying anything at all.