Details
-
Bug
-
Status: Open (View Workflow)
-
Major
-
Resolution: Unresolved
-
3.0.8, 3.1.0
-
None
Description
Support for server certificate verification against subjectAltName (SAN) fields was added in the following Jira issues:
This seems to be supported with OpenSSL, Schannel, and GnuTLS.
However, I noticed that C/C does not necessarily check the server's IP address against the subjectAltName (SAN) fields in the certificate. It only checks mysql->host, which can be a host name or an IP address. If the user specifies the server's host as a host name, then I don't believe that C/C will verify the certificate using the server's IP address.
With OpenSSL, it just checks mysql->host:
And with Schannel, it also just checks mysql->host:
And with GnuTLS, it also just checks mysql->host:
I see that the IP address is resolved from the host name here:
Can this IP address be saved somewhere, so that it can be used for the server certificate verification step?
Attachments
Issue Links
- relates to
-
MDEV-19560 Client may not compare IP address to Subject Alternative Name fields for server certificate verification
- Closed
-
CONC-250 SSL hostname verification for SubjectAltNames
- Closed
-
MDEV-10594 SSL hostname verification fails for SubjectAltNames
- Closed
-
MDEV-18131 MariaDB does not verify IP addresses from subject alternative names
- Closed