Project: MariaDB Connector/C
Issue: CONC-413

C/C may not compare IP address to Subject Alternative Name fields for server certificate verification


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.0.8, 3.1.0
    • Fix Version/s: 3.3
    • Component/s: TLS/SSL
    • Labels: None

    Description

      Support for server certificate verification against subjectAltName (SAN) fields was added in the following Jira issues:

      This seems to be supported with OpenSSL, Schannel, and GnuTLS.

      However, I noticed that C/C does not necessarily check the server's IP address against the subjectAltName (SAN) fields in the certificate. It only checks mysql->host, which can be a host name or an IP address. If the user specifies the server's host as a host name, then I don't believe that C/C will verify the certificate using the server's IP address.

      With OpenSSL, it just checks mysql->host:

      https://github.com/MariaDB/mariadb-connector-c/blob/b50871611764d282874ad095d6c021163d1fe354/libmariadb/secure/openssl.c#L814

      And with Schannel, it also just checks mysql->host:

      https://github.com/MariaDB/mariadb-connector-c/blob/b50871611764d282874ad095d6c021163d1fe354/libmariadb/secure/schannel.c#L440

      https://github.com/MariaDB/mariadb-connector-c/blob/b50871611764d282874ad095d6c021163d1fe354/libmariadb/secure/schannel.c#L501

      And with GnuTLS, it also just checks mysql->host:

      https://github.com/MariaDB/mariadb-connector-c/blob/b50871611764d282874ad095d6c021163d1fe354/libmariadb/secure/gnutls.c#L1427

      https://github.com/MariaDB/mariadb-connector-c/blob/b50871611764d282874ad095d6c021163d1fe354/libmariadb/secure/gnutls.c#L1474

      I see that the IP address is resolved from the host name here:

      https://github.com/MariaDB/mariadb-connector-c/blob/b50871611764d282874ad095d6c021163d1fe354/plugins/pvio/pvio_socket.c#L848

      Can this IP address be saved somewhere, so that it can be used for the server certificate verification step?
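The following is an added example and not code from Connector/C or the reporter; it shows the reference-identity matching that sits behind the report above, with the subjectAltName sets constructed inline rather than read from a real certificate. The matcher follows the RFC 5280/RFC 6125 rules: the string the client was asked to connect to (what `mysql->host` holds) is compared to iPAddress entries in binary form if it is an IP literal, and to dNSName entries (case-insensitively, with a single leftmost-label wildcard) otherwise. The `kIpOnlySan` case reproduces the situation the report describes: a certificate carrying only the server's IP address, a client given a hostname, and no match because the resolved address is never consulted.

```c
/* Added example (not Connector/C code): match a connection's reference identity
 * against a certificate's subjectAltName entries the way RFC 5280/6125 require. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

typedef enum { SAN_DNS, SAN_IP } san_type;

typedef struct {
    san_type type;
    const char *value;  /* dNSName text, or iPAddress in dotted/colon text form */
} san_entry;

/* Constructed sample SAN sets standing in for three server certificates. */
const san_entry kDualSan[]   = { {SAN_DNS, "db.example.com"},
                                 {SAN_IP,  "192.0.2.10"},
                                 {SAN_IP,  "2001:db8::10"} };
const san_entry kIpOnlySan[] = { {SAN_IP,  "192.0.2.10"} };
const san_entry kWildSan[]   = { {SAN_DNS, "*.example.com"} };

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Parse an IP literal into binary form; returns the address family, or 0 if
 * the string is not an IPv4/IPv6 literal (i.e. it is to be treated as a name). */
static int parse_ip(const char *s, unsigned char out[16]) {
    if (inet_pton(AF_INET, s, out) == 1) return AF_INET;
    if (inet_pton(AF_INET6, s, out) == 1) return AF_INET6;
    return 0;
}

/* dNSName comparison: case-insensitive; a leading "*." may stand for exactly
 * one non-empty leftmost label (RFC 6125 section 6.4.3). */
static int dns_matches(const char *pattern, const char *host) {
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host) return 0;  /* need a label before the dot */
        return strcasecmp(pattern + 1, dot) == 0;  /* compare the ".example.com" tails */
    }
    return strcasecmp(pattern, host) == 0;
}

/* Returns 1 if `host` (the identity the client was told to connect to) matches
 * a SAN entry of the matching kind, 0 otherwise. An IP literal is compared only
 * to iPAddress entries, a hostname only to dNSName entries; nothing here looks
 * at what the hostname resolves to. */
int san_matches(const char *host, const san_entry *sans, size_t n) {
    unsigned char want[16], have[16];
    int fam = parse_ip(host, want);
    size_t len = (fam == AF_INET) ? 4 : 16;

    for (size_t i = 0; i < n; i++) {
        if (fam != 0) {
            if (sans[i].type != SAN_IP) continue;
            if (parse_ip(sans[i].value, have) == fam && memcmp(want, have, len) == 0)
                return 1;
        } else if (sans[i].type == SAN_DNS && dns_matches(sans[i].value, host)) {
            return 1;
        }
    }
    return 0;
}

int main(void) {
    /* Cert with both name and address: matches whichever form the client used. */
    printf("dual cert, host name   -> %d\n", san_matches("db.example.com", kDualSan, COUNT(kDualSan)));
    printf("dual cert, IPv4 literal-> %d\n", san_matches("192.0.2.10", kDualSan, COUNT(kDualSan)));
    printf("dual cert, IPv6 literal-> %d\n", san_matches("2001:DB8:0:0:0:0:0:10", kDualSan, COUNT(kDualSan)));
    /* The reported case: IP-only cert, client given the host name. */
    printf("ip-only cert, host name-> %d\n", san_matches("db.example.com", kIpOnlySan, COUNT(kIpOnlySan)));
    printf("ip-only cert, IPv4     -> %d\n", san_matches("192.0.2.10", kIpOnlySan, COUNT(kIpOnlySan)));
    /* Wildcard covers one label only. */
    printf("wildcard, api.example  -> %d\n", san_matches("api.example.com", kWildSan, COUNT(kWildSan)));
    printf("wildcard, a.b.example  -> %d\n", san_matches("a.b.example.com", kWildSan, COUNT(kWildSan)));
    return 0;
}
```

The IPv6 case shows why iPAddress entries are compared in binary rather than as text: `2001:DB8:0:0:0:0:0:10` and `2001:db8::10` are the same address. The dual-SAN set also shows the deployment-side mitigation available today: a server certificate that lists both the DNS name and the IP address verifies regardless of which form the client passes as the host.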

            People

              Assignee: Georg Richter (georg)
              Reporter: Geoff Montee (GeoffMontee, Inactive)