Uploaded image for project: 'MariaDB Connector/C'
  1. MariaDB Connector/C
  2. CONC-413

C/C may not compare IP address to Subject Alternative Name fields for server certificate verification

    XMLWordPrintable

Details

    • Bug
    • Status: Open (View Workflow)
    • Major
    • Resolution: Unresolved
    • 3.0.8, 3.1.0
    • 3.3
    • None
    • None

    Description

      Support for server certificate verification against subjectAltName (SAN) fields was added in the following Jira issues:

      This seems to be supported with OpenSSL, Schannel, and GnuTLS.

      However, I noticed that C/C does not necessarily check the server's IP address against the subjectAltName (SAN) fields in the certificate. It only checks mysql->host, which can be a host name or an IP address. If the user specifies the server's host as a host name, then I don't believe that C/C will verify the certificate using the server's IP address.

      With OpenSSL, it just checks mysql->host:

      https://github.com/MariaDB/mariadb-connector-c/blob/b50871611764d282874ad095d6c021163d1fe354/libmariadb/secure/openssl.c#L814

      And with Schannel, it also just checks mysql->host:

      https://github.com/MariaDB/mariadb-connector-c/blob/b50871611764d282874ad095d6c021163d1fe354/libmariadb/secure/schannel.c#L440

      https://github.com/MariaDB/mariadb-connector-c/blob/b50871611764d282874ad095d6c021163d1fe354/libmariadb/secure/schannel.c#L501

      And with GnuTLS, it also just checks mysql->host:

      https://github.com/MariaDB/mariadb-connector-c/blob/b50871611764d282874ad095d6c021163d1fe354/libmariadb/secure/gnutls.c#L1427

      https://github.com/MariaDB/mariadb-connector-c/blob/b50871611764d282874ad095d6c021163d1fe354/libmariadb/secure/gnutls.c#L1474

      I see that the IP address is resolved from the host name here:

      https://github.com/MariaDB/mariadb-connector-c/blob/b50871611764d282874ad095d6c021163d1fe354/plugins/pvio/pvio_socket.c#L848

      Can this IP address be saved somewhere, so that it can be used for the server certificate verification step?

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-19560 Client may not compare IP address to Subject Alternative Name fields for server certificate verification

          • Major - Major loss of function.
          • Closed

          Task - A task that needs to be done. CONC-250 SSL hostname verification for SubjectAltNames

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-10594 SSL hostname verification fails for SubjectAltNames

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-18131 MariaDB does not verify IP addresses from subject alternative names

          • Major - Major loss of function.
          • Closed

          Activity

            People

              georg Georg Richter
              GeoffMontee Geoff Montee (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.