Uploaded image for project: 'MariaDB Connector/C'
  1. MariaDB Connector/C
  2. CONC-447

ERROR 2026 (HY000): SSL connection error: Certificate signature check failed

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Critical
    • Resolution: Fixed
    • 3.1.5
    • 3.1.6
    • None
    • None

    Description

      https://github.com/HeidiSQL/HeidiSQL/issues/330
      also documented in https://docs.microsoft.com/en-us/azure/mariadb/howto-configure-ssl as
      "When using the MySQL command-line interface on Windows, you may receive an error SSL connection error: Certificate signature check failed. If this occurs, replace the --ssl-mode=REQUIRED --ssl-ca=

      {filepath}

      parameters with --ssl."

      SSL certificate chain validation and revocation list handling in Schannel are broken.
      --ssl-ca and --ssl-crl do not work as expected in Schannel.

      The current handling seems to assume there is a single CA certificate in the ca-certs.pem file, the "issuer". However there many possible imtermediate CA in this file. It also uses the API nobody else is using for similar purposes CertVerifySubjectCertificateContext(). The handling of CRL is equally broken, there seems to be an assumption that there is just a single entry in the crl file.

      What other guys are doing (ex. curl and mongodb) - they load all CA certificates and all CRL entries into chain specific memory store, and validate certificate against the store.

      Attachments

        Activity

          People

            wlad Vladislav Vaintroub
            wlad Vladislav Vaintroub
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.