Uploaded image for project: 'MariaDB Connector/C'
  1. MariaDB Connector/C
  2. CONC-447

ERROR 2026 (HY000): SSL connection error: Certificate signature check failed

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 3.1.5
    • Fix Version/s: 3.1.6
    • Labels:
      None

      Description

      https://github.com/HeidiSQL/HeidiSQL/issues/330
      also documented in https://docs.microsoft.com/en-us/azure/mariadb/howto-configure-ssl as
      "When using the MySQL command-line interface on Windows, you may receive an error SSL connection error: Certificate signature check failed. If this occurs, replace the --ssl-mode=REQUIRED --ssl-ca=

      {filepath}

      parameters with --ssl."

      SSL certificate chain validation and revocation list handling in Schannel are broken.
      --ssl-ca and --ssl-crl do not work as expected in Schannel.

      The current handling seems to assume there is a single CA certificate in the ca-certs.pem file, the "issuer". However there many possible imtermediate CA in this file. It also uses the API nobody else is using for similar purposes CertVerifySubjectCertificateContext(). The handling of CRL is equally broken, there seems to be an assumption that there is just a single entry in the crl file.

      What other guys are doing (ex. curl and mongodb) - they load all CA certificates and all CRL entries into chain specific memory store, and validate certificate against the store.

        Attachments

          Activity

            People

            Assignee:
            wlad Vladislav Vaintroub
            Reporter:
            wlad Vladislav Vaintroub
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: