Details
-
Bug
-
Status: Closed (View Workflow)
-
Critical
-
Resolution: Fixed
-
3.1.5
-
None
-
None
Description
https://github.com/HeidiSQL/HeidiSQL/issues/330
also documented in https://docs.microsoft.com/en-us/azure/mariadb/howto-configure-ssl as
"When using the MySQL command-line interface on Windows, you may receive an error SSL connection error: Certificate signature check failed. If this occurs, replace the --ssl-mode=REQUIRED --ssl-ca=
parameters with --ssl."
SSL certificate chain validation and revocation list handling in Schannel are broken.
--ssl-ca and --ssl-crl do not work as expected in Schannel.
The current handling seems to assume there is a single CA certificate in the ca-certs.pem file, the "issuer". However there many possible imtermediate CA in this file. It also uses the API nobody else is using for similar purposes CertVerifySubjectCertificateContext(). The handling of CRL is equally broken, there seems to be an assumption that there is just a single entry in the crl file.
What other guys are doing (ex. curl and mongodb) - they load all CA certificates and all CRL entries into chain specific memory store, and validate certificate against the store.
Attachments
Activity
| Field | Original Value | New Value |
|---|---|---|
| Description |
--ssl-ca and --ssl-crl do not work as expected in Schannel.
The current handling seems to assume there is a single CA certificate in the ca-certs.pem file, the "issuer". However there many possible imtermediate CA in this file. It also uses the API nobody else is using for similar purposes CertVerifySubjectCertificateContext(). The handling of CRL is equally broken, there seems to be an assumption that there is just a single entry in the crl file. What other guys are doing (ex. curl and mongodb) -the create a chain engine, load all CA certificates and all CRL entries into chain specific store, and validate against the store. |
SSL certificate chain validation and revocation list handling in Schannel are broken.
--ssl-ca and --ssl-crl do not work as expected in Schannel. The current handling seems to assume there is a single CA certificate in the ca-certs.pem file, the "issuer". However there many possible imtermediate CA in this file. It also uses the API nobody else is using for similar purposes CertVerifySubjectCertificateContext(). The handling of CRL is equally broken, there seems to be an assumption that there is just a single entry in the crl file. What other guys are doing (ex. curl and mongodb) -the create a chain engine, load all CA certificates and all CRL entries into chain specific store, and validate against the store. |
| Summary | SSL certificate chain validation and revocation list handling in Schannel are broken. | ERROR 2026 (HY000): SSL connection error: Certificate signature check failed |
| Description |
SSL certificate chain validation and revocation list handling in Schannel are broken.
--ssl-ca and --ssl-crl do not work as expected in Schannel. The current handling seems to assume there is a single CA certificate in the ca-certs.pem file, the "issuer". However there many possible imtermediate CA in this file. It also uses the API nobody else is using for similar purposes CertVerifySubjectCertificateContext(). The handling of CRL is equally broken, there seems to be an assumption that there is just a single entry in the crl file. What other guys are doing (ex. curl and mongodb) -the create a chain engine, load all CA certificates and all CRL entries into chain specific store, and validate against the store. |
https://github.com/HeidiSQL/HeidiSQL/issues/330 SSL certificate chain validation and revocation list handling in Schannel are broken. --ssl-ca and --ssl-crl do not work as expected in Schannel. The current handling seems to assume there is a single CA certificate in the ca-certs.pem file, the "issuer". However there many possible imtermediate CA in this file. It also uses the API nobody else is using for similar purposes CertVerifySubjectCertificateContext(). The handling of CRL is equally broken, there seems to be an assumption that there is just a single entry in the crl file. What other guys are doing (ex. curl and mongodb) -the create a chain engine, load all CA certificates and all CRL entries into chain specific store, and validate against the store. |
| Priority | Major [ 3 ] | Critical [ 2 ] |
| Description |
https://github.com/HeidiSQL/HeidiSQL/issues/330 SSL certificate chain validation and revocation list handling in Schannel are broken. --ssl-ca and --ssl-crl do not work as expected in Schannel. The current handling seems to assume there is a single CA certificate in the ca-certs.pem file, the "issuer". However there many possible imtermediate CA in this file. It also uses the API nobody else is using for similar purposes CertVerifySubjectCertificateContext(). The handling of CRL is equally broken, there seems to be an assumption that there is just a single entry in the crl file. What other guys are doing (ex. curl and mongodb) -the create a chain engine, load all CA certificates and all CRL entries into chain specific store, and validate against the store. |
https://github.com/HeidiSQL/HeidiSQL/issues/330
also documented in https://docs.microsoft.com/en-us/azure/mariadb/howto-configure-ssl as "When using the MySQL command-line interface on Windows, you may receive an error SSL connection error: Certificate signature check failed. If this occurs, replace the --ssl-mode=REQUIRED --ssl-ca={filepath} parameters with --ssl." SSL certificate chain validation and revocation list handling in Schannel are broken. --ssl-ca and --ssl-crl do not work as expected in Schannel. The current handling seems to assume there is a single CA certificate in the ca-certs.pem file, the "issuer". However there many possible imtermediate CA in this file. It also uses the API nobody else is using for similar purposes CertVerifySubjectCertificateContext(). The handling of CRL is equally broken, there seems to be an assumption that there is just a single entry in the crl file. What other guys are doing (ex. curl and mongodb) -the create a chain engine, load all CA certificates and all CRL entries into chain specific store, and validate against the store. |
| Description |
https://github.com/HeidiSQL/HeidiSQL/issues/330
also documented in https://docs.microsoft.com/en-us/azure/mariadb/howto-configure-ssl as "When using the MySQL command-line interface on Windows, you may receive an error SSL connection error: Certificate signature check failed. If this occurs, replace the --ssl-mode=REQUIRED --ssl-ca={filepath} parameters with --ssl." SSL certificate chain validation and revocation list handling in Schannel are broken. --ssl-ca and --ssl-crl do not work as expected in Schannel. The current handling seems to assume there is a single CA certificate in the ca-certs.pem file, the "issuer". However there many possible imtermediate CA in this file. It also uses the API nobody else is using for similar purposes CertVerifySubjectCertificateContext(). The handling of CRL is equally broken, there seems to be an assumption that there is just a single entry in the crl file. What other guys are doing (ex. curl and mongodb) -the create a chain engine, load all CA certificates and all CRL entries into chain specific store, and validate against the store. |
https://github.com/HeidiSQL/HeidiSQL/issues/330
also documented in https://docs.microsoft.com/en-us/azure/mariadb/howto-configure-ssl as "When using the MySQL command-line interface on Windows, you may receive an error SSL connection error: Certificate signature check failed. If this occurs, replace the --ssl-mode=REQUIRED --ssl-ca={filepath} parameters with --ssl." SSL certificate chain validation and revocation list handling in Schannel are broken. --ssl-ca and --ssl-crl do not work as expected in Schannel. The current handling seems to assume there is a single CA certificate in the ca-certs.pem file, the "issuer". However there many possible imtermediate CA in this file. It also uses the API nobody else is using for similar purposes CertVerifySubjectCertificateContext(). The handling of CRL is equally broken, there seems to be an assumption that there is just a single entry in the crl file. What other guys are doing (ex. curl and mongodb) - they load all CA certificates and all CRL entries into chain specific memory store, and validate certificate against the store. |
| Affects Version/s | 3.1.5 [ 24016 ] |
| Fix Version/s | 3.1 [ 23223 ] |
| Fix Version/s | 3.1.6 [ 24033 ] | |
| Fix Version/s | 3.1 [ 23223 ] |
| issue.field.resolutiondate | 2019-12-08 17:30:42.0 | 2019-12-08 17:30:42.399 |
| Resolution | Fixed [ 1 ] | |
| Status | Open [ 1 ] | Closed [ 6 ] |
| Workflow | MariaDB connectors [ 101568 ] | MariaDB v4 [ 161191 ] |