MariaDB Connector/C: CONC-712

MariaDB client requires SSL issued for DNS:localhost to connect through socket

Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 3.4
    • Fix Version/s: 3.4.2
    • Component/s: TLS/SSL
    • Labels: None
    • Environment: Ubuntu 22.04 / Rocky Linux 9

    Description

      MariaDB client fails with an error when it tries to connect to the MariaDB server as the root user through the socket:

      # mariadb --socket=/var/run/mysqld/mysqld.sock
      ERROR 2026 (HY000): TLS/SSL error: Validation of SSL server certificate failed
      #
      

      The only two ways to overcome this so far are either to include "DNS:localhost" in the certificate Subject or Subject Alternative Name list, or to supply --skip-ssl-verify-server-cert to the client:

      # mariadb --skip-ssl-verify-server-cert --socket=/var/run/mysqld/mysqld.sock
      Welcome to the MariaDB monitor.  Commands end with ; or \g.
      Your MariaDB connection id is 52
      Server version: 11.4.2-MariaDB-ubu2204-log mariadb.org binary distribution
       
      Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
       
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
       
      MariaDB [(none)]> SHOW PROCESSLIST;
      +----+-------------+-----------+------+---------+------+--------------------+------------------+----------+
      | Id | User        | Host      | db   | Command | Time | State              | Info             | Progress |
      +----+-------------+-----------+------+---------+------+--------------------+------------------+----------+
      |  1 | system user |           | NULL | Sleep   |  367 | wsrep aborter idle | NULL             |    0.000 |
      |  2 | system user |           | NULL | Sleep   |  367 |                    | NULL             |    0.000 |
      |  8 | system user |           | NULL | Sleep   |  366 | wsrep applier idle | NULL             |    0.000 |
      | 52 | root        | localhost | NULL | Query   |    0 | starting           | SHOW PROCESSLIST |    0.000 |
      +----+-------------+-----------+------+---------+------+--------------------+------------------+----------+
      4 rows in set (0.001 sec)
       
      MariaDB [(none)]> 
      

      However, the second part is slightly trickier on Debian, since the debian-start script still uses /etc/mysql/debian.cnf for service startup.
      So basically, after installation the mariadb service fails to start up due to the same issue, caused by debian-start:

      Jul 10 12:56:11 aio1-galera-container-6507f4ff systemd[1]: Started MariaDB 11.4.2 database server.
      Jul 10 12:56:11 aio1-galera-container-6507f4ff /etc/mysql/debian-start[3799]: Upgrading MySQL tables if necessary.
      Jul 10 12:56:11 aio1-galera-container-6507f4ff mariadbd[3775]: 2024-07-10 12:56:11 10 [Warning] Aborted connection 10 to db: 'unconnected' user: 'unauthenticated' host: 'localhost' (This connection closed normally without authentication)
      Jul 10 12:56:11 aio1-galera-container-6507f4ff /etc/mysql/debian-start[3802]: Reading datadir from the MariaDB server failed. Got the following error when executing the 'mysql' command line client
      Jul 10 12:56:11 aio1-galera-container-6507f4ff /etc/mysql/debian-start[3802]: ERROR 2026 (HY000): TLS/SSL error: Validation of SSL server certificate failed
      Jul 10 12:56:11 aio1-galera-container-6507f4ff /etc/mysql/debian-start[3802]: FATAL ERROR: Upgrade failed
      Jul 10 12:56:11 aio1-galera-container-6507f4ff /etc/mysql/debian-start[3808]: Checking for insecure root accounts.
      Jul 10 12:56:12 aio1-galera-container-6507f4ff debian-start[3811]: ERROR 2026 (HY000): TLS/SSL error: Validation of SSL server certificate failed
      Jul 10 12:56:12 aio1-galera-container-6507f4ff mariadbd[3775]: 2024-07-10 12:56:12 11 [Warning] Aborted connection 11 to db: 'unconnected' user: 'unauthenticated' host: 'localhost' (This connection closed normally without authentication)
      

      The certificate is issued as follows:

      Certificate:
          Data:
              Version: 3 (0x2)
              Serial Number:
                  38:3f:74:b2:e5:7d:40:55:17:c8:1c:75:89:c7:4e:5d:6d:4b:f3:56
              Signature Algorithm: sha256WithRSAEncryption
              Issuer: C = GB, ST = England, CN = Example Corp Openstack Infrastructure Intermediate CA
              Validity
                  Not Before: Jul 10 12:48:25 2024 GMT
                  Not After : Jul  8 12:48:25 2034 GMT
              Subject: CN = aio1-galera-container-6507f4ff
              Subject Public Key Info:
                  Public Key Algorithm: rsaEncryption
                      Public-Key: (4096 bit)
                      Modulus:
                          ...
                      Exponent: 65537 (0x10001)
              X509v3 extensions:
                  X509v3 Subject Alternative Name: 
                      DNS:aio1-galera-container-6507f4ff, IP Address:172.29.236.101, IP Address:172.29.236.102
                  X509v3 Subject Key Identifier: 
                      D4:36:68:9B:62:A5:DE:DC:0B:8A:43:DC:E5:3B:E5:5B:E7:06:D4:4F
                  X509v3 Authority Key Identifier: 
                      2F:51:75:41:49:74:B2:81:B3:84:FB:FE:26:F4:09:DD:AB:09:D8:04
          Signature Algorithm: sha256WithRSAEncryption
          Signature Value:
              ...
      

      If I add "DNS:localhost" to the SAN, the client stops failing to connect:

      # openssl x509 -in /etc/ssl/certs/galera.pem -noout -text
      Certificate:
          Data:
              Version: 3 (0x2)
              Serial Number:
                  18:c7:e5:24:3b:ec:83:28:2d:19:8f:79:90:f7:a2:04:f1:d7:7f:1f
              Signature Algorithm: sha256WithRSAEncryption
              Issuer: C = GB, ST = England, CN = Example Corp Openstack Infrastructure Intermediate CA
              Validity
                  Not Before: Jul 10 13:04:14 2024 GMT
                  Not After : Jul  8 13:04:14 2034 GMT
              Subject: CN = aio1-galera-container-6507f4ff
              Subject Public Key Info:
                  Public Key Algorithm: rsaEncryption
                      Public-Key: (4096 bit)
                      Modulus:
                          ...
                      Exponent: 65537 (0x10001)
              X509v3 extensions:
                  X509v3 Subject Alternative Name: 
                      DNS:aio1-galera-container-6507f4ff, IP Address:172.29.236.101, DNS:localhost, IP Address:172.29.236.102
                  X509v3 Subject Key Identifier: 
                      AB:04:32:1C:20:3E:96:6F:55:EA:C0:F6:D2:48:E8:DE:C3:66:5E:5E
                  X509v3 Authority Key Identifier: 
                      2F:51:75:41:49:74:B2:81:B3:84:FB:FE:26:F4:09:DD:AB:09:D8:04
          Signature Algorithm: sha256WithRSAEncryption
          Signature Value:
              ...
      root@aio1-galera-container-6507f4ff:/# mariadb --socket=/var/run/mysqld/mysqld.sock
      Welcome to the MariaDB monitor.  Commands end with ; or \g.
      Your MariaDB connection id is 45
      Server version: 11.4.2-MariaDB-ubu2204-log mariadb.org binary distribution
       
      Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
       
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
       
      MariaDB [(none)]> SHOW VARIABLES LIKE 'have_ssl';
      +---------------+-------+
      | Variable_name | Value |
      +---------------+-------+
      | have_ssl      | YES   |
      +---------------+-------+
      1 row in set (0.001 sec)
       
      MariaDB [(none)]> SHOW SESSION STATUS LIKE 'Ssl_cipher';
      +---------------+------------------------+
      | Variable_name | Value                  |
      +---------------+------------------------+
      | Ssl_cipher    | TLS_AES_256_GCM_SHA384 |
      +---------------+------------------------+
      1 row in set (0.001 sec)
       
      MariaDB [(none)]> SHOW PROCESSLIST;
      +----+-------------+-----------+------+---------+------+--------------------+------------------+----------+
      | Id | User        | Host      | db   | Command | Time | State              | Info             | Progress |
      +----+-------------+-----------+------+---------+------+--------------------+------------------+----------+
      |  1 | system user |           | NULL | Sleep   |  167 |                    | NULL             |    0.000 |
      |  2 | system user |           | NULL | Sleep   |  167 | wsrep aborter idle | NULL             |    0.000 |
      |  7 | system user |           | NULL | Sleep   |  166 | wsrep applier idle | NULL             |    0.000 |
      | 45 | root        | localhost | NULL | Query   |    0 | starting           | SHOW PROCESSLIST |    0.000 |
      +----+-------------+-----------+------+---------+------+--------------------+------------------+----------+
      4 rows in set (0.000 sec)
       
      MariaDB [(none)]>
      

      Please let me know if you're interested in any configuration options.
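
      The report shows the same certificate failing until DNS:localhost is added to its SAN. As an added example (not part of the bug report and not MariaDB Connector/C code), the following shell script reproduces that hostname check offline with OpenSSL's own verifier standing in for the client: it mints two throwaway self-signed certificates carrying the two SAN lists shown above (node name and IPs copied from the report; the file names, the OpenSSL 1.1.1+ requirement for `req -addext`, and the CA-file handling are assumptions) and asks whether each one covers localhost. It does not exercise the MariaDB client itself, and the TLS backend compiled into Connector/C may differ in detail from OpenSSL's verifier.

```shell
#!/bin/sh
# Added example (not from the bug report or from MariaDB): reproduce the
# server-certificate hostname check with OpenSSL's verifier. Assumes an
# openssl binary 1.1.1 or newer on PATH (needed for `req -addext`). Hostnames
# and IPs are copied from the report; file names are constructed for the demo.

# make_cert OUT.pem "SAN list": throwaway self-signed cert with the given SAN
# entries. The private key is written beside it as OUT.key (demo material only).
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=aio1-galera-container-6507f4ff" \
    -addext "subjectAltName=$2" \
    -keyout "${1%.pem}.key" -out "$1" >/dev/null 2>&1
}

# cert_matches_host CERT.pem HOST [CAFILE]: exit 0 if HOST is covered by the
# certificate's DNS SAN entries, 1 otherwise (OpenSSL error 62, hostname
# mismatch). Once a SAN extension is present, OpenSSL does not fall back to the
# Subject CN. CAFILE defaults to the cert itself, which suffices for a
# self-signed cert; pass the issuing CA bundle to check a CA-issued certificate
# such as /etc/ssl/certs/galera.pem (path from the report).
cert_matches_host() {
  openssl verify -CAfile "${3:-$1}" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# cert_matches_ip CERT.pem IP [CAFILE]: the same check for IP Address entries.
cert_matches_ip() {
  openssl verify -CAfile "${3:-$1}" -verify_ip "$2" "$1" >/dev/null 2>&1
}

# report CERT.pem NAME: one readable line per check.
report() {
  if cert_matches_host "$1" "$2"; then
    echo "$1: $2 -> OK"
  else
    echo "$1: $2 -> hostname mismatch"
  fi
}

demo() {
  dir=$(mktemp -d)
  # SAN list of the certificate as originally issued in the report.
  make_cert "$dir/galera.pem" \
    "DNS:aio1-galera-container-6507f4ff,IP:172.29.236.101,IP:172.29.236.102"
  # SAN list after the reporter added DNS:localhost.
  make_cert "$dir/galera-localhost.pem" \
    "DNS:aio1-galera-container-6507f4ff,IP:172.29.236.101,DNS:localhost,IP:172.29.236.102"

  report "$dir/galera.pem" localhost                          # mismatch
  report "$dir/galera.pem" aio1-galera-container-6507f4ff     # OK
  report "$dir/galera-localhost.pem" localhost                # OK
  rm -rf "$dir"
}

demo
```

      Run it as-is to see the two outcomes side by side; to test a real server certificate, call cert_matches_host with the certificate path, localhost, and the CA bundle the client trusts. A mismatch on localhost with the first certificate and a match with the second is exactly the difference the two mariadb invocations above exhibit, which is why only the SAN edit or --skip-ssl-verify-server-cert made the socket connection succeed.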

    Activity

            serg Sergei Golubchik added a comment -

            I see, your certificates are installed in a system-wide trusted cert store. unix socket connections ignore the "self-signed certificate" error, but not other errors.

            But I suppose it makes sense to ignore the host mismatch error as well, if the connection uses a unix socket (or other secure transport, as defined in the source code, e.g. named pipes).

            noonedeadpunk Dmitriy Rabotyagov added a comment -

            Well, our RootCA is indeed installed in a system-wide store. But even if we are to provide valid TLS certificates, not self-signed ones, there's kind of almost no way to get them working today without issuing them for "DNS:localhost".
            And if you're to use any ACME - I don't think it would even be possible to do anything like that.

            So in the "real world" it's less likely to get the "self-signed" error (unless the end user doesn't care about certificates at all), but very likely to get a hostname mismatch, as issuing a certificate for "localhost" is extremely confusing.

            serg Sergei Golubchik added a comment -

            That's why the bug is confirmed and assigned, and we hope to get it fixed in the next release.

            noonedeadpunk Dmitriy Rabotyagov added a comment -

            Ah, ok, thanks a lot for taking time on this one. Having it targeted for the next release is especially nice!

            noonedeadpunk Dmitriy Rabotyagov added a comment -

            Hey,

            Sorry, can I ask about any progress on this issue? We hoped to be able to perform upgrades to 11.4, though this is kind of a blocker at the moment.
            So I was wondering if it's anywhere on the roadmap or not yet?

            serg Sergei Golubchik added a comment -

            Yes, definitely. I've bumped the related MDEV-34730 to Blocker, so now it blocks the release, and we won't release until it's fixed.
            georg Georg Richter added a comment -

            Fixed in rev dfdf3f7557670ba0c2195af656ddf916b067cfab

            People

              Assignee: georg Georg Richter
              Reporter: noonedeadpunk Dmitriy Rabotyagov