MariaDB Server / MDEV-10594

SSL hostname verification fails for SubjectAltNames

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.50, 10.1.16
    • Fix Version/s: 10.1.23, 10.2.6
    • Component/s: SSL
    • Labels: None

    Description

      The SSL hostname verification code currently fails to validate server certificates with SubjectAltName entries.

      $ sudo openssl x509 -in /etc/pki/tls/certs/mariadb.pem -noout -text | grep -e DNS -e CN
              Issuer: O=STEFANY.EU, CN=Certificate Authority
              Subject: O=STEFANY.EU, CN=dbms1.stefany.eu
                      DNS:dbms2.stefany.eu, DNS:galera.stefany.eu, othername:<unsupported>, othername:<unsupported>
      $ sudo openssl x509 -in /etc/pki/tls/certs/mariadb.pem -noout -text | grep -e DNS -e CN
              Issuer: O=STEFANY.EU, CN=Certificate Authority
              Subject: O=STEFANY.EU, CN=dbms2.stefany.eu
                      DNS:dbms1.stefany.eu, DNS:galera.stefany.eu, othername:<unsupported>, othername:<unsupported>
      $ sudo openssl x509 -in /etc/pki/tls/certs/mariadb.pem -noout -text | grep -e DNS -e CN
              Issuer: O=STEFANY.EU, CN=Certificate Authority
              Subject: O=STEFANY.EU, CN=dbms3.stefany.eu
                      DNS:dbms3.stefany.eu, DNS:galera.stefany.eu, othername:<unsupported>, othername:<unsupported>
      

      All versions work with (dbms*):

      mysql -h dbms1.stefany.eu -u someuser -p
      

      But none works for:

      mysql -h galera.stefany.eu -u someuser -p
      

      Version 5.5.50 fails to connect as:

      ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure
      

      while version 10.1.16 fails to connect as:

      ERROR 2003 (HY000): Can't connect to MySQL server on 'galera.stefany.eu' (111 "Connection refused")
      

      or:

      ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 104 "Connection reset by peer"
      

      Contents of /etc/my.cnf.d/client.cnf would be as follows:

      [...]
      [client]
      ssl-ca=/etc/ipa/ca.crt
      ssl-cipher=TLSv1.2
      ssl-verify-server-cert
      [...]
      

          Activity

            georg Georg Richter added a comment -

            Patch attached. This will work for OpenSSL versions 1.0.2 and newer (1.0.1 eoled end of 2016). In case we want to fix it also in yassl or for older OpenSSL versions please check OpenSSL wiki

            loopsysdev Loop system developers added a comment -

            I think the return code from X509_check_host is handled wrongly. ssl_verify_server_cert treats only negative return values ("< 0") as valid, but the man page of X509_check_host says 1 is "a successful match". So on a successful match the #else is skipped, the error pointer is set to "SSL certificate validation failure", and the return value ends up being 1 (that is, failure).

            serg Sergei Golubchik added a comment -

            Right. But don't look at the attached patch. This is the actual commit that got into the source tree, it uses

              ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1;
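The two comments above turn on how the result of X509_check_host is interpreted. The following is an added example, not MariaDB or OpenSSL source: model_check_host is a constructed stand-in for X509_check_host(cert, host, 0, 0, 0) that follows the same return contract (1 match, 0 mismatch, -1 error) and the same SubjectAltName-before-CN rule, so it builds without libcrypto. The two ret_validation_* functions are this example's rendering of the "only negative is valid" handling described in the second comment and of the "!= 1" check from the commit; the pre-fix MariaDB code itself is not on this page. The sample certificate is constructed from the third certificate in the report (othername entries dropped).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the X509_check_host() return contract:
 *    1  peer name matched a SubjectAltName dNSName (or, when the
 *       certificate carries no dNSName entries, the Subject CN)
 *    0  no match
 *   -1  internal error (malformed input etc.)
 */

#define MAX_SAN 8

struct cert_model {
    const char *cn;               /* Subject CN */
    const char *san[MAX_SAN];     /* SubjectAltName DNS: entries */
    int nsan;
};

/* Case-insensitive equality of two host names. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Match one certificate name against the host being connected to.
 * A leading "*." stands for exactly one leftmost label. */
static int dns_name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)
            return 0;
        return ieq(pattern + 2, dot + 1);
    }
    return ieq(pattern, host);
}

/* Stand-in for X509_check_host(cert, host, 0, 0, 0). */
int model_check_host(const struct cert_model *c, const char *host)
{
    if (c == NULL || host == NULL || host[0] == '\0')
        return -1;                          /* error, not a mismatch */
    if (c->nsan > 0) {                      /* dNSName SANs present: CN is ignored */
        for (int i = 0; i < c->nsan; i++)
            if (dns_name_matches(c->san[i], host))
                return 1;
        return 0;
    }
    return (c->cn != NULL && dns_name_matches(c->cn, host)) ? 1 : 0;
}

/* Both return ret_validation the way ssl_verify_server_cert reports it:
 * 0 means the certificate was accepted, 1 means validation failed. */

/* Handling criticised in the comment above: only a negative return is
 * treated as valid, so a real match (1) is reported as a failure and an
 * internal error (-1) is silently accepted. */
int ret_validation_negative_is_ok(const struct cert_model *c, const char *host)
{
    int rc = model_check_host(c, host);
    return rc < 0 ? 0 : 1;
}

/* The committed fix: anything other than 1 is a validation failure. */
int ret_validation_fixed(const struct cert_model *c, const char *host)
{
    return model_check_host(c, host) != 1;
}

/* Constructed from the third certificate in the report. */
const struct cert_model dbms3_cert = {
    "dbms3.stefany.eu", { "dbms3.stefany.eu", "galera.stefany.eu" }, 2
};

/* Constructed wildcard certificate, to exercise the "*." rule. */
const struct cert_model wildcard_cert = {
    "*.stefany.eu", { "*.stefany.eu" }, 1
};

int main(void)
{
    const char *hosts[] = { "galera.stefany.eu", "dbms3.stefany.eu", "dbms1.stefany.eu", "" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-20s check_host=%2d  '<0 is ok' fails=%d  '!=1' fails=%d\n",
               hosts[i], model_check_host(&dbms3_cert, hosts[i]),
               ret_validation_negative_is_ok(&dbms3_cert, hosts[i]),
               ret_validation_fixed(&dbms3_cert, hosts[i]));
    return 0;
}
```

With the "< 0" interpretation every matching host, including galera.stefany.eu, is rejected, while an empty or malformed host name (the -1 path) is accepted, which is why the only safe comparison is against the single success value.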

            People

              Assignee: serg Sergei Golubchik
              Reporter: mstefany Martin Štefany
              Votes: 1
              Watchers: 8
