[MDEV-10594] SSL hostname verification fails for SubjectAltNames - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 5.5.50, 10.1.16
Fix Version/s: 10.1.23, 10.2.6
Component/s: SSL
Labels:
None

Description

The SSL hostname verification code currently fails to validate server certificates with a SubjectAltName entries.

$ sudo openssl x509 -in /etc/pki/tls/certs/mariadb.pem -noout -text | grep -e DNS -e CN

        Issuer: O=STEFANY.EU, CN=Certificate Authority

        Subject: O=STEFANY.EU, CN=dbms1.stefany.eu

                DNS:dbms2.stefany.eu, DNS:galera.stefany.eu, othername:<unsupported>, othername:<unsupported>

$ sudo openssl x509 -in /etc/pki/tls/certs/mariadb.pem -noout -text | grep -e DNS -e CN

        Issuer: O=STEFANY.EU, CN=Certificate Authority

        Subject: O=STEFANY.EU, CN=dbms2.stefany.eu

                DNS:dbms1.stefany.eu, DNS:galera.stefany.eu, othername:<unsupported>, othername:<unsupported>

$ sudo openssl x509 -in /etc/pki/tls/certs/mariadb.pem -noout -text | grep -e DNS -e CN

        Issuer: O=STEFANY.EU, CN=Certificate Authority

        Subject: O=STEFANY.EU, CN=dbms3.stefany.eu

                DNS:dbms3.stefany.eu, DNS:galera.stefany.eu, othername:<unsupported>, othername:<unsupported>

All versions work with (dbms*):

mysql -h dbms1.stefany.eu -u someuser -p

But none works for:

mysql -h galera.stefany.eu -u someuser -p

Version 5.5.50 fails to connect as:

ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure

while version 10.1.16 fails to connect as:

ERROR 2003 (HY000): Can't connect to MySQL server on 'galera.stefany.eu' (111 "Connection refused")

or:

ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 104 "Connection reset by peer"

Contents of /etc/my.cnf.d/client.cnf would be as follows:

[...]

[client]

ssl-ca=/etc/ipa/ca.crt

ssl-cipher=TLSv1.2

ssl-verify-server-cert

[...]

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

MDEV_10594.patch
2017-01-24 15:22
2 kB
Georg Richter

Issue Links

includes

MDEV-13102 “SSL certificate validation failure” when verifying wildcard server certificate

Closed

relates to

CONC-413 C/C may not compare IP address to Subject Alternative Name fields for server certificate verification

Open

MDEV-19560 Client may not compare IP address to Subject Alternative Name fields for server certificate verification

Closed

CONC-250 SSL hostname verification for SubjectAltNames

Closed

MDEV-18131 MariaDB does not verify IP addresses from subject alternative names

Closed

MDEV-18277 Client can't validate server certificate if SAN name used.

Closed

(1 relates to)

Activity

Ascending order - Click to sort in descending order

Georg Richter added a comment - 2017-01-24 15:28

Patch attached. This will work for OpenSSL versions 1.0.2 and newer (1.0.1 eoled end of 2016). In case we want to fix it also in yassl or for older OpenSSL versions please check OpenSSL wiki

Georg Richter added a comment - 2017-01-24 15:28 Patch attached. This will work for OpenSSL versions 1.0.2 and newer (1.0.1 eoled end of 2016). In case we want to fix it also in yassl or for older OpenSSL versions please check OpenSSL wiki

Loop system developers added a comment - 2017-06-16 13:43

I think the return code from X509_check_host is handled wrongly. ssl_verify_server_cert treats only negative return values ("< 0") as valid, but the man page of X509_check_host says 1 is "a successful match". So on a successful match the #else is skipped, the error pointer is set to "SSL certificate validation failure", and the return value ends up being 1 (that is, failure).

Loop system developers added a comment - 2017-06-16 13:43 I think the return code from X509_check_host is handled wrongly. ssl_verify_server_cert treats only negative return values ("< 0") as valid, but the man page of X509_check_host says 1 is "a successful match". So on a successful match the #else is skipped, the error pointer is set to "SSL certificate validation failure", and the return value ends up being 1 (that is, failure).

Sergei Golubchik added a comment - 2017-06-19 09:56

Right. But don't look at the attached patch. This is the actual commit that got into the source tree, it uses

  ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1;

Sergei Golubchik added a comment - 2017-06-19 09:56 Right. But don't look at the attached patch. This is the actual commit that got into the source tree, it uses ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1;

People

Assignee:: Sergei Golubchik

Reporter:: Martin Štefany

Votes:: 1 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 2016-08-18 19:06

Updated:: 2019-05-22 21:59

Resolved:: 2017-04-27 18:54

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Git Integration