Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 5.5.50, 10.1.16
Description
The SSL hostname verification code currently fails to validate server certificates that carry SubjectAltName entries.
$ sudo openssl x509 -in /etc/pki/tls/certs/mariadb.pem -noout -text | grep -e DNS -e CN
Issuer: O=STEFANY.EU, CN=Certificate Authority
Subject: O=STEFANY.EU, CN=dbms1.stefany.eu
DNS:dbms2.stefany.eu, DNS:galera.stefany.eu, othername:<unsupported>, othername:<unsupported>

$ sudo openssl x509 -in /etc/pki/tls/certs/mariadb.pem -noout -text | grep -e DNS -e CN
Issuer: O=STEFANY.EU, CN=Certificate Authority
Subject: O=STEFANY.EU, CN=dbms2.stefany.eu
DNS:dbms1.stefany.eu, DNS:galera.stefany.eu, othername:<unsupported>, othername:<unsupported>

$ sudo openssl x509 -in /etc/pki/tls/certs/mariadb.pem -noout -text | grep -e DNS -e CN
Issuer: O=STEFANY.EU, CN=Certificate Authority
Subject: O=STEFANY.EU, CN=dbms3.stefany.eu
DNS:dbms3.stefany.eu, DNS:galera.stefany.eu, othername:<unsupported>, othername:<unsupported>
All versions work with (dbms*):
mysql -h dbms1.stefany.eu -u someuser -p

But none works for:
mysql -h galera.stefany.eu -u someuser -p

Version 5.5.50 fails to connect as:
ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure

while version 10.1.16 fails to connect as:
ERROR 2003 (HY000): Can't connect to MySQL server on 'galera.stefany.eu' (111 "Connection refused")

or:
ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 104 "Connection reset by peer"
Contents of /etc/my.cnf.d/client.cnf would be as follows:
[...]
[client]
ssl-ca=/etc/ipa/ca.crt
ssl-cipher=TLSv1.2
ssl-verify-server-cert
[...]
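To make the failure concrete, here is an added example (not the reporter's or MariaDB's code) that compares a CN-only check with a SubjectAltName-aware check over a constructed description of the dbms1 certificate above, in the dict shape Python's ssl.getpeercert() returns. The SAN-aware check follows the RFC 6125 rule that OpenSSL's X509_check_host applies by default (SAN first, CN consulted only when the certificate has no SAN) and also covers wildcard and IP-address SAN entries, which go beyond the report's own certificates; whether the attached patch behaves identically is not stated on this page.

```python
import ipaddress

# Constructed stand-in for the dbms1 certificate from the report, in the
# shape returned by ssl.SSLSocket.getpeercert().
DBMS1_CERT = {
    "subject": ((("organizationName", "STEFANY.EU"),),
                (("commonName", "dbms1.stefany.eu"),)),
    "subjectAltName": (("DNS", "dbms2.stefany.eu"), ("DNS", "galera.stefany.eu")),
}


def _dns_match(pattern, hostname):
    """Case-insensitive DNS-ID match; '*' may only replace the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Same label count, at least one label after the wildcard's parent, tail identical.
    return len(p_labels) == len(h_labels) and len(p_labels) > 2 and p_labels[1:] == h_labels[1:]


def cn_only_verify(cert, hostname):
    """Behaviour described in the report: only the subject CN is compared."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_match(value, hostname)
    return False


def san_verify(cert, hostname):
    """SAN-aware check: DNS entries for names, IP entries for IP literals;
    fall back to the CN only when the certificate carries no SAN at all."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if not sans:
        return cn_only_verify(cert, hostname)
    for kind, value in sans:
        if kind == "DNS" and ip is None and _dns_match(value, hostname):
            return True
        if kind == "IP Address" and ip is not None and ipaddress.ip_address(value) == ip:
            return True
    return False
```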
Attachments
Issue Links
- includes
  - MDEV-13102 “SSL certificate validation failure” when verifying wildcard server certificate (Closed)
- relates to
  - CONC-413 C/C may not compare IP address to Subject Alternative Name fields for server certificate verification (Open)
  - MDEV-19560 Client may not compare IP address to Subject Alternative Name fields for server certificate verification (Closed)
  - CONC-250 SSL hostname verification for SubjectAltNames (Closed)
  - MDEV-18131 MariaDB does not verify IP addresses from subject alternative names (Closed)
  - MDEV-18277 Client can't validate server certificate if SAN name used. (Closed)
Patch attached. This will work for OpenSSL versions 1.0.2 and newer (1.0.1 was EOLed at the end of 2016). In case we want to fix it also in yaSSL or for older OpenSSL versions, please check the OpenSSL wiki.