MariaDB Server issue MDEV-10594

SSL hostname verification fails for SubjectAltNames


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.50, 10.1.16
    • Fix Version/s: 10.1.23, 10.2.6
    • Component/s: SSL
    • Labels:
      None

      Description

      The SSL hostname verification code currently fails to validate server certificates with SubjectAltName entries.

      $ sudo openssl x509 -in /etc/pki/tls/certs/mariadb.pem -noout -text | grep -e DNS -e CN
              Issuer: O=STEFANY.EU, CN=Certificate Authority
              Subject: O=STEFANY.EU, CN=dbms1.stefany.eu
                      DNS:dbms2.stefany.eu, DNS:galera.stefany.eu, othername:<unsupported>, othername:<unsupported>
      $ sudo openssl x509 -in /etc/pki/tls/certs/mariadb.pem -noout -text | grep -e DNS -e CN
              Issuer: O=STEFANY.EU, CN=Certificate Authority
              Subject: O=STEFANY.EU, CN=dbms2.stefany.eu
                      DNS:dbms1.stefany.eu, DNS:galera.stefany.eu, othername:<unsupported>, othername:<unsupported>
      $ sudo openssl x509 -in /etc/pki/tls/certs/mariadb.pem -noout -text | grep -e DNS -e CN
              Issuer: O=STEFANY.EU, CN=Certificate Authority
              Subject: O=STEFANY.EU, CN=dbms3.stefany.eu
                      DNS:dbms3.stefany.eu, DNS:galera.stefany.eu, othername:<unsupported>, othername:<unsupported>
      

      All versions work with (dbms*):

      mysql -h dbms1.stefany.eu -u someuser -p
      

      But none works for:

      mysql -h galera.stefany.eu -u someuser -p
      

      Version 5.5.50 fails to connect as:

      ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure
      

      while version 10.1.16 fails to connect as:

      ERROR 2003 (HY000): Can't connect to MySQL server on 'galera.stefany.eu' (111 "Connection refused")
      

      or:

      ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 104 "Connection reset by peer"
      

      Contents of /etc/my.cnf.d/client.cnf would be as follows:

      [...]
      [client]
      ssl-ca=/etc/ipa/ca.crt
      ssl-cipher=TLSv1.2
      ssl-verify-server-cert
      [...]
      
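The matching a TLS client has to perform, as an added example for this report (not MariaDB's client code and not the fix that closed the issue): SubjectAltName dNSName entries are checked first and the subject CN is consulted only as a legacy fallback, which is why a CN-only check rejects galera.stefany.eu even though every certificate above carries it as a SAN. The certificate dicts are constructed to mirror the three certificates in the report (same names, no key material, the unsupported `othername` entries left out) in the shape Python's `ssl.SSLSocket.getpeercert()` returns; `make_cert`, `match_hostname` and `cn_only_match` are names chosen for this example. One caveat the strict mode makes visible: under RFC 6125 s6.4.4 (and OpenSSL's `X509_check_host` default) the CN is ignored as soon as any DNS SAN is present, so the dbms1 certificate as shown, whose CN dbms1.stefany.eu is not repeated in its SAN, would not match dbms1.stefany.eu either; listing the CN among the SANs avoids that.

```python
"""
RFC 6125-style server-name matching over the dict shape returned by Python's
ssl.SSLSocket.getpeercert().  Added example for MDEV-10594, not MariaDB's own
client code: a SAN-aware check next to the CN-only check the report describes.
"""
import ipaddress


def make_cert(cn, *dns_names):
    """Constructed peer-certificate dict (no key material), getpeercert() shape."""
    return {
        "subject": ((("organizationName", "STEFANY.EU"),),
                    (("commonName", cn),)),
        "subjectAltName": tuple(("DNS", n) for n in dns_names),
    }


# Modelled on the three certificates in the report; "othername" SAN entries are
# omitted because getpeercert() does not expose unsupported GeneralName types.
CERTS = {
    "dbms1": make_cert("dbms1.stefany.eu", "dbms2.stefany.eu", "galera.stefany.eu"),
    "dbms2": make_cert("dbms2.stefany.eu", "dbms1.stefany.eu", "galera.stefany.eu"),
    "dbms3": make_cert("dbms3.stefany.eu", "dbms3.stefany.eu", "galera.stefany.eu"),
}


def _subject_cns(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def _san(cert, kind):
    return [v for k, v in cert.get("subjectAltName", ()) if k == kind]


def _dns_match(pattern, hostname):
    """Case-insensitive DNS-ID match.  A wildcard is accepted only as the whole
    left-most label, matches exactly one label, and needs at least two more
    labels after it, so "*.eu" never matches anything."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or len(p) < 3 or any("*" in lbl for lbl in p[1:]):
        return False
    return len(h) == len(p) and h[0] != "" and h[1:] == p[1:]


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def match_hostname(cert, hostname, cn_fallback="rfc6125"):
    """Return the presented identifier that matched as (kind, value), or None.

    cn_fallback selects what happens with the subject CN:
      "rfc6125" - consult the CN only when the cert carries no DNS SAN at all
                  (RFC 6125 s6.4.4; also OpenSSL X509_check_host's default)
      "always"  - consult the CN whenever no SAN entry matched (lenient)
      "never"   - ignore the CN entirely
    """
    if _is_ip(hostname):
        want = ipaddress.ip_address(hostname)
        for ip in _san(cert, "IP Address"):
            if ipaddress.ip_address(ip) == want:
                return ("IP Address", ip)
        return None  # an IP literal never matches a CN or a dNSName
    dns_ids = _san(cert, "DNS")
    for name in dns_ids:
        if _dns_match(name, hostname):
            return ("DNS", name)
    if cn_fallback == "never" or (cn_fallback == "rfc6125" and dns_ids):
        return None
    for cn in _subject_cns(cert):
        if _dns_match(cn, hostname):
            return ("CN", cn)
    return None


def cn_only_match(cert, hostname):
    """The check the report describes: only the subject CN is compared, so a
    name present solely in the SAN (galera.stefany.eu) is rejected."""
    for cn in _subject_cns(cert):
        if cn.lower() == hostname.lower():
            return cn
    return None


if __name__ == "__main__":
    for host in ("dbms1.stefany.eu", "galera.stefany.eu"):
        for node, cert in CERTS.items():
            print(f"{host:18} vs {node}: cn_only={cn_only_match(cert, host)!s:18} "
                  f"san_aware={match_hostname(cert, host)}")
```

The same check can be run against a real certificate file with OpenSSL's own matcher, `openssl x509 -in /etc/pki/tls/certs/mariadb.pem -noout -checkhost galera.stefany.eu`, which is a quick way to confirm whether a rejection comes from the certificate's names or from the client's verification code.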

    People

    • Assignee: Sergei Golubchik (serg)
    • Reporter: Martin Štefany (mstefany)
    • Votes: 1
    • Watchers: 8
