MariaDB Server, MDEV-10594

SSL hostname verification fails for SubjectAltNames


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.50, 10.1.16
    • Fix Version/s: 10.1.23, 10.2.6
    • Component/s: SSL
    • Labels: None

    Description

      The SSL hostname verification code currently fails to validate server certificates with SubjectAltName entries.

      $ sudo openssl x509 -in /etc/pki/tls/certs/mariadb.pem -noout -text | grep -e DNS -e CN
              Issuer: O=STEFANY.EU, CN=Certificate Authority
              Subject: O=STEFANY.EU, CN=dbms1.stefany.eu
                      DNS:dbms2.stefany.eu, DNS:galera.stefany.eu, othername:<unsupported>, othername:<unsupported>
      $ sudo openssl x509 -in /etc/pki/tls/certs/mariadb.pem -noout -text | grep -e DNS -e CN
              Issuer: O=STEFANY.EU, CN=Certificate Authority
              Subject: O=STEFANY.EU, CN=dbms2.stefany.eu
                      DNS:dbms1.stefany.eu, DNS:galera.stefany.eu, othername:<unsupported>, othername:<unsupported>
      $ sudo openssl x509 -in /etc/pki/tls/certs/mariadb.pem -noout -text | grep -e DNS -e CN
              Issuer: O=STEFANY.EU, CN=Certificate Authority
              Subject: O=STEFANY.EU, CN=dbms3.stefany.eu
                      DNS:dbms3.stefany.eu, DNS:galera.stefany.eu, othername:<unsupported>, othername:<unsupported>
      

      All versions work with (dbms*):

      mysql -h dbms1.stefany.eu -u someuser -p
      

      But none works for:

      mysql -h galera.stefany.eu -u someuser -p
      

      Version 5.5.50 fails to connect as:

      ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure
      

      while version 10.1.16 fails to connect as:

      ERROR 2003 (HY000): Can't connect to MySQL server on 'galera.stefany.eu' (111 "Connection refused")
      

      or:

      ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 104 "Connection reset by peer"
      

      Contents of /etc/my.cnf.d/client.cnf would be as follows:

      [...]
      [client]
      ssl-ca=/etc/ipa/ca.crt
      ssl-cipher=TLSv1.2
      ssl-verify-server-cert
      [...]
      
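      Added example (not MariaDB code and not from the reporter): a hostname check written in Python over certificates in the dict form that Python's ssl.getpeercert() returns, modelled on the three certificates quoted above. It applies the RFC 6125 rule: when a certificate carries dNSName SubjectAltName entries, the client matches only against those, and the subject CN is consulted only when no dNSName is present; IP literals are matched only against "IP Address" entries. The certificate dicts, the legacy/wildcard/IP certificates and the hostnames are constructed from the report's names; cn_only_match reproduces the CN-only behaviour the report describes, for comparison. One caveat this makes visible: the first certificate above (CN=dbms1, SAN dbms2 and galera) does not list dbms1 in its SAN, so a strict RFC 6125 client rejects dbms1.stefany.eu for that certificate. Every name a server answers to should be in the SAN.

```python
# Added example (not MariaDB or the reporter's code): RFC 6125 style hostname
# verification over a certificate in the dict shape that Python's
# ssl.SSLSocket.getpeercert() returns.  All certificates below are constructed
# from the names quoted in the report; they are not real parsed certificates.
import ipaddress


def _match_dns(pattern: str, hostname: str) -> bool:
    """Match one presented dNSName (or CN) against a hostname.

    Comparison is case-insensitive and ignores a trailing dot.  A '*' is
    honoured only when it is the entire left-most label and at least two
    labels follow it, so '*.stefany.eu' matches 'x.stefany.eu' but never
    'stefany.eu', 'a.b.stefany.eu' or a bare TLD.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # wildcard is not a whole left-most label, or is too broad
    if "*" in "".join(p_labels[1:]):
        return False  # no wildcards anywhere else in the name
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def _subject_cn(cert: dict):
    """Return the first commonName in the subject, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def match_hostname(cert: dict, hostname: str) -> bool:
    """Verify `hostname` against `cert` the way a correct client should.

    1. If the caller connected to an IP literal, only 'IP Address' SAN
       entries may match it.
    2. If the certificate has any dNSName SAN, match only against those;
       the subject CN is ignored.
    3. Otherwise fall back to the subject CN.
    """
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in san)
    dns_names = [val for kind, val in san if kind == "DNS"]
    if dns_names:
        return any(_match_dns(name, hostname) for name in dns_names)
    cn = _subject_cn(cert)
    return cn is not None and _match_dns(cn, hostname)


def cn_only_match(cert: dict, hostname: str) -> bool:
    """The defective behaviour the report describes: compare the CN only,
    so a name that appears solely in the SAN is rejected."""
    cn = _subject_cn(cert)
    return cn is not None and cn.lower() == hostname.lower()


def _cert(cn, *dns_names, ips=()):
    """Build a getpeercert()-style dict (constructed test data)."""
    return {
        "subject": ((("organizationName", "STEFANY.EU"),),
                    (("commonName", cn),)),
        "subjectAltName": tuple(("DNS", n) for n in dns_names)
                          + tuple(("IP Address", i) for i in ips),
    }


# Constructed from the first and third certificates quoted in the report.
CERT_DBMS1 = _cert("dbms1.stefany.eu", "dbms2.stefany.eu", "galera.stefany.eu")
CERT_DBMS3 = _cert("dbms3.stefany.eu", "dbms3.stefany.eu", "galera.stefany.eu")
# Constructed: a legacy CN-only certificate, a wildcard one and one with an IP SAN.
CERT_CN_ONLY = _cert("legacy.stefany.eu")
CERT_WILDCARD = _cert("wild.stefany.eu", "*.stefany.eu")
CERT_IP = _cert("dbms1.stefany.eu", "dbms1.stefany.eu", ips=("192.0.2.10",))


if __name__ == "__main__":
    for host in ("dbms3.stefany.eu", "galera.stefany.eu"):
        print(host, "cn_only:", cn_only_match(CERT_DBMS3, host),
              "rfc6125:", match_hostname(CERT_DBMS3, host))
```

      Running the block prints that galera.stefany.eu is rejected by the CN-only check and accepted by the SAN-aware one, which is the difference the report describes.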

      People

        Assignee: serg (Sergei Golubchik)
        Reporter: mstefany (Martin Štefany)
        Votes: 1
        Watchers: 8