[MDEV-10973] X509 verification fails - Jira

XML

Word

Printable

Details

Type: Bug
Status: Open (View Workflow)
Priority: Minor
Resolution: Unresolved
Affects Version/s: 5.5, 10.0, 10.1, 10.2
Fix Version/s: 10.2
Component/s: SSL
Labels:
None

Description

X509 verification for subject and issuer is broken:

1) If the client certificate contains utf8-chars (e.g. '/DC=com/L=Москва/DC=example/CN=client')
verification fails due to use of the function

X509_name_oneline

Quote from X509_name_oneline() manpage:
"The functions X509_NAME_oneline() and X509_NAME_print() are legacy functions which produce a non standard output form, they don't handle multi character fields and have various quirks and inconsistencies. Their use is strongly discouraged in new applications.

2. Verification fails if e.g. attribute in cert is in lower case, while it was specified in uppercase with GRANT before (see RFC 5280)

3. Verification fails, if there additional attributes in the certificates:

GRANT ....  REQUIRE ISSUER ISSUER "/CN=cacert/C=FI/ST=Helsinki/O=MariaDB"

but certificate has an additional locality, verification fails, e.g.

 /CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB

Attachments

Issue Links

links to

RFC 5280

Activity

People

Assignee:: Georg Richter

Reporter:: Georg Richter

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2016-10-07 05:59

Updated:: 2017-06-27 13:41

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.