  1. MariaDB Server
  2. MDEV-10973

X509 verification fails

Details

    • Bug
    • Status: Open
    • Minor
    • Resolution: Unresolved
    • 5.5(EOL), 10.0(EOL), 10.1(EOL), 10.2(EOL)
    • 10.2(EOL)
    • SSL
    • None

    Description

      X509 verification for subject and issuer is broken:

      1. If the client certificate contains UTF-8 characters (e.g. '/DC=com/L=Москва/DC=example/CN=client'), verification fails due to use of the function X509_NAME_oneline.

      Quote from the X509_NAME_oneline() manpage:
      "The functions X509_NAME_oneline() and X509_NAME_print() are legacy functions which produce a non standard output form, they don't handle multi character fields and have various quirks and inconsistencies. Their use is strongly discouraged in new applications."

      2. Verification fails if, e.g., an attribute in the certificate is in lower case while it was specified in upper case with GRANT before (see RFC 5280).

      3. Verification fails if there are additional attributes in the certificate:

      GRANT ....  REQUIRE ISSUER "/CN=cacert/C=FI/ST=Helsinki/O=MariaDB"

      but the certificate has an additional locality, verification fails, e.g.

       /CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB
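
An added illustration of the three cases above (not MariaDB's or the reporter's code), comparing names as parsed attribute pairs instead of as one-line strings. `oneline_escape`, `parse_dn` and `dn_matches` are hypothetical helpers; the value folding is a simplified stand-in for RFC 5280 name comparison, and `oneline_escape` only models the legacy `\xHH` escaping of non-ASCII bytes.

```python
import re

# Sample names taken from the report above.
UTF8_SUBJECT = "/DC=com/L=Москва/DC=example/CN=client"
GRANT_ISSUER = "/CN=cacert/C=FI/ST=Helsinki/O=MariaDB"
CERT_ISSUER = "/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB"


def oneline_escape(dn):
    """Model (assumption) of the legacy one-line form: every byte outside
    the printable ASCII range ' '..'~' is written as \\xHH."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "\\x%02X" % b
                   for b in dn.encode("utf-8"))


def parse_dn(dn):
    """Split '/TYPE=value/...' into ordered, normalised (type, value) pairs.
    Values containing '/' are not supported by this simple parser."""
    pairs = []
    for part in filter(None, dn.split("/")):
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        typ, value = part.split("=", 1)
        # Simplified stand-in for RFC 5280 section 7.1: fold case and
        # collapse whitespace so 'Client' and 'client' compare equal.
        value = re.sub(r"\s+", " ", value.strip()).casefold()
        pairs.append((typ.strip().upper(), value))
    return pairs


def dn_matches(required, presented, allow_extra=False):
    """Compare the name from the GRANT with the name in the certificate.
    Strict equality is the default; allow_extra accepts certificates that
    carry additional attributes, which widens what is accepted."""
    req, got = parse_dn(required), parse_dn(presented)
    if not allow_extra:
        return req == got
    # Subset mode: every required pair must appear, in order, in the cert.
    remaining = iter(got)
    return all(pair in remaining for pair in req)


if __name__ == "__main__":
    print(oneline_escape(UTF8_SUBJECT))               # case 1: escaped bytes
    print(dn_matches("/CN=Client", "/cn=client"))     # case 2: case folding
    print(dn_matches(GRANT_ISSUER, CERT_ISSUER))      # case 3: strict
    print(dn_matches(GRANT_ISSUER, CERT_ISSUER, allow_extra=True))
```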

            People

              georg Georg Richter