Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-13102

“SSL certificate validation failure” when verifying wildcard server certificate

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Fixed
    • 5.5.52
    • 10.1.23
    • SSL
    • None
    • CentOS 7, Linux 3.10.0-514.21.1.el7.x86_64

    Description

      Source

      I've been trying to move from using a self-signed certificate to using a wildcard certificate from a well-known CA to reduce maintenance overhead and improve security. The certificate has already been in use for months on test servers. The setup is working well enough that I can do the following (domain name anonymised):

      mysql --host=host.example-dot-com-equivalent-for.co.uk --user=query_user --password --ssl

      This connects successfully after providing the password. However, when I try to actually verify the certificate Common Name it fails:

      $ mysql --host=host.example-dot-com-equivalent-for.co.uk --user=query_user --password --ssl --ssl-verify-server-cert
      		 
      ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure

      After compiling MariaDB 5.5 using 

      cmake -DCMAKE_BUILD_TYPE=Debug -DWITH_SSL=yes

      and running the client with 

      --debug

      I get the following trace log (trimmed):

      mysql_real_connect: info: Connecting
      		 
      mysql_real_connect: info: net->vio: 0x0  protocol: 0
      		 
      mysql_real_connect: info: Server name: 'host.example-dot-com-equivalent-for.co.uk'.  TCP sock: 3306
      		 
      mysql_real_connect: info: IP 'client'
      		 
      mysql_real_connect: info: IPV6 getaddrinfo host.example-dot-com-equivalent-for.co.uk
      		 
      mysql_real_connect: info: Try connect on all addresses for host.
      		 
      mysql_real_connect: info: Create socket, family: 2  type: 1  proto: 6
      		 
      mysql_real_connect: info: Connect socket
      		 
      mysql_real_connect: info: End of connect attempts, sock: 4  status: 0  error: 0
      		 
      mysql_real_connect: info: net->vio: 0x263c540
      		 
      mysql_real_connect: info: Read first packet.
      		 
      mysql_real_connect: info: mysql protocol version 10, server=10
      		 
      get_charsets_dir: info: charsets dir: '/usr/local/mysql/share/charsets/'
      		 
      my_stat: error: Got errno: 2 from stat
      		 
      run_plugin_auth: info: using plugin mysql_native_password
      		 
      native_password_auth_client: info: no password
      		 
      native_password_auth_client: info: IO layer change in progress...
      		 
      ssl_do: info: ssl: 0x2823e50 timeout: 0
      		 
      ssl_do: info: SSL connection succeeded
      		 
      ssl_do: info: Using cipher: 'AES256-GCM-SHA384'
      		 
      ssl_do: info: Peer certificate:
      		 
      ssl_do: info: 	 subject: '/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.example-dot-com-equivalent-for.co.uk'
      		 
      ssl_do: info: 	 issuer: '/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2'
      		 
      ssl_do: info: no shared ciphers!
      		 
      native_password_auth_client: info: IO layer change done!
      		 
      ssl_verify_server_cert: info: Server hostname in cert: *.example-dot-com-equivalent-for.co.uk
      		 
      run_plugin_auth: info: authenticate_user returned CR_ERROR
      		 
      run_plugin_auth: info: res=0
      		 
      mysql_real_connect: error: message: 2026/HY000 (SSL connection error: SSL certificate validation failure)
      		 
      end_server: info: Net:
      		 
      main: info: Shutting down: infoflag: 3  print_info: 1

      Note specifically that the `Server name` value matches the `CN` value.

      The certificate is valid for the given hostname and is not expired, as verified by `openssl s_client -connect host.example-dot-com-equivalent-for.co.uk:443 -verify_return_error < /dev/null`. The "X509v3 Subject Alternative Name" field contains "DNS:*.example-dot-com-equivalent-for.co.uk, DNS:example-dot-com-equivalent-for.co.uk"

      The whole certificate chain is in the file pointed to by the server's `ssl-cert` configuration, as recommended elsewhere. "USERTrust RSA Certification Authority" is in the client's /etc/pki/tls/certs/ca-bundle.crt and /etc/pki/tls/certs/ca-bundle.trust.crt. I tried adding `--ssl-ca=/etc/pki/tls/certs/ca-bundle.crt` to the command, but that didn't change anything.

      The question ends up being: *Do MySQL/MariaDB clients support wildcard certificates? If they do, is something wrong with my connection?*

      Original client:

      $ mysql --version
      		 
      mysql  Ver 15.1 Distrib 10.1.21-MariaDB, for Linux (x86_64) using readline 5.1

      Debug client:

      $ ./client/mysql --version
      		 
      ./client/mysql  Ver 15.1 Distrib 5.5.56-MariaDB, for Linux (x86_64) using readline 5.1

      Server:

      # rpm -q mariadb
      		 
      mariadb-5.5.52-1.el7.x86_64

      Attachments

        Issue Links

          is part of

          Bug - A problem which impairs or prevents the functions of the product. MDEV-10594 SSL hostname verification fails for SubjectAltNames

          • Major - Major loss of function.
          • Closed

          Activity

            People

              serg Sergei Golubchik
              loopsysdev Loop system developers
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.