MariaDB Server / MDEV-13102

“SSL certificate validation failure” when verifying wildcard server certificate

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.52
    • Fix Version/s: 10.1.23
    • Component/s: SSL
    • Labels:
      None
    • Environment:
      CentOS 7, Linux 3.10.0-514.21.1.el7.x86_64

      Description

      I've been trying to move from using a self-signed certificate to using a wildcard certificate from a well-known CA to reduce maintenance overhead and improve security. The certificate has already been in use for months on test servers. The setup is working well enough that I can do the following (domain name anonymised):

      mysql --host=host.example-dot-com-equivalent-for.co.uk --user=query_user --password --ssl
      

      This connects successfully after providing the password. However, when I try to actually verify the certificate Common Name it fails:

      $ mysql --host=host.example-dot-com-equivalent-for.co.uk --user=query_user --password --ssl --ssl-verify-server-cert
      ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure
      

      After compiling MariaDB 5.5 using

      cmake -DCMAKE_BUILD_TYPE=Debug -DWITH_SSL=yes

      and running the client with

      --debug

      I get the following trace log (trimmed):

      mysql_real_connect: info: Connecting
      mysql_real_connect: info: net->vio: 0x0  protocol: 0
      mysql_real_connect: info: Server name: 'host.example-dot-com-equivalent-for.co.uk'.  TCP sock: 3306
      mysql_real_connect: info: IP 'client'
      mysql_real_connect: info: IPV6 getaddrinfo host.example-dot-com-equivalent-for.co.uk
      mysql_real_connect: info: Try connect on all addresses for host.
      mysql_real_connect: info: Create socket, family: 2  type: 1  proto: 6
      mysql_real_connect: info: Connect socket
      mysql_real_connect: info: End of connect attempts, sock: 4  status: 0  error: 0
      mysql_real_connect: info: net->vio: 0x263c540
      mysql_real_connect: info: Read first packet.
      mysql_real_connect: info: mysql protocol version 10, server=10
      get_charsets_dir: info: charsets dir: '/usr/local/mysql/share/charsets/'
      my_stat: error: Got errno: 2 from stat
      run_plugin_auth: info: using plugin mysql_native_password
      native_password_auth_client: info: no password
      native_password_auth_client: info: IO layer change in progress...
      ssl_do: info: ssl: 0x2823e50 timeout: 0
      ssl_do: info: SSL connection succeeded
      ssl_do: info: Using cipher: 'AES256-GCM-SHA384'
      ssl_do: info: Peer certificate:
      ssl_do: info: 	 subject: '/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.example-dot-com-equivalent-for.co.uk'
      ssl_do: info: 	 issuer: '/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2'
      ssl_do: info: no shared ciphers!
      native_password_auth_client: info: IO layer change done!
      ssl_verify_server_cert: info: Server hostname in cert: *.example-dot-com-equivalent-for.co.uk
      run_plugin_auth: info: authenticate_user returned CR_ERROR
      run_plugin_auth: info: res=0
      mysql_real_connect: error: message: 2026/HY000 (SSL connection error: SSL certificate validation failure)
      end_server: info: Net:
      main: info: Shutting down: infoflag: 3  print_info: 1
      

      Note specifically that the `Server name` value matches the `CN` value.

      The certificate is valid for the given hostname and is not expired, as verified by `openssl s_client -connect host.example-dot-com-equivalent-for.co.uk:443 -verify_return_error < /dev/null`. The "X509v3 Subject Alternative Name" field contains "DNS:*.example-dot-com-equivalent-for.co.uk, DNS:example-dot-com-equivalent-for.co.uk".

      The whole certificate chain is in the file pointed to by the server's `ssl-cert` configuration, as recommended elsewhere. "USERTrust RSA Certification Authority" is in the client's /etc/pki/tls/certs/ca-bundle.crt and /etc/pki/tls/certs/ca-bundle.trust.crt. I tried adding `--ssl-ca=/etc/pki/tls/certs/ca-bundle.crt` to the command, but that didn't change anything.

      The question ends up being: *Do MySQL/MariaDB clients support wildcard certificates? If they do, is something wrong with my connection?*

      Original client:

      $ mysql --version
      mysql  Ver 15.1 Distrib 10.1.21-MariaDB, for Linux (x86_64) using readline 5.1
      

      Debug client:

      $ ./client/mysql --version
      ./client/mysql  Ver 15.1 Distrib 5.5.56-MariaDB, for Linux (x86_64) using readline 5.1
      

      Server:

      # rpm -q mariadb
      mariadb-5.5.52-1.el7.x86_64
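The check the report exercises is server-name verification of a wildcard certificate. As an added example, not MariaDB's or MySQL's own code, the block below implements the matching rules a TLS client is expected to follow (RFC 6125 / RFC 2818): prefer dNSName SubjectAltName entries and fall back to the subject CN only when no dNSName SAN is present, accept a wildcard only as the complete leftmost label, and let it cover exactly one label. The `PeerCert` type and the `WILDCARD_CERT` data are constructed here to mirror the names shown in the trace and SAN output above; they are not parsed from a real certificate.

```python
"""Hostname verification against certificate names, including wildcards.

Added example, not MariaDB code.  PeerCert and WILDCARD_CERT are constructed
to mirror the names in the bug report above.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class PeerCert:
    """Minimal view of the names a client needs from a server certificate."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)   # X509v3 SAN dNSName entries


# Constructed to match the certificate described in the report.
WILDCARD_CERT = PeerCert(
    common_name="*.example-dot-com-equivalent-for.co.uk",
    san_dns=[
        "*.example-dot-com-equivalent-for.co.uk",
        "example-dot-com-equivalent-for.co.uk",
    ],
)


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot is an FQDN marker only.
    return name.rstrip(".").lower()


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate dNSName/CN `pattern` covers `hostname`."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    pat_labels = pattern.split(".")
    host_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label and the only wildcard:
    # "f*o.example.com" and "*.*.example.com" are rejected outright.
    if pat_labels[0] != "*" or "*" in pattern[2:]:
        return False
    # Minimal guard against "*" and "*.com"; a full client would consult a
    # public-suffix list to also reject patterns like "*.co.uk".
    if len(pat_labels) < 3:
        return False
    # A wildcard covers exactly one label, so "*.example.com" does not match
    # "a.b.example.com" and does not match the bare "example.com".
    if len(host_labels) != len(pat_labels):
        return False
    return host_labels[1:] == pat_labels[1:]


def verify_server_cert(cert: PeerCert, hostname: str) -> Tuple[bool, str]:
    """Apply the SAN-first rule and report which name (if any) matched."""
    if cert.san_dns:
        candidates, source = cert.san_dns, "subjectAltName dNSName"
    else:
        candidates, source = [cert.common_name], "subject CN (no dNSName SAN present)"
    for name in candidates:
        if dns_name_matches(name, hostname):
            return True, f"matched {name!r} from {source}"
    return False, f"no name in {source} matches {hostname!r}: {candidates}"


if __name__ == "__main__":
    for host in (
        "host.example-dot-com-equivalent-for.co.uk",   # the report's hostname
        "example-dot-com-equivalent-for.co.uk",        # apex, covered by 2nd SAN
        "deep.sub.example-dot-com-equivalent-for.co.uk",  # two labels, must fail
    ):
        ok, why = verify_server_cert(WILDCARD_CERT, host)
        print(f"{host}: {'OK' if ok else 'REJECT'} ({why})")
```

Run against the report's hostname, `verify_server_cert` accepts the connection via the first SAN entry, which is the outcome the reporter expected from `--ssl-verify-server-cert`; a name two labels below the wildcard is refused, as is a certificate whose SAN list is present but does not cover the host even when its CN does.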
      

              People

              • Assignee: Sergei Golubchik (serg)
              • Reporter: Loop system developers (loopsysdev)
              • Votes: 0
              • Watchers: 4