I've been trying to move from using a self-signed certificate to using a wildcard certificate from a well-known CA to reduce maintenance overhead and improve security. The certificate has already been in use for months on test servers. The setup is working well enough that I can do the following (domain name anonymised):
```
mysql --host=host.example-dot-com-equivalent-for.co.uk --user=query_user --password --ssl
```
This connects successfully after providing the password. However, when I try to actually verify the certificate Common Name it fails:
```
$ mysql --host=host.example-dot-com-equivalent-for.co.uk --user=query_user --password --ssl --ssl-verify-server-cert
ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure
```
After compiling MariaDB 5.5 using
```
cmake -DCMAKE_BUILD_TYPE=Debug -DWITH_SSL=yes
```
and running the client with
I get the following trace log (trimmed):
```
mysql_real_connect: info: Connecting
mysql_real_connect: info: net->vio: 0x0 protocol: 0
mysql_real_connect: info: Server name: 'host.example-dot-com-equivalent-for.co.uk'. TCP sock: 3306
mysql_real_connect: info: IP 'client'
mysql_real_connect: info: IPV6 getaddrinfo host.example-dot-com-equivalent-for.co.uk
mysql_real_connect: info: Try connect on all addresses for host.
mysql_real_connect: info: Create socket, family: 2 type: 1 proto: 6
mysql_real_connect: info: Connect socket
mysql_real_connect: info: End of connect attempts, sock: 4 status: 0 error: 0
mysql_real_connect: info: net->vio: 0x263c540
mysql_real_connect: info: Read first packet.
mysql_real_connect: info: mysql protocol version 10, server=10
get_charsets_dir: info: charsets dir: '/usr/local/mysql/share/charsets/'
my_stat: error: Got errno: 2 from stat
run_plugin_auth: info: using plugin mysql_native_password
native_password_auth_client: info: no password
native_password_auth_client: info: IO layer change in progress...
ssl_do: info: ssl: 0x2823e50 timeout: 0
ssl_do: info: SSL connection succeeded
ssl_do: info: Using cipher: 'AES256-GCM-SHA384'
ssl_do: info: Peer certificate:
ssl_do: info: subject: '/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.example-dot-com-equivalent-for.co.uk'
ssl_do: info: issuer: '/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2'
ssl_do: info: no shared ciphers!
native_password_auth_client: info: IO layer change done!
ssl_verify_server_cert: info: Server hostname in cert: *.example-dot-com-equivalent-for.co.uk
run_plugin_auth: info: authenticate_user returned CR_ERROR
run_plugin_auth: info: res=0
mysql_real_connect: error: message: 2026/HY000 (SSL connection error: SSL certificate validation failure)
end_server: info: Net:
main: info: Shutting down: infoflag: 3 print_info: 1
```
Note specifically that the `Server name` value matches the `CN` value.
The certificate is valid for the given hostname and is not expired, as verified by `openssl s_client -connect host.example-dot-com-equivalent-for.co.uk:443 -verify_return_error < /dev/null`. The "X509v3 Subject Alternative Name" field contains "DNS:*.example-dot-com-equivalent-for.co.uk, DNS:example-dot-com-equivalent-for.co.uk"
The whole certificate chain is in the file pointed to by the server's `ssl-cert` configuration, as recommended elsewhere. "USERTrust RSA Certification Authority" is in the client's /etc/pki/tls/certs/ca-bundle.crt and /etc/pki/tls/certs/ca-bundle.trust.crt. I tried adding `--ssl-ca=/etc/pki/tls/certs/ca-bundle.crt` to the command, but that didn't change anything.
The question ends up being: *Do MySQL/MariaDB clients support wildcard certificates? If they do, is something wrong with my connection?*
Original client:
```
$ mysql --version
mysql Ver 15.1 Distrib 10.1.21-MariaDB, for Linux (x86_64) using readline 5.1
```
Debug client:
```
$ ./client/mysql --version
./client/mysql Ver 15.1 Distrib 5.5.56-MariaDB, for Linux (x86_64) using readline 5.1
```
Server:
```
# rpm -q mariadb
mariadb-5.5.52-1.el7.x86_64
```
- is part of MDEV-10594: SSL hostname verification fails for SubjectAltNames (Closed)
This was implemented in MDEV-10594, but only in 10.1.23, not in the 5.5 branch.
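The name check this report turns on, as an added example that is not MariaDB's code: a literal comparison (assumed here as a model of a client without wildcard support) beside an RFC 6125 style match over SAN dNSName entries. The function names and the `example.org` host names are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Literal comparison of one certificate name against the host name.
   Assumed model of a client that has no wildcard support. */
static int match_literal(const char *cert_name, const char *host)
{
    return strcmp(cert_name, host) == 0;
}

/* DNS names compare case-insensitively. */
static int eq_nocase(const char *a, const char *b)
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) {
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* RFC 6125 style match: a "*." prefix stands for exactly one
   non-empty left-most label and never spans a dot. */
static int match_dns_name(const char *pattern, const char *host)
{
    const char *dot;
    if (strncmp(pattern, "*.", 2) != 0)
        return eq_nocase(pattern, host);
    dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return 0;                        /* no label for the wildcard to cover */
    if (strchr(pattern + 2, '.') == NULL)
        return 0;                        /* refuse "*.tld" style patterns */
    return eq_nocase(pattern + 1, dot);  /* compare the ".db.example.org" parts */
}

/* Accept the host if any SAN dNSName entry matches it. */
static int match_san_list(const char *const *sans, size_t n, const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (match_dns_name(sans[i], host))
            return 1;
    return 0;
}

/* Constructed names, shaped like the two SAN entries quoted in the report. */
static const char *const SAMPLE_SANS[] = { "*.db.example.org", "db.example.org" };

int main(void)
{
    const char *hosts[] = { "host.db.example.org", "db.example.org",
                            "a.b.db.example.org", "evil-db.example.org" };
    for (size_t i = 0; i < 4; i++)
        printf("%-20s literal=%d san=%d\n", hosts[i],
               match_literal(SAMPLE_SANS[0], hosts[i]),
               match_san_list(SAMPLE_SANS, 2, hosts[i]));
    return 0;
}
```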