[MDEV-15039] Fix LibreSSL X509 (SSL) certificate hostname checking - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.3(EOL)
Fix Version/s: 10.1.33, 10.2.15, 10.3.6
Component/s: SSL
Labels:
- contribution
- foundation

Description

(Currently) LibreSSL doesn't calculate the string length of the hostname
that's passed to X509_check_host automatically in case namelen/chklen is 0.
This causes server certificate validation to fail when building MariaDB with
LibreSSL.

The proposed fix makes MariaDB determine the string length passed to
X509_check_host. As there are no ill side-effects (OpenSSL's X509_check_host
also simply calls strlen if namelen == 0, see also X509_check_host(3)), this
wasn't wrapped in any #ifdef like constructs.

Please see here for a proposed patch to modify LibreSSL's behavior:
libressl-portable/openbsd#87

Attachments

Activity

People

Assignee:: Sergei Golubchik

Reporter:: Sergey Vojtovich

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2018-01-23 11:51

Updated:: 2018-05-29 07:49

Resolved:: 2018-04-04 06:46

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.