  1. MariaDB Server
  2. MDEV-18131

MariaDB does not verify IP addresses from subject alternative names

Details

    Description

      We have a certificate with the following subject names:

      Subject: CN=127.0.0.1
      X509v3 Subject Alternative Name:
      IP Address:127.0.0.1, DNS:localhost

      When we connect with mysql --host=127.0.0.1 --ssl-ca=ca.pem --ssl-verify-server-cert with MariaDB, certificate validation fails:

      ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure

      However, this same command will succeed as is against a recent MySQL 5.7.23+ or Percona Server bin/mysql client. This command also succeeds if the DNS hostname is used ("mysql --host=localhost --protocol=tcp --ssl...").

      Offhand it appears that MariaDB only calls X509_check_host, but MySQL / Percona will additionally call X509_check_ip to validate an IP address. It seems that when there is at least one DNS entry in the subject alt name, the verification fails even if the common name would otherwise match.
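
The behaviour described in the report, as an added example that is not part of the original issue and is not MariaDB, MySQL or OpenSSL code: a simplified Python model of a hostname-only check next to one that dispatches IP literals to an iPAddress SAN check. The dict layout for the certificate and all function names are assumptions made for this illustration.

```python
import ipaddress

def _dns_match(pattern, host):
    """Case-insensitive match; '*' may replace only the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def check_host(cert, name):
    """Simplified model of a hostname-only check: dNSName SANs, else CN."""
    dns = [v for t, v in cert.get("san", ()) if t == "DNS"]
    if dns:  # any dNSName SAN present: the CN is no longer consulted
        return any(_dns_match(p, name) for p in dns)
    return cert.get("cn") is not None and _dns_match(cert["cn"], name)

def check_ip(cert, addr):
    """iPAddress SANs only, compared as parsed addresses; no CN fallback."""
    want = ipaddress.ip_address(addr)
    return any(ipaddress.ip_address(v) == want
               for t, v in cert.get("san", ()) if t == "IP Address")

def verify_peer_name(cert, target):
    """Dispatch on the connect target: IP literal -> check_ip, else check_host."""
    try:
        ipaddress.ip_address(target)
    except ValueError:
        return check_host(cert, target)
    return check_ip(cert, target)

# Constructed certificate mirroring the subject names in the report.
REPORT_CERT = {"cn": "127.0.0.1",
               "san": [("IP Address", "127.0.0.1"), ("DNS", "localhost")]}
# Constructed variant with no dNSName SAN, to show the CN fallback.
IP_SAN_ONLY = {"cn": "127.0.0.1", "san": [("IP Address", "127.0.0.1")]}

if __name__ == "__main__":
    for label, fn in (("host-only", check_host), ("host+ip", verify_peer_name)):
        for target in ("127.0.0.1", "localhost"):
            print(f"{label:9} {target:10} -> {fn(REPORT_CERT, target)}")
```

With the report's certificate, the hostname-only path rejects 127.0.0.1 because the DNS:localhost entry suppresses the CN fallback, while the dispatching path accepts it through the IP Address entry.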

            People

              wlad Vladislav Vaintroub
              andrew.garner Andrew Garner