Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-18131

MariaDB does not verify IP addresses from subject alternative names

    Details

      Description

      We have a certificate with the following subject names:

      Subject: CN=127.0.0.1
      X509v3 Subject Alternative Name:
      IP Address:127.0.0.1, DNS:localhost

      When we connect with mysql --host=127.0.0.1 --ssl-ca=ca.pem --ssl-verify-server-cert with MariaDB certificate validation fails:

      ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure

      However, this same command will succeed as is against a recent MySQL 5.7.23+ or Percona Server bin/mysql client. This command also succeeds if the DNS hostname i used ("mysql --host=localhost --protocol=tcp --ssl...")

      Offhand it appears that MariaDB only calls X509_check_host, but MySQL / Percona will additionally call X509_check_ip to validate an ip address. It seems that when there is at least one DNS entry in the subject alt name, the verification fails even if the common name would otherwise match.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                wlad Vladislav Vaintroub
                Reporter:
                andrew.garner Andrew Garner
              • Votes:
                2 Vote for this issue
                Watchers:
                7 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: