We have a certificate with the following subject names:
X509v3 Subject Alternative Name:
IP Address:127.0.0.1, DNS:localhost
When we connect with mysql --host=127.0.0.1 --ssl-ca=ca.pem --ssl-verify-server-cert with MariaDB certificate validation fails:
ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure
However, this same command will succeed as is against a recent MySQL 5.7.23+ or Percona Server bin/mysql client. This command also succeeds if the DNS hostname i used ("mysql --host=localhost --protocol=tcp --ssl...")
Offhand it appears that MariaDB only calls X509_check_host, but MySQL / Percona will additionally call X509_check_ip to validate an ip address. It seems that when there is at least one DNS entry in the subject alt name, the verification fails even if the common name would otherwise match.