Description
We have a certificate with the following subject names:
Subject: CN=127.0.0.1
X509v3 Subject Alternative Name:
IP Address:127.0.0.1, DNS:localhost
When we connect with mysql --host=127.0.0.1 --ssl-ca=ca.pem --ssl-verify-server-cert using the MariaDB client, certificate validation fails:
ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure
However, this same command will succeed as is against a recent MySQL 5.7.23+ or Percona Server bin/mysql client. This command also succeeds if the DNS hostname is used ("mysql --host=localhost --protocol=tcp --ssl...").
Offhand it appears that MariaDB only calls X509_check_host, but MySQL / Percona will additionally call X509_check_ip to validate an ip address. It seems that when there is at least one DNS entry in the subject alt name, the verification fails even if the common name would otherwise match.
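The following is an added example, not code from MariaDB, MySQL or Percona. It models the two verification strategies contrasted above using the dictionary layout that Python's ssl.SSLSocket.getpeercert() returns: check_host() mirrors the default X509_check_host() rule (only dNSName SANs are consulted, with the subject CN as a fallback only when the certificate has no dNSName SAN at all), check_ip() mirrors X509_check_ip_asc(), and the two verify_* functions are assumed approximations of the MariaDB-style and MySQL-style clients as the report describes them. SERVER_CERT is a constructed dictionary with the same names as the certificate in the report.

```python
"""Hostname-vs-IP matching against a server certificate's names.

Added example modelling the behaviour described in the report; the matching
rules are simplified (single leftmost wildcard label, no CIDR, no email SANs).
"""
import ipaddress

# Constructed: the same subject and SAN names as the certificate in the report.
SERVER_CERT = {
    "subject": ((("commonName", "127.0.0.1"),),),
    "subjectAltName": (("IP Address", "127.0.0.1"), ("DNS", "localhost")),
}


def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match allowing one leftmost wildcard label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def _san_entries(cert: dict, kind: str) -> list:
    """All subjectAltName values of one kind ("DNS" or "IP Address")."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == kind]


def _common_names(cert: dict) -> list:
    """All commonName values from the subject DN."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def check_host(cert: dict, hostname: str) -> bool:
    """Mirror of X509_check_host() default behaviour: only dNSName SANs are
    consulted, and the subject CN is a fallback only when no dNSName SAN is
    present. An IP literal passed here is compared as a DNS string, so it can
    only match a DNS entry that happens to spell the same text."""
    dns_names = _san_entries(cert, "DNS")
    candidates = dns_names if dns_names else _common_names(cert)
    return any(_dns_match(c, hostname) for c in candidates)


def check_ip(cert: dict, ip_text: str) -> bool:
    """Mirror of X509_check_ip_asc(): compare the connect address with the
    iPAddress SANs only (there is no CN fallback for IP addresses)."""
    try:
        target = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    for entry in _san_entries(cert, "IP Address"):
        try:
            if ipaddress.ip_address(entry) == target:
                return True
        except ValueError:
            continue
    return False


def verify_mariadb_style(cert: dict, host: str) -> bool:
    """Assumed model of the behaviour the report attributes to the MariaDB
    client: the host check alone, whatever form --host takes."""
    return check_host(cert, host)


def verify_mysql_style(cert: dict, host: str) -> bool:
    """Assumed model of the behaviour the report attributes to MySQL 5.7.23+
    and Percona: an IP literal goes to check_ip(), anything else to check_host()."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return check_host(cert, host)
    return check_ip(cert, host)


if __name__ == "__main__":
    for host in ("127.0.0.1", "localhost"):
        print(host,
              "mariadb-style:", verify_mariadb_style(SERVER_CERT, host),
              "mysql-style:", verify_mysql_style(SERVER_CERT, host))
```

Run as a script it prints that --host=127.0.0.1 fails the host-only check and passes the IP-aware one, while --host=localhost passes both, which is the pattern the report observes. The interesting detail is in check_host(): once the certificate carries any DNS SAN, the CN=127.0.0.1 is never consulted, so a client that only calls the host check cannot be rescued by the matching common name.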
Issue Links
relates to:
- CONC-413 C/C may not compare IP address to Subject Alternative Name fields for server certificate verification (Open)
- MDEV-10594 SSL hostname verification fails for SubjectAltNames (Closed)
- MDEV-18277 Client can't validate server certificate if SAN name used. (Closed)
- MDEV-19560 Client may not compare IP address to Subject Alternative Name fields for server certificate verification (Closed)
- CONC-250 SSL hostname verification for SubjectAltNames (Closed)