[MDEV-18277] Client can't validate server certificate if SAN name used. - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.3.12
Fix Version/s: 10.2.23, 10.1.39, 10.3.14, 10.4.4
Component/s: SSL
Labels:
None
Environment:

Hide
CentOS Linux release 7.6.1810 (Core)

Name : MariaDB-client
Version : 10.3.12
Release : 1.el7.centos
Architecture: x86_64
Install Date: Wed 09 Jan 2019 11:28:31 AM MST
Group : Applications/Databases
Size : 232971328
License : GPLv2
Signature : DSA/SHA1, Sat 05 Jan 2019 12:50:24 PM MST, Key ID cbcb082a1bb943db
Source RPM : MariaDB-client-10.3.12-1.el7.centos.src.rpm
Build Date : Fri 04 Jan 2019 09:40:53 AM MST
Build Host : centos73-amd64
Relocations : (not relocatable)
Vendor : MariaDB Foundation
URL : http://mariadb.org
Summary : MariaDB: a very fast and robust SQL database server

Name : MariaDB-server
Version : 10.3.12
Release : 1.el7.centos
Architecture: x86_64
Install Date: Wed 09 Jan 2019 11:28:56 AM MST
Group : Applications/Databases
Size : 539357683
License : GPLv2
Signature : DSA/SHA1, Sat 05 Jan 2019 12:50:29 PM MST, Key ID cbcb082a1bb943db
Source RPM : MariaDB-server-10.3.12-1.el7.centos.src.rpm
Build Date : Fri 04 Jan 2019 09:41:54 AM MST
Build Host : centos73-amd64
Relocations : (not relocatable)
Vendor : MariaDB Foundation
URL : http://mariadb.org
Summary : MariaDB: a very fast and robust SQL database server

Show
CentOS Linux release 7.6.1810 (Core) Name : MariaDB-client Version : 10.3.12 Release : 1.el7.centos Architecture: x86_64 Install Date: Wed 09 Jan 2019 11:28:31 AM MST Group : Applications/Databases Size : 232971328 License : GPLv2 Signature : DSA/SHA1, Sat 05 Jan 2019 12:50:24 PM MST, Key ID cbcb082a1bb943db Source RPM : MariaDB-client-10.3.12-1.el7.centos.src.rpm Build Date : Fri 04 Jan 2019 09:40:53 AM MST Build Host : centos73-amd64 Relocations : (not relocatable) Vendor : MariaDB Foundation URL : http://mariadb.org Summary : MariaDB: a very fast and robust SQL database server Name : MariaDB-server Version : 10.3.12 Release : 1.el7.centos Architecture: x86_64 Install Date: Wed 09 Jan 2019 11:28:56 AM MST Group : Applications/Databases Size : 539357683 License : GPLv2 Signature : DSA/SHA1, Sat 05 Jan 2019 12:50:29 PM MST, Key ID cbcb082a1bb943db Source RPM : MariaDB-server-10.3.12-1.el7.centos.src.rpm Build Date : Fri 04 Jan 2019 09:41:54 AM MST Build Host : centos73-amd64 Relocations : (not relocatable) Vendor : MariaDB Foundation URL : http://mariadb.org Summary : MariaDB: a very fast and robust SQL database server

Description

I have a MariaDB 10.3.12 server configured with SSL. The SAN certificate presented by the server looks like this:

Common Name:  server

X509 Extensions:

   X509 v3 Subject Alternate Names:

       DNS.1:  server-01

       DNS.2:  server-01.mydomain.com

       IP.1:  10.0.0.5

When I connect to the server using the --host option that corresponds to the DNS entry of the Common Name, the connection succeeds.

shell
mysql -u root --host server -p --ssl-verify-server-cert=1 --ssl-ca=/etc/pki/tls/cert.pem
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 20
Server version: 10.3.12-MariaDB-log MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

However, if I attempt to connect using any of the DNS entries which correspond to the SAN name, the connection fails with an SSL error.

shell
mysql -u root --host server-01 -p --ssl-verify-server-cert=1 --ssl-ca=/etc/pki/tls/cert.pem
Enter password:
ERROR 2026 (HY000): SSL connection error: Validation of SSL server certificate failed

mysql -u root --host server-01.mydomain.com -p --ssl-verify-server-cert=1 --ssl-ca=/etc/pki/tls/cert.pem
Enter password:
ERROR 2026 (HY000): SSL connection error: Validation of SSL server certificate failed

mysql -u root --host 10.0.0.5 -p --ssl-verify-server-cert=1 --ssl-ca=/etc/pki/tls/cert.pem
Enter password:
ERROR 2026 (HY000): SSL connection error: Validation of SSL server certificate failed

There is another issue, ~~MDEV-13102~~, with extremely similar symptoms which was marked as fixed for 10.1.23. I think this could be a regression on that issue, as the behavior is very similiar.

Attachments

Issue Links

relates to

MDEV-10594 SSL hostname verification fails for SubjectAltNames

Closed

MDEV-15848 version_ssl_library seems to be incorrect in some cases

Closed

MDEV-18893 debuginfo packages missing from Cento{6|7}/RHEL{6|7}/sles12

Closed

MDEV-18131 MariaDB does not verify IP addresses from subject alternative names

Closed

Activity

People

Assignee:: Daniel Bartholomew

Reporter:: John Anderson

Votes:: 1 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 2019-01-16 23:58

Updated:: 2024-07-07 23:21

Resolved:: 2019-04-15 10:53

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server