MariaDB Server, MDEV-18277

Client can't validate server certificate if SAN name used.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.3.12
    • Fix Version/s: 10.1.39, 10.2.23, 10.3.14, 10.4.4
    • Component/s: SSL
    • Labels:
      None

      Description

      I have a MariaDB 10.3.12 server configured with SSL. The SAN certificate presented by the server looks like this:

      Common Name:  server
      X509 Extensions:
         X509 v3 Subject Alternate Names:
             DNS.1:  server-01
             DNS.2:  server-01.mydomain.com
             IP.1:  10.0.0.5
      

      When I connect to the server using the --host option that corresponds to the DNS entry of the Common Name, the connection succeeds.

      shell

      mysql -u root --host server -p --ssl-verify-server-cert=1 --ssl-ca=/etc/pki/tls/cert.pem
      Welcome to the MariaDB monitor.  Commands end with ; or \g.
      Your MariaDB connection id is 20
      Server version: 10.3.12-MariaDB-log MariaDB Server
       
      Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
       
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
       
      MariaDB [(none)]>
      

      However, if I attempt to connect using any of the DNS entries which correspond to the SAN name, the connection fails with an SSL error.

      shell

      mysql -u root --host server-01 -p --ssl-verify-server-cert=1 --ssl-ca=/etc/pki/tls/cert.pem 
      Enter password: 
      ERROR 2026 (HY000): SSL connection error: Validation of SSL server certificate failed
       
      mysql -u root --host server-01.mydomain.com -p --ssl-verify-server-cert=1 --ssl-ca=/etc/pki/tls/cert.pem 
      Enter password: 
      ERROR 2026 (HY000): SSL connection error: Validation of SSL server certificate failed
       
      mysql -u root --host 10.0.0.5 -p --ssl-verify-server-cert=1 --ssl-ca=/etc/pki/tls/cert.pem 
      Enter password: 
      ERROR 2026 (HY000): SSL connection error: Validation of SSL server certificate failed
      

      There is another issue, MDEV-13102, with extremely similar symptoms which was marked as fixed for 10.1.23. I think this could be a regression on that issue, as the behavior is very similar.
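
The difference between a hostname check that compares only the Common Name and one that reads the Subject Alternative Name entries, as an added example (not part of the original report and not MariaDB's code). `CERT` is constructed from the certificate fields quoted in the description; the function names, and the rule of ignoring the CN when dNSName entries exist (the RFC 6125 convention), are assumptions of this example.

```python
import ipaddress

# Constructed from the certificate fields quoted in the report.
CERT = {"cn": "server",
        "san_dns": ["server-01", "server-01.mydomain.com"],
        "san_ip": ["10.0.0.5"]}

def _dns_match(pattern, host):
    """Case-insensitive label match; '*' is allowed only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def _as_ip(host):
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def verify_cn_only(cert, host):
    """CN-only comparison, consistent with the symptoms in the report."""
    return _dns_match(cert["cn"], host)

def verify_san_aware(cert, host):
    """IP hosts are matched against iPAddress entries, names against dNSName
    entries; the CN is consulted only when there are no dNSName entries
    (assumed policy, following RFC 6125)."""
    ip = _as_ip(host)
    if ip is not None:
        return any(ip == ipaddress.ip_address(e) for e in cert["san_ip"])
    if cert["san_dns"]:
        return any(_dns_match(e, host) for e in cert["san_dns"])
    return _dns_match(cert["cn"], host)

def compare(cert, hosts):
    """Map each host to (cn_only_result, san_aware_result)."""
    return {h: (verify_cn_only(cert, h), verify_san_aware(cert, h)) for h in hosts}

if __name__ == "__main__":
    hosts = ["server", "server-01", "server-01.mydomain.com", "10.0.0.5", "10.0.0.6"]
    for host, (cn, san) in compare(CERT, hosts).items():
        print(f"{host:24} cn_only={cn!s:5} san_aware={san}")
```

Under the SAN-aware rule the bare name `server` is rejected for this certificate because dNSName entries are present, so every name clients connect with should be listed in the SAN.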


              People

              • Assignee:
                dbart Daniel Bartholomew
                Reporter:
                ja391045 John Anderson
              • Votes:
                1
                Watchers:
                7
