Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
10.3.12
-
None
-
CentOS Linux release 7.6.1810 (Core)
Name : MariaDB-client
Version : 10.3.12
Release : 1.el7.centos
Architecture: x86_64
Install Date: Wed 09 Jan 2019 11:28:31 AM MST
Group : Applications/Databases
Size : 232971328
License : GPLv2
Signature : DSA/SHA1, Sat 05 Jan 2019 12:50:24 PM MST, Key ID cbcb082a1bb943db
Source RPM : MariaDB-client-10.3.12-1.el7.centos.src.rpm
Build Date : Fri 04 Jan 2019 09:40:53 AM MST
Build Host : centos73-amd64
Relocations : (not relocatable)
Vendor : MariaDB Foundation
URL : http://mariadb.org
Summary : MariaDB: a very fast and robust SQL database server
Name : MariaDB-server
Version : 10.3.12
Release : 1.el7.centos
Architecture: x86_64
Install Date: Wed 09 Jan 2019 11:28:56 AM MST
Group : Applications/Databases
Size : 539357683
License : GPLv2
Signature : DSA/SHA1, Sat 05 Jan 2019 12:50:29 PM MST, Key ID cbcb082a1bb943db
Source RPM : MariaDB-server-10.3.12-1.el7.centos.src.rpm
Build Date : Fri 04 Jan 2019 09:41:54 AM MST
Build Host : centos73-amd64
Relocations : (not relocatable)
Vendor : MariaDB Foundation
URL : http://mariadb.org
Summary : MariaDB: a very fast and robust SQL database server
CentOS Linux release 7.6.1810 (Core) Name : MariaDB-client Version : 10.3.12 Release : 1.el7.centos Architecture: x86_64 Install Date: Wed 09 Jan 2019 11:28:31 AM MST Group : Applications/Databases Size : 232971328 License : GPLv2 Signature : DSA/SHA1, Sat 05 Jan 2019 12:50:24 PM MST, Key ID cbcb082a1bb943db Source RPM : MariaDB-client-10.3.12-1.el7.centos.src.rpm Build Date : Fri 04 Jan 2019 09:40:53 AM MST Build Host : centos73-amd64 Relocations : (not relocatable) Vendor : MariaDB Foundation URL : http://mariadb.org Summary : MariaDB: a very fast and robust SQL database server Name : MariaDB-server Version : 10.3.12 Release : 1.el7.centos Architecture: x86_64 Install Date: Wed 09 Jan 2019 11:28:56 AM MST Group : Applications/Databases Size : 539357683 License : GPLv2 Signature : DSA/SHA1, Sat 05 Jan 2019 12:50:29 PM MST, Key ID cbcb082a1bb943db Source RPM : MariaDB-server-10.3.12-1.el7.centos.src.rpm Build Date : Fri 04 Jan 2019 09:41:54 AM MST Build Host : centos73-amd64 Relocations : (not relocatable) Vendor : MariaDB Foundation URL : http://mariadb.org Summary : MariaDB: a very fast and robust SQL database server
Description
I have a MariaDB 10.3.12 server configured with SSL. The SAN certificate presented by the server looks like this:
Common Name: server
|
X509 Extensions:
|
X509 v3 Subject Alternate Names:
|
DNS.1: server-01
|
DNS.2: server-01.mydomain.com
|
IP.1: 10.0.0.5
|
When I connect to the server using the --host option that corresponds to the DNS entry of the Common Name, the connection succeeds.
|
shell |
mysql -u root --host server -p --ssl-verify-server-cert=1 --ssl-ca=/etc/pki/tls/cert.pem
|
Welcome to the MariaDB monitor. Commands end with ; or \g.
|
Your MariaDB connection id is 20
|
Server version: 10.3.12-MariaDB-log MariaDB Server
|
|
|
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
|
|
|
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
|
|
|
MariaDB [(none)]>
|
However, if I attempt to connect using any of the DNS entries which correspond to the SAN name, the connection fails with an SSL error.
|
shell |
mysql -u root --host server-01 -p --ssl-verify-server-cert=1 --ssl-ca=/etc/pki/tls/cert.pem
|
Enter password:
|
ERROR 2026 (HY000): SSL connection error: Validation of SSL server certificate failed
|
|
|
mysql -u root --host server-01.mydomain.com -p --ssl-verify-server-cert=1 --ssl-ca=/etc/pki/tls/cert.pem
|
Enter password:
|
ERROR 2026 (HY000): SSL connection error: Validation of SSL server certificate failed
|
|
|
mysql -u root --host 10.0.0.5 -p --ssl-verify-server-cert=1 --ssl-ca=/etc/pki/tls/cert.pem
|
Enter password:
|
ERROR 2026 (HY000): SSL connection error: Validation of SSL server certificate failed
|
There is another issue, MDEV-13102, with extremely similar symptoms which was marked as fixed for 10.1.23. I think this could be a regression on that issue, as the behavior is very similiar.
Attachments
Issue Links
- relates to
-
-
- Closed
-
-
-
- Closed
-
-
MDEV-18893 debuginfo packages missing from Cento{6|7}/RHEL{6|7}/sles12
-
- Closed
-
-
-
- Closed
-
Activity
I've confirmed that one user was able to solve this problem on CentOS/RHEL 7 by upgrading to one of the versions with the changes introduced to fix MDEV-18893.
I added the following note to the documentation:
On RHEL and CentOS 7, MariaDB's RPM packages were built with OpenSSL 1.0.1 for a long time, even after OpenSSL 1.0.2 became available on the platform. As a side effect, the clients and utilities bundled in these packages did not support server certificate verification with the subjectAltName field, even if the packages were installed on a system that had OpenSSL 1.0.2 installed. Starting with MariaDB 10.2.23, MariaDB 10.3.14, and MariaDB 10.4.4, MariaDB's RPM packages on RHEL and CentOS 7 are built with OpenSSL 1.0.2. Therefore, these are the minimum required versions to support server certificate verification with the subjectAltName field when using the clients and utilities bundled in MariaDB's RPM packages on RHEL and CentOS 7. See
MDEV-18277for more information.
https://mariadb.com/kb/en/library/secure-connections-overview/#server-certificate-verification
serg,
Should we go ahead and close this? Or is there something else that you think should be done for this?
I believe that MariaDB 10.1.39 should also be fixed, since it is also built with OpenSSL 1.0.2:
MariaDB [(none)]> SHOW GLOBAL VARIABLES LIKE 'version_ssl_library';
|
+---------------------+----------------------------------+
|
| Variable_name | Value |
|
+---------------------+----------------------------------+
|
| version_ssl_library | OpenSSL 1.0.2k-fips 26 Jan 2017 |
|
+---------------------+----------------------------------+
|
1 row in set (0.00 sec)
|
|
|
MariaDB [(none)]> SELECT VERSION();
|
+-----------------+
|
| VERSION() |
|
+-----------------+
|
| 10.1.39-MariaDB |
|
+-----------------+
|
1 row in set (0.00 sec)
|
And 10.1.39 also contains the relevant compile-time checks:
https://github.com/MariaDB/server/blob/mariadb-10.1.39/sql-common/client.c#L1840
https://github.com/MariaDB/server/blob/mariadb-10.1.39/sql-common/client.c#L1790
After the changes introduced to fix
MDEV-18893, MariaDB RPMs for RHEL/CentOS 7 will be built on systems that use OpenSSL 1.0.2. That should mean that versions starting with 10.2.23, 10.3.14, and 10.4.4 will be built with OpenSSL 1.0.2 on RHEL/CentOS 7. I've confirmed that MariaDB 10.2.23 and MariaDB 10.3.14 on RHEL/CentOS 7 both have the following output:MariaDB [(none)]> SHOW GLOBAL VARIABLES LIKE 'version_ssl_library';+---------------------+----------------------------------+| Variable_name | Value |+---------------------+----------------------------------+| version_ssl_library | OpenSSL 1.0.2k-fips 26 Jan 2017 |+---------------------+----------------------------------+1 row in set (0.001 sec)So if anyone is having this issue with server certificate verification with SANs, you might want to see if it works if you update your clients to one of these versions that are built with OpenSSL 1.0.2.