Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-19268

TLS Setup Documentation

Details

    Description

      > You need to set the path to the server's X509 certificate by setting the ssl_cert system variable.

      Where does the server's X509 certificate come from? A guide like [1] suggests the admin can generate it himself. IMO this info should be included in the MariaDB docs.
      Could a script be provided that automates all steps?

      1. https://www.cyberciti.biz/faq/how-to-setup-mariadb-ssl-and-secure-connections-from-clients/

      2. https://mariadb.com/kb/en/library/securing-connections-for-client-and-server/

      Attachments

        Issue Links

          relates to

          Task - A task that needs to be done. MDEV-23772 Automate SSL connection tests for MariaDB

          • Major - Major loss of function.
          • Closed

          Activity

            Ascending order - Click to sort in descending order
            View 9 older comments
            serg Sergei Golubchik added a comment - - edited

            with "zero-config SSL" the user in most cases no longer needs to setup TLS manually

            serg Sergei Golubchik added a comment - - edited with "zero-config SSL" the user in most cases no longer needs to setup TLS manually
            XTF Olaf van der Spek added a comment -

            Client-side doesn't appear to be zero-conf though:

            > TLS/SSL error: Server certificate validation failed. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. Error 0x800B0109(CERT_E_UNTRUSTEDROOT)

            What's required on the client (library) side?
            Could a link to this be included in the error message?

            XTF Olaf van der Spek added a comment - Client-side doesn't appear to be zero-conf though: > TLS/SSL error: Server certificate validation failed. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. Error 0x800B0109(CERT_E_UNTRUSTEDROOT) What's required on the client (library) side? Could a link to this be included in the error message?
            serg Sergei Golubchik added a comment -

            What version of the server and the client library you're using?

            serg Sergei Golubchik added a comment - What version of the server and the client library you're using?
            XTF Olaf van der Spek added a comment -

            Server: 11.4.5-1 on Debian
            Client: libmariadb_3.4.1_x86-windows from vcpkg

            XTF Olaf van der Spek added a comment - Server: 11.4.5-1 on Debian Client: libmariadb_3.4.1_x86-windows from vcpkg
            serg Sergei Golubchik added a comment - - edited

            Could you try a later release of libmariadb? There were quite a few bugfixes related to TLS after 3.4.1.

            And — does your user account have a password? What authentication plugin does it use?

            serg Sergei Golubchik added a comment - - edited Could you try a later release of libmariadb? There were quite a few bugfixes related to TLS after 3.4.1. And — does your user account have a password? What authentication plugin does it use?

            People

              dbart Daniel Bartholomew
              XTF Olaf van der Spek
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.