[MDEV-19560] Client may not compare IP address to Subject Alternative Name fields for server certificate verification - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Not a Bug
Affects Version/s: 10.2.24, 10.1.40, 10.3.15, 10.4.5
Fix Version/s: N/A
Component/s: SSL
Labels:
None

Description

This is similar to CONC-413.

Support for server certificate verification against subjectAltName (SAN) fields was added in the following Jira issues:

However, I noticed that clients don't necessarily check the server's IP address against the subjectAltName (SAN) fields in the certificate. They only check mysql->host, which can be a host name or an IP address. If the user specifies the server's host as a host name, then I don't believe that the client will verify the certificate using the server's IP address.

https://github.com/MariaDB/server/blob/mariadb-10.1.40/sql-common/client.c#L2647

https://github.com/MariaDB/server/blob/mariadb-10.1.40/sql-common/client.c#L1840

Could the IP address of the remote server be fetched in ssl_verify_server_cert() with the socket_remoteN functions by passing vio_fd(vio)?

https://linux.die.net/man/3/socket_remote4

https://linux.die.net/man/3/socket_remote6

Attachments

Issue Links

relates to

CONC-250 SSL hostname verification for SubjectAltNames

Closed

CONC-413 C/C may not compare IP address to Subject Alternative Name fields for server certificate verification

Open

MDEV-10594 SSL hostname verification fails for SubjectAltNames

Closed

MDEV-18131 MariaDB does not verify IP addresses from subject alternative names

Closed

Activity

People

Assignee:: Vladislav Vaintroub

Reporter:: Geoff Montee (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2019-05-22 21:59

Updated:: 2021-05-28 05:48

Resolved:: 2021-05-28 05:48

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.