MariaDB Server - MDEV-19560

Client may not compare IP address to Subject Alternative Name fields for server certificate verification

Details

• Type: Bug
• Status: Open
• Priority: Major
• Resolution: Unresolved
• Affects Version/s: 10.1.40, 10.2.24, 10.3.15, 10.4.5
• Fix Version/s: 10.1, 10.2, 10.3, 10.4
• Component/s: SSL
• Labels: None

Description

This is similar to CONC-413.

Support for server certificate verification against subjectAltName (SAN) fields was added in the following Jira issues:

However, I noticed that clients don't necessarily check the server's IP address against the subjectAltName (SAN) fields in the certificate. They only check mysql->host, which can be a host name or an IP address. If the user specifies the server's host as a host name, then I don't believe that the client will verify the certificate using the server's IP address.

https://github.com/MariaDB/server/blob/mariadb-10.1.40/sql-common/client.c#L2647

https://github.com/MariaDB/server/blob/mariadb-10.1.40/sql-common/client.c#L1840

Could the IP address of the remote server be fetched in ssl_verify_server_cert() with the socket_remoteN functions by passing vio_fd(vio)?

https://linux.die.net/man/3/socket_remote4

https://linux.die.net/man/3/socket_remote6
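The host-versus-SAN matching the report is about, as an added Python example that is not MariaDB's client.c code: a host name reference is compared only with dNSName entries, an IP literal only with iPAddress entries (as parsed addresses, not strings), and the optional peer_ip parameter is an assumed hook that models the report's question of also comparing the socket's remote address. SAN entries use the (type, value) shape Python's ssl.getpeercert() reports; the sample entries are constructed.

```python
import ipaddress
from typing import Iterable, Optional, Tuple

# SAN entries in the shape Python's ssl.getpeercert() reports them:
# ("DNS", name) or ("IP Address", literal). Constructed sample data.
SanEntry = Tuple[str, str]
SAMPLE_SAN = [("DNS", "db.example.com"), ("DNS", "*.db.example.com"),
              ("IP Address", "10.0.0.5")]

def _match_dns(pattern: str, host: str) -> bool:
    """dNSName match: case-insensitive, trailing dot ignored, wildcard only as
    the whole left-most label of a name with at least three labels."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]

def san_matches(san: Iterable[SanEntry], reference: str) -> bool:
    """A host name is compared only with dNSName entries; an IP literal only
    with iPAddress entries, compared as parsed addresses (not strings), so
    textual variants such as 2001:0db8::0001 and 2001:db8::1 still match."""
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None  # reference is a host name, not an IP literal
    for kind, value in san:
        if ref_ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ref_ip:
                    return True
            except ValueError:
                continue  # malformed entry is skipped, never treated as a match
        elif ref_ip is None and kind == "DNS" and _match_dns(value, reference):
            return True
    return False

def verify_server_cert(san: Iterable[SanEntry], host: str,
                       peer_ip: Optional[str] = None) -> Optional[str]:
    """Return the reference identity the certificate satisfied, or None.
    Checking `host` alone mirrors the behaviour the report describes
    (mysql->host, a name or a literal); `peer_ip` models the report's
    question of also comparing the socket's remote address (an assumption)."""
    if san_matches(san, host):
        return host
    if peer_ip is not None and san_matches(san, peer_ip):
        return peer_ip
    return None
```

With only an iPAddress entry in the certificate and a host name in mysql->host, the host check alone fails, which is the situation the report describes.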

People

• Assignee: Vladislav Vaintroub (wlad)
• Reporter: Geoff Montee (GeoffMontee)
• Votes: 0
• Watchers: 2