MariaDB Server: MDEV-21888

Clients rely on the shell to resolve relative paths for --ssl-* options


      Description

      The client programs don't resolve relative paths for the --ssl-* options. This means that if a relative path is given to one of these options using the = form, the client fails with an error.

      For example, specifying --ssl-ca=~/test_chain.pem doesn't work:

      $ mariadb --host sky0001585.mdb0001419.test.skysql.net --port 5001 --user DB00003004 --ssl-ca=~/test_chain.pem --password='secretpw'
      ERROR 2026 (HY000): SSL connection error: No such file or directory
      

      But specifying --ssl-ca ~/test_chain.pem with no = character does work, because the shell resolves the path:

      $ mariadb --host sky0001585.mdb0001419.test.skysql.net --port 5001 --user DB00003004 --ssl-ca ~/test_chain.pem --password='secretpw'
      Welcome to the MariaDB monitor.  Commands end with ; or \g.
      Your MariaDB connection id is 4047
      Server version: 10.4.11-5-MariaDB-enterprise-log MariaDB Enterprise Server
       
      Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
       
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
       
      MariaDB [(none)]>
      

      In contrast, if you specify the full path with the = character, then it also works:

      $ mariadb --host sky0001585.mdb0001419.test.skysql.net --port 5001 --user DB00003004 --ssl-ca=/home/ec2-user/test_chain.pem --password='secretpw'
      Welcome to the MariaDB monitor.  Commands end with ; or \g.
      Your MariaDB connection id is 4871
      Server version: 10.4.11-5-MariaDB-enterprise-log MariaDB Enterprise Server
       
      Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
       
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
       
      MariaDB [(none)]>
      

      So this specifically seems to be related to providing a relative path with the = character.

      According to strace, when the = character is provided with the relative path, the client is calling open() on the relative path:

      $ strace mariadb --host sky0001585.mdb0001419.test.skysql.net --port 5001 --user DB00003004 --ssl-ca=~/test_chain.pem --password='secretpw' 2>&1 | grep "test_chain.pem"
      execve("/usr/bin/mariadb", ["mariadb", "--host", "sky0001585.mdb0001419.test.skysq"..., "--port", "5001", "--user", "DB00003004", "--ssl-ca=~/test_chain.pem", "--password=secretpw"...], [/* 24 vars */]) = 0
      open("~/test_chain.pem", O_RDONLY)      = -1 ENOENT (No such file or directory)
      

      And when the = character is not provided, the shell has resolved the path to the absolute path for the client:

      $ strace mariadb --host sky0001585.mdb0001419.test.skysql.net --port 5001 --user DB00003004 --ssl-ca ~/test_chain.pem --password='secretpw' 2>&1 | grep "test_chain.pem"
      execve("/usr/bin/mariadb", ["mariadb", "--host", "sky0001585.mdb0001419.test.skysq"..., "--port", "5001", "--user", "DB00003004", "--ssl-ca", "/home/ec2-user/test_chain.pem", "--password=secretpw"...], [/* 24 vars */]) = 0
      open("/home/ec2-user/test_chain.pem", O_RDONLY) = 4
      

      This is a documented limitation:

      --ssl-ca=name
      Defines a path to a PEM file that should contain one or more X509 certificates for trusted Certificate Authorities (CAs) to use for TLS. This option requires that you use the absolute path, not a relative path. See Secure Connections Overview: Certificate Authorities (CAs) for more information. This option implies the --ssl option.

      https://mariadb.com/kb/en/mysql-command-line-client/#options

      However, this behavior is not very user friendly.

      Is there any reason that clients shouldn't resolve relative paths automatically?
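      As an added illustration of the resolution the report asks for (this is not code from the MariaDB client or from the reporter), the Python wrapper below rewrites the client's argv before handing it over: it expands a leading ~ and makes the value absolute for both the --ssl-ca=value and --ssl-ca value spellings, so the client never calls open() on a literal "~/...". The list of path-valued options (--ssl-ca, --ssl-capath, --ssl-cert, --ssl-key) and the explicit home/cwd parameters are assumptions added for the example.

```python
import os
import posixpath
import sys

# Path-valued --ssl-* options of the mariadb client (assumed list; the
# report itself only discusses --ssl-ca).
SSL_PATH_OPTIONS = ("--ssl-ca", "--ssl-capath", "--ssl-cert", "--ssl-key")


def resolve_path(value, home, cwd):
    """Expand a leading '~' and make the path absolute, i.e. do what the
    shell did for the unquoted `--ssl-ca ~/test_chain.pem` form.
    Only the bare '~' / '~/...' prefix is handled, not '~user/...'."""
    if value == "~" or value.startswith("~/"):
        value = home + value[1:]
    if not posixpath.isabs(value):
        value = posixpath.join(cwd, value)
    return posixpath.normpath(value)


def resolve_ssl_paths(argv, home, cwd):
    """Return a copy of argv in which every --ssl-* path option carries an
    absolute path, whether written as `--opt=value` or `--opt value`.
    Options with no value are passed through untouched for the client to
    reject as usual."""
    out = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        opt, eq, val = arg.partition("=")
        if opt in SSL_PATH_OPTIONS and eq:
            # `--ssl-ca=~/x` form: the shell never touched `~`, so fix it here.
            out.append(f"{opt}={resolve_path(val, home, cwd)}" if val else arg)
        elif opt in SSL_PATH_OPTIONS and i + 1 < len(argv):
            # `--ssl-ca x` form: the value is the next argument.
            out.append(opt)
            i += 1
            out.append(resolve_path(argv[i], home, cwd))
        else:
            out.append(arg)
        i += 1
    return out


if __name__ == "__main__":
    # Usage: python ssl_path_wrapper.py <mariadb client arguments>
    args = resolve_ssl_paths(sys.argv[1:], os.path.expanduser("~"), os.getcwd())
    os.execvp("mariadb", ["mariadb"] + args)
```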

            People
            Assignee: Oleksandr Byelkin (sanja)
            Reporter: Geoff Montee (GeoffMontee)