Details
-
New Feature
-
Status: Open (View Workflow)
-
Minor
-
Resolution: Unresolved
Description
The client programs don't resolve relative paths for -ssl* options. This means that if a relative path is provided to one of the options when the = character is specified, then an error is thrown.
For example, specifying --ssl-ca=~/test_chain.pem doesn't work:
$ mariadb --host sky0001585.mdb0001419.test.skysql.net --port 5001 --user DB00003004 --ssl-ca=~/test_chain.pem --password='secretpw'
|
ERROR 2026 (HY000): SSL connection error: No such file or directory
|
But specifying --ssl-ca ~/test_chain.pem with no = character does work, because the shell resolves the path:
$ mariadb --host sky0001585.mdb0001419.test.skysql.net --port 5001 --user DB00003004 --ssl-ca ~/test_chain.pem --password='secretpw'
|
Welcome to the MariaDB monitor. Commands end with ; or \g.
|
Your MariaDB connection id is 4047
|
Server version: 10.4.11-5-MariaDB-enterprise-log MariaDB Enterprise Server
|
|
|
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
|
|
|
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
|
|
|
MariaDB [(none)]>
|
In contrast, if you specify the full path with the = character, then it also work as well:
$ mariadb --host sky0001585.mdb0001419.test.skysql.net --port 5001 --user DB00003004 --ssl-ca=/home/ec2-user/test_chain.pem --password='secretpw'
|
Welcome to the MariaDB monitor. Commands end with ; or \g.
|
Your MariaDB connection id is 4871
|
Server version: 10.4.11-5-MariaDB-enterprise-log MariaDB Enterprise Server
|
|
|
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
|
|
|
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
|
|
|
MariaDB [(none)]>
|
So this specifically seems to be related to providing a relative path with the = character.
According to strace, when the = character is provided with the relative path, the client is calling open() on the relative path:
$ strace mariadb --host sky0001585.mdb0001419.test.skysql.net --port 5001 --user DB00003004 --ssl-ca=~/test_chain.pem --password='secretpw' 2>&1 | grep "test_chain.pem"
|
execve("/usr/bin/mariadb", ["mariadb", "--host", "sky0001585.mdb0001419.test.skysq"..., "--port", "5001", "--user", "DB00003004", "--ssl-ca=~/test_chain.pem", "--password=secretpw"...], [/* 24 vars */]) = 0
|
open("~/test_chain.pem", O_RDONLY) = -1 ENOENT (No such file or directory)
|
And when the = character is not provided, the shell has resolved the path to the absolute path for the client:
$ strace mariadb --host sky0001585.mdb0001419.test.skysql.net --port 5001 --user DB00003004 --ssl-ca ~/test_chain.pem --password='secretpw' 2>&1 | grep "test_chain.pem"
|
execve("/usr/bin/mariadb", ["mariadb", "--host", "sky0001585.mdb0001419.test.skysq"..., "--port", "5001", "--user", "DB00003004", "--ssl-ca", "/home/ec2-user/test_chain.pem", "--password=secretpw"...], [/* 24 vars */]) = 0
|
open("/home/ec2-user/test_chain.pem", O_RDONLY) = 4
|
This is a documented limitation:
--ssl-ca=name
Defines a path to a PEM file that should contain one or more X509 certificates for trusted Certificate Authorities (CAs) to use for TLS. This option requires that you use the absolute path, not a relative path. See Secure Connections Overview: Certificate Authorities (CAs) for more information. This option implies the --ssl option.
https://mariadb.com/kb/en/mysql-command-line-client/#options
However, this behavior is not very user friendly.
Is there any reason that clients shouldn't resolve relative paths automatically?