MariaDB Server / MDEV-21888

Resolve relative paths for --ssl-* options in the client

Details

    Description

      The client programs don't resolve relative paths for --ssl-* options. This means that if a relative path is provided to one of the options when the = character is specified, then an error is thrown.

      For example, specifying --ssl-ca=~/test_chain.pem doesn't work:

      $ mariadb --host sky0001585.mdb0001419.test.skysql.net --port 5001 --user DB00003004 --ssl-ca=~/test_chain.pem --password='secretpw'
      ERROR 2026 (HY000): SSL connection error: No such file or directory
      

      But specifying --ssl-ca ~/test_chain.pem with no = character does work, because the shell resolves the path:

      $ mariadb --host sky0001585.mdb0001419.test.skysql.net --port 5001 --user DB00003004 --ssl-ca ~/test_chain.pem --password='secretpw'
      Welcome to the MariaDB monitor.  Commands end with ; or \g.
      Your MariaDB connection id is 4047
      Server version: 10.4.11-5-MariaDB-enterprise-log MariaDB Enterprise Server
       
      Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
       
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
       
      MariaDB [(none)]>
      

      In contrast, if you specify the full path with the = character, then it also works:

      $ mariadb --host sky0001585.mdb0001419.test.skysql.net --port 5001 --user DB00003004 --ssl-ca=/home/ec2-user/test_chain.pem --password='secretpw'
      Welcome to the MariaDB monitor.  Commands end with ; or \g.
      Your MariaDB connection id is 4871
      Server version: 10.4.11-5-MariaDB-enterprise-log MariaDB Enterprise Server
       
      Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
       
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
       
      MariaDB [(none)]>
      

      So this specifically seems to be related to providing a relative path with the = character.

      According to strace, when the = character is provided with the relative path, the client is calling open() on the relative path:

      $ strace mariadb --host sky0001585.mdb0001419.test.skysql.net --port 5001 --user DB00003004 --ssl-ca=~/test_chain.pem --password='secretpw' 2>&1 | grep "test_chain.pem"
      execve("/usr/bin/mariadb", ["mariadb", "--host", "sky0001585.mdb0001419.test.skysq"..., "--port", "5001", "--user", "DB00003004", "--ssl-ca=~/test_chain.pem", "--password=secretpw"...], [/* 24 vars */]) = 0
      open("~/test_chain.pem", O_RDONLY)      = -1 ENOENT (No such file or directory)
      

      And when the = character is not provided, the shell has resolved the path to the absolute path for the client:

      $ strace mariadb --host sky0001585.mdb0001419.test.skysql.net --port 5001 --user DB00003004 --ssl-ca ~/test_chain.pem --password='secretpw' 2>&1 | grep "test_chain.pem"
      execve("/usr/bin/mariadb", ["mariadb", "--host", "sky0001585.mdb0001419.test.skysq"..., "--port", "5001", "--user", "DB00003004", "--ssl-ca", "/home/ec2-user/test_chain.pem", "--password=secretpw"...], [/* 24 vars */]) = 0
      open("/home/ec2-user/test_chain.pem", O_RDONLY) = 4
      

      This is a documented limitation:

      --ssl-ca=name
      Defines a path to a PEM file that should contain one or more X509 certificates for trusted Certificate Authorities (CAs) to use for TLS. This option requires that you use the absolute path, not a relative path. See Secure Connections Overview: Certificate Authorities (CAs) for more information. This option implies the --ssl option.

      https://mariadb.com/kb/en/mysql-command-line-client/#options

      However, this behavior is not very user friendly.

      Is there any reason that clients shouldn't resolve relative paths automatically?
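
What client-side resolution of such a path could look like, as an added example (not MariaDB's code; `resolve_cli_path` is a hypothetical helper): it expands a leading `~` the way the shell does for a separate word and anchors any other relative path at the current directory, so the value of `--ssl-ca=~/test_chain.pem` would reach `open()` as an absolute path.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper, not a MariaDB function: make the value of an
 * --ssl-* style option absolute before it is handed to open().
 * Returns 0 on success, -1 with errno set on failure. */
int resolve_cli_path(const char *arg, char *out, size_t outlen)
{
    char cwd[PATH_MAX];
    char user[256];
    const char *base;          /* directory the result is anchored at */
    const char *rest = arg;    /* part of arg appended to base */
    struct passwd *pw;
    size_t blen, ulen;
    int n;

    if (arg == NULL || arg[0] == '\0') { errno = EINVAL; return -1; }

    if (arg[0] == '/') {
        base = "";                               /* already absolute */
    } else if (arg[0] == '~') {
        ulen = strcspn(arg + 1, "/");            /* "~" or "~user" prefix */
        rest = arg + 1 + ulen;                   /* "" or "/..." */
        if (ulen == 0) {
            /* Same source the shell uses: $HOME, then the passwd entry. */
            base = getenv("HOME");
            if (base == NULL || base[0] != '/') {
                pw = getpwuid(getuid());
                base = pw ? pw->pw_dir : NULL;
            }
        } else {
            if (ulen >= sizeof user) { errno = ENAMETOOLONG; return -1; }
            memcpy(user, arg + 1, ulen);
            user[ulen] = '\0';
            pw = getpwnam(user);
            base = pw ? pw->pw_dir : NULL;
        }
        if (base == NULL) { errno = ENOENT; return -1; }
    } else {
        /* Plain relative path: anchor it at the working directory. */
        if (getcwd(cwd, sizeof cwd) == NULL) return -1;
        base = cwd;
    }

    /* Join base and rest with exactly one '/' between them. */
    blen = strlen(base);
    while (blen > 0 && base[blen - 1] == '/') blen--;
    n = snprintf(out, outlen, "%.*s%s%s", (int)blen, base,
                 (rest[0] == '/' || rest[0] == '\0') ? "" : "/", rest);
    if (n == 0) n = snprintf(out, outlen, "/");  /* home directory is "/" */
    if (n < 0 || (size_t)n >= outlen) { errno = ENAMETOOLONG; return -1; }
    return 0;
}

int main(void)
{
    /* The spellings from the report, as the client sees them in argv. */
    const char *samples[] = { "~/test_chain.pem", "test_chain.pem",
                              "/home/ec2-user/test_chain.pem" };
    char path[PATH_MAX];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (resolve_cli_path(samples[i], path, sizeof path) == 0)
            printf("%-32s -> %s\n", samples[i], path);
        else
            perror(samples[i]);
    }
    return 0;
}
```

The helper only builds the absolute path; whether the file exists and is readable is still reported by the later `open()`.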

        Activity

          GeoffMontee Geoff Montee (Inactive) created issue -
          GeoffMontee Geoff Montee (Inactive) made changes -
          Summary: "Clients can't handle ~ character in --ssl-* option paths when = is specified" -> "Clients rely on the shell to resolve relative paths for --ssl-* options"
          GeoffMontee Geoff Montee (Inactive) made changes -
          Assignee Sergei Golubchik [ serg ]
          GeoffMontee Geoff Montee (Inactive) made changes -
          Component/s SSL [ 10112 ]
          serg Sergei Golubchik made changes -
          Assignee: Sergei Golubchik [ serg ] -> Oleksandr Byelkin [ sanja ]
          serg Sergei Golubchik made changes -
          Labels beginner-friendly
          serg Sergei Golubchik made changes -
          Priority: Major [ 3 ] -> Minor [ 4 ]
          serg Sergei Golubchik made changes -
          Workflow: MariaDB v3 [ 104659 ] -> MariaDB v4 [ 141823 ]
          ralf.gebhardt Ralf Gebhardt made changes -
          Fix Version/s 10.2 [ 14601 ]
          julien.fritsch Julien Fritsch made changes -
          Fix Version/s 10.3 [ 22126 ]
          serg Sergei Golubchik made changes -
          Affects Version/s 10.2.31 [ 24017 ]
          Affects Version/s 10.3.22 [ 24018 ]
          Affects Version/s 10.4.12 [ 24019 ]
          Issue Type: Bug [ 1 ] -> New Feature [ 2 ]
          serg Sergei Golubchik made changes -
          Summary: "Clients rely on the shell to resolve relative paths for --ssl-* options" -> "Resolve relative paths for --ssl-* options in the client"

          serg Sergei Golubchik added a comment - obviously, not a bug. even the description says "this is a documented limitation"

          People

            sanja Oleksandr Byelkin
            GeoffMontee Geoff Montee (Inactive)