  1. MariaDB Server
  2. MDEV-21888

Clients rely on the shell to resolve relative paths for --ssl-* options


Details

    Description

      The client programs don't resolve relative paths for --ssl-* options. This means that if a relative path is provided to one of the options when the = character is specified, then an error is thrown.

      For example, specifying --ssl-ca=~/test_chain.pem doesn't work:

      $ mariadb --host sky0001585.mdb0001419.test.skysql.net --port 5001 --user DB00003004 --ssl-ca=~/test_chain.pem --password='secretpw'
      ERROR 2026 (HY000): SSL connection error: No such file or directory
      

      But specifying --ssl-ca ~/test_chain.pem with no = character does work, because the shell resolves the path:

      $ mariadb --host sky0001585.mdb0001419.test.skysql.net --port 5001 --user DB00003004 --ssl-ca ~/test_chain.pem --password='secretpw'
      Welcome to the MariaDB monitor.  Commands end with ; or \g.
      Your MariaDB connection id is 4047
      Server version: 10.4.11-5-MariaDB-enterprise-log MariaDB Enterprise Server
       
      Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
       
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
       
      MariaDB [(none)]>
      

      In contrast, if you specify the full path with the = character, then it works as well:

      $ mariadb --host sky0001585.mdb0001419.test.skysql.net --port 5001 --user DB00003004 --ssl-ca=/home/ec2-user/test_chain.pem --password='secretpw'
      Welcome to the MariaDB monitor.  Commands end with ; or \g.
      Your MariaDB connection id is 4871
      Server version: 10.4.11-5-MariaDB-enterprise-log MariaDB Enterprise Server
       
      Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
       
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
       
      MariaDB [(none)]>
      

      So this specifically seems to be related to providing a relative path with the = character.

      According to strace, when the = character is provided with the relative path, the client is calling open() on the relative path:

      $ strace mariadb --host sky0001585.mdb0001419.test.skysql.net --port 5001 --user DB00003004 --ssl-ca=~/test_chain.pem --password='secretpw' 2>&1 | grep "test_chain.pem"
      execve("/usr/bin/mariadb", ["mariadb", "--host", "sky0001585.mdb0001419.test.skysq"..., "--port", "5001", "--user", "DB00003004", "--ssl-ca=~/test_chain.pem", "--password=secretpw"...], [/* 24 vars */]) = 0
      open("~/test_chain.pem", O_RDONLY)      = -1 ENOENT (No such file or directory)
      

      And when the = character is not provided, the shell has resolved the path to the absolute path for the client:

      $ strace mariadb --host sky0001585.mdb0001419.test.skysql.net --port 5001 --user DB00003004 --ssl-ca ~/test_chain.pem --password='secretpw' 2>&1 | grep "test_chain.pem"
      execve("/usr/bin/mariadb", ["mariadb", "--host", "sky0001585.mdb0001419.test.skysq"..., "--port", "5001", "--user", "DB00003004", "--ssl-ca", "/home/ec2-user/test_chain.pem", "--password=secretpw"...], [/* 24 vars */]) = 0
      open("/home/ec2-user/test_chain.pem", O_RDONLY) = 4
      

      This is a documented limitation:

      --ssl-ca=name
      Defines a path to a PEM file that should contain one or more X509 certificates for trusted Certificate Authorities (CAs) to use for TLS. This option requires that you use the absolute path, not a relative path. See Secure Connections Overview: Certificate Authorities (CAs) for more information. This option implies the --ssl option.

      https://mariadb.com/kb/en/mysql-command-line-client/#options

      However, this behavior is not very user friendly.

      Is there any reason that clients shouldn't resolve relative paths automatically?
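
A wrapper-side workaround for the behavior in the strace output above, as an added example that is not part of the original report and is not MariaDB code: it rewrites `--ssl-ca=~/...` and relative paths to absolute paths before the client sees them, and refuses to start the client if the file is missing. The function names are hypothetical; `--ssl-cert` and `--ssl-key` are client options handled in addition to the `--ssl-ca` case shown on this page.

```shell
#!/bin/sh
# Added example (not MariaDB code). All function names are hypothetical.
# POSIX sh has no local variables; p, abs, n and arg are plain globals.

# resolve_path PATH: print the absolute form of PATH.
# Returns 1 if the result is not a readable regular file.
resolve_path() {
    p=$1
    case $p in
        "~")   p=$HOME ;;
        "~/"*) p=$HOME/${p#"~/"} ;;  # literal ~/ the shell left unexpanded
        /*)    ;;                    # already absolute
        *)     p=$PWD/$p ;;          # relative to the current directory
    esac
    [ -f "$p" ] && [ -r "$p" ] || {
        printf 'not a readable file: %s\n' "$p" >&2
        return 1
    }
    printf '%s\n' "$p"
}

# fix_ssl_arg ARG: rewrite --ssl-ca=PATH (also --ssl-cert, --ssl-key) so that
# PATH is absolute. Any other argument is printed unchanged.
fix_ssl_arg() {
    case $1 in
        --ssl-ca=*|--ssl-cert=*|--ssl-key=*)
            abs=$(resolve_path "${1#*=}") || return 1
            printf '%s=%s\n' "${1%%=*}" "$abs" ;;
        *)  printf '%s\n' "$1" ;;
    esac
}

# mariadb_abs ARGS...: run the client with every --ssl-*=PATH made absolute.
# Stops before connecting if a certificate or key file cannot be read.
mariadb_abs() {
    n=$#
    while [ "$n" -gt 0 ]; do
        arg=$(fix_ssl_arg "$1") || return 1
        shift
        set -- "$@" "$arg"
        n=$((n - 1))
    done
    mariadb "$@"
}
```

With this sourced, `mariadb_abs --ssl-ca=~/test_chain.pem ...` passes `--ssl-ca=/home/ec2-user/test_chain.pem` to the client for the user in the report.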


          People

            sanja Oleksandr Byelkin
            GeoffMontee Geoff Montee (Inactive)