MariaDB Server: MDEV-23747

socket.ssl_ca argument being ignored.

Details

    Description

      In galerautils/src/gu_asio.cpp, function gu::ssl_prepare_context, you have the following bit of code:

      param = conf::ssl_key;
      ctx.use_private_key_file(conf.get(param), asio::ssl::context::pem);
      param = conf::ssl_cert;
      // use_certificate_file() loads only the first certificate found in the PEM file
      ctx.use_certificate_file(conf.get(param), asio::ssl::context::pem);
      param = conf::ssl_ca;
      // two-argument get(): the second argument is a default, used only when ssl_ca is unset
      ctx.load_verify_file(conf.get(param, conf.get(conf::ssl_cert)));

      Note that the load_verify_file call is not actually using the ssl_ca configuration setting; instead it is using the ssl_cert configuration setting again.

      This means that the only configuration that will work is one where your SSL certificate file contains the issuing CA (and any intermediate certificates, due to the use of use_certificate_file instead of use_certificate_chain_file).

      The most common working configuration is likely one where you have a single self-signed certificate that you copy to all of your servers, which is what the basic guides suggest, but which is... a great distance from any best practices surrounding SSL certificates.

      If the use_certificate_file call could be updated to use_certificate_chain_file at the same time that would be very, very helpful.
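The following is an added example, not MariaDB or Galera code and not from the reporter. It lints the socket.ssl_* entries of a wsrep_provider_options string the way gu::ssl_prepare_context consumes them: socket.ssl_ca falls back to socket.ssl_cert only when it is unset (the two-argument conf.get() default that the reporter's later comment clarifies), and use_certificate_file() takes only the first certificate in the cert file, so extra certificates bundled there are never presented as a chain. The file paths, the option strings and the PEM-looking file contents are all constructed for the example; the certificates are placeholders, not real ones.

```python
# Added example (not MariaDB/Galera code): lint the socket.ssl_* entries of a
# wsrep_provider_options string the way gu::ssl_prepare_context would use them.
import re
from pathlib import Path
from typing import Callable

# One PEM certificate block; re.S lets '.' span the base64 lines.
_PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def parse_provider_options(options: str) -> dict:
    """Split 'key=value;key=value' (wsrep_provider_options syntax) into a dict."""
    result = {}
    for item in options.split(";"):
        if "=" not in item:
            continue
        key, _, value = item.partition("=")
        result[key.strip()] = value.strip()
    return result


def resolve_ssl_files(opts: dict) -> dict:
    """Mirror the conf.get(param, default) calls: ssl_ca defaults to ssl_cert only when unset."""
    cert = opts.get("socket.ssl_cert")
    return {
        "key": opts.get("socket.ssl_key"),
        "cert": cert,
        "ca": opts.get("socket.ssl_ca", cert),
        "ca_defaulted": "socket.ssl_ca" not in opts,
    }


def count_pem_certs(pem_text: str) -> int:
    """Number of certificate blocks in a PEM bundle (leaf plus any chain)."""
    return len(_PEM_CERT.findall(pem_text))


def lint_ssl_options(options: str,
                     read: Callable[[str], str] = lambda p: Path(p).read_text()) -> list:
    """Return human-readable findings; 'read' maps a configured path to file contents."""
    files = resolve_ssl_files(parse_provider_options(options))
    findings = []
    for name in ("key", "cert"):
        if not files[name]:
            findings.append(f"socket.ssl_{name} is not set")
    if findings:
        return findings
    n_cert = count_pem_certs(read(files["cert"]))
    n_ca = count_pem_certs(read(files["ca"]))
    if files["ca_defaulted"]:
        findings.append(
            "socket.ssl_ca is unset, so peers are verified against socket.ssl_cert itself; "
            "only a certificate copied to every node (or one bundled with its CA) will verify"
        )
    if n_cert > 1:
        findings.append(
            f"socket.ssl_cert contains {n_cert} certificates but use_certificate_file() loads "
            "only the first; the others are not sent to peers as a chain"
        )
    if n_ca == 0:
        findings.append(f"no certificate found in CA file {files['ca']}")
    return findings


# Constructed sample inputs (placeholders, not real certificates or keys), keyed by
# the hypothetical paths the option strings below refer to.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBfake\n-----END CERTIFICATE-----\n"
SAMPLE_FILES = {
    "/etc/my.cnf.d/certs/node.pem": FAKE_CERT * 2,  # leaf plus intermediate in one file
    "/etc/my.cnf.d/certs/node.key": "-----BEGIN PRIVATE KEY-----\nfake\n-----END PRIVATE KEY-----\n",
    "/etc/my.cnf.d/certs/ca.pem": FAKE_CERT,
}


def demo() -> dict:
    """Lint a config without socket.ssl_ca and the same config with it, against the sample files."""
    read = SAMPLE_FILES.__getitem__
    weak = ("socket.ssl_key=/etc/my.cnf.d/certs/node.key;"
            "socket.ssl_cert=/etc/my.cnf.d/certs/node.pem")
    full = weak + ";socket.ssl_ca=/etc/my.cnf.d/certs/ca.pem"
    return {"weak": lint_ssl_options(weak, read), "full": lint_ssl_options(full, read)}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, *findings, sep="\n  ")
```

With a real node, call lint_ssl_options() with the value of wsrep_provider_options and let the default reader open the files; the "only the first" finding is the one that goes away once the provider switches to use_certificate_chain_file, the "socket.ssl_ca is unset" finding is a configuration choice rather than a bug.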

      Activity

            zelch Zephaniah Loss-Cutler-Hull created issue -

            So, with apologies, I completely misread the code around conf.get with two arguments, and had an unrelated issue keeping things from working.

            The use_certificate_file vs use_certificate_chain_file issue is still a problem, but a much lesser problem.

            elenst Elena Stepanova made changes -
            Field Original Value New Value
            Component/s SSL [ 10112 ]
            Fix Version/s 10.4 [ 22408 ]
            Assignee Jan Lindström [ jplindst ]
            serg Sergei Golubchik made changes -
            Workflow MariaDB v3 [ 113633 ] MariaDB v4 [ 142256 ]
            jplindst Jan Lindström (Inactive) made changes -
            Assignee Jan Lindström [ jplindst ] Julius Goryavsky [ sysprg ]
            sysprg Julius Goryavsky made changes -
            Status Open [ 1 ] In Progress [ 3 ]

            There were also problems with the handling of the ssl-ca and ssl-capath parameters, which were finally resolved after merging MDEV-24097 and MDEV-27181

            sysprg Julius Goryavsky made changes -
            Fix Version/s 10.8.1 [ 26815 ]
            Fix Version/s 10.7.2 [ 26813 ]
            Fix Version/s 10.6.6 [ 26811 ]
            Fix Version/s 10.5.14 [ 26809 ]
            Fix Version/s 10.4.23 [ 26807 ]
            Fix Version/s 10.3.33 [ 26805 ]
            Fix Version/s 10.2.42 [ 26803 ]
            Fix Version/s 10.4 [ 22408 ]
            Resolution Fixed [ 1 ]
            Status In Progress [ 3 ] Closed [ 6 ]

            People

              Assignee: sysprg Julius Goryavsky
              Reporter: zelch Zephaniah Loss-Cutler-Hull
