Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-23747

socket.ssl_ca argument being ignored.

    XMLWordPrintable

Details

    Description

      In galerautils/src/gu_asio.cpp, function gu::ssl_prepare_context, you have the following bit of code:

      param = conf::ssl_key;
      ctx.use_private_key_file(conf.get(param), asio::ssl::context::pem);
      param = conf::ssl_cert;
      ctx.use_certificate_file(conf.get(param), asio::ssl::context::pem);
      param = conf::ssl_ca;
      ctx.load_verify_file(conf.get(param, conf.get(conf::ssl_cert)));

      If you note, the load_verify_file call is not actually using the ssl_ca configuration setting, instead it is using the ssl_cert configuration setting again.

      This means that the only configuration that will work is one where your SSL certificate file contains the issuing CA (and any intermediate certificates due to the use of use_certificate_file instead of use_certificate_chain_file).

      The most common working configuration is likely one where you have a single self-signed certificate that you copy to all of your servers, which is what the basic guides suggest, but which is... A great distance from any best practices surrounding SSL certificates.

      If the use_certificate_file call could be updated to use_certificate_chain_file at the same time that would be very, very helpful.

      Attachments

        Issue Links

          Activity

            People

              sysprg Julius Goryavsky
              zelch Zephaniah Loss-Cutler-Hull
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.