  1. MariaDB Server
  2. MDEV-25719

stunnel uses "verifyChain" without subject checks


    Details

      Description

      Warnings showing the ineffectiveness of donor verifying a certificate using a CA file:

      2021-05-18 11:43:49 0 [Note] WSREP: Running: 'wsrep_sst_rsync --role 'donor' --address '127.0.0.2:16247/rsync_sst' --local-port '16240' --socket '/home/panda/mariadb-10.5/build/mysql-test/var/tmp/14/mysqld.1.sock' --datadir '/home/panda/mariadb-10.5/build/mysql-test/var/14/mysqld.1/data/' --defaults-file '/home/panda/mariadb-10.5/build/mysql-test/var/14/my.cnf' --defaults-group-suffix '.1' --gtid '595bb00c-b7bd-11eb-8b03-def0b070bd72:2' --gtid-domain-id '0' --binlog-index 'mysqld-bin.index' --mysqld-args --defaults-group-suffix=.1 --defaults-file=/home/panda/mariadb-10.5/build/mysql-test/var/14/my.cnf --log-output=file --innodb --innodb-cmpmem --innodb-cmp-per-index --innodb-trx --innodb-locks --innodb-lock-waits --innodb-metrics --innodb-buffer-pool-stats --innodb-buffer-page --innodb-buffer-page-lru --innodb-sys-columns --innodb-sys-fields --innodb-sys-foreign --innodb-sys-foreign-cols --innodb-sys-indexes --innodb-sys-tables --innodb-sys-virtual --core-file --loose-debug-sync-timeout=300'
      2021-05-18 11:43:49 0 [Note] WSREP: Donor monitor thread started to monitor
      2021-05-18 11:43:49 0 [Note] WSREP: IST sender 2 -> 2
      2021-05-18 11:43:49 1 [Note] WSREP: sst_donor_thread signaled with 0
      WSREP_SST: [INFO] Using stunnel for SSL encryption: CAfile: '/home/panda/mariadb-10.5/mysql-test/std_data/cacert.pem', SSLMODE: 'VERIFY_CA' (20210518 11:43:52.757)
      2021-05-18 11:43:52 0 [Note] WSREP: Flushing tables for SST...
      2021-05-18 11:43:52 0 [Note] WSREP: pause
      2021-05-18 11:43:53 0 [Note] WSREP: Provider paused at 595bb00c-b7bd-11eb-8b03-def0b070bd72:2 (5)
      2021-05-18 11:43:53 0 [Note] WSREP: Server paused at: 2
      2021-05-18 11:43:53 0 [Note] WSREP: Tables flushed.
      2021.05.18 11:44:03 LOG4[ui]: Insecure file permissions on /home/panda/mariadb-10.5/mysql-test/std_data/server-key.pem
      2021.05.18 11:44:03 LOG4[ui]: Service [stunnel] uses "verifyChain" without subject checks
      2021.05.18 11:44:03 LOG4[ui]: Use "checkHost" or "checkIP" to restrict trusted certificates
      2021.05.18 11:44:10 LOG3[0]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing
      2021.05.18 11:44:11 LOG4[ui]: Insecure file permissions on /home/panda/mariadb-10.5/mysql-test/std_data/server-key.pem
      2021.05.18 11:44:11 LOG4[ui]: Service [stunnel] uses "verifyChain" without subject checks
      2021.05.18 11:44:11 LOG4[ui]: Use "checkHost" or "checkIP" to restrict trusted certificates
      2021.05.18 11:44:25 LOG3[0]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing
      2021.05.18 11:44:31 LOG4[ui]: Insecure file permissions on /home/panda/mariadb-10.5/mysql-test/std_data/server-key.pem
      2021.05.18 11:44:31 LOG4[ui]: Service [stunnel] uses "verifyChain" without subject checks
      2021.05.18 11:44:31 LOG4[ui]: Use "checkHost" or "checkIP" to restrict trusted certificates
      2021.05.18 11:44:41 LOG3[0]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing
      2021.05.18 11:44:43 LOG4[ui]: Insecure file permissions on /home/panda/mariadb-10.5/mysql-test/std_data/server-key.pem
      2021.05.18 11:44:43 LOG4[ui]: Insecure file permissions on /home/panda/mariadb-10.5/mysql-test/std_data/server-key.pem
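
      An added example, not part of the original report or of the MariaDB SST scripts: a small audit that flags stunnel services which enable "verifyChain" but set no "checkHost", "checkIP" or "checkEmail", the condition the LOG4 warnings above describe. The sample configs, the CA path and the host name node2.example.com are constructed, and treating options before the first section as service defaults is an assumption about the config being audited.

```python
import re

# Options that bind the accepted certificate to a subject, not just to the CA.
SUBJECT_CHECKS = {"checkhost", "checkip", "checkemail"}

def parse_stunnel_conf(text):
    """Return {service: {option_lower: [values]}}; global options are under ''."""
    services = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank line or comment
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = section.group(1)
            services.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:                               # options may repeat (e.g. checkHost)
            services[current].setdefault(key.strip().lower(), []).append(value.strip())
    return services

def services_without_subject_checks(text):
    """Names of services that trust any certificate issued by the CA."""
    services = parse_stunnel_conf(text)
    defaults = services.pop("")               # assumption: globals act as defaults
    flagged = []
    for name, opts in services.items():
        merged = {**defaults, **opts}
        chain_on = merged.get("verifychain", ["no"])[-1].lower() == "yes"
        if chain_on and not SUBJECT_CHECKS & merged.keys():
            flagged.append(name)
    return flagged

# Constructed sample configs: CA-only verification, then the same service
# restricted to one expected peer name (hypothetical host name).
WEAK = """
[stunnel]
client = yes
connect = 127.0.0.2:16247
CAfile = /path/to/cacert.pem
verifyChain = yes
"""
HARDENED = WEAK + "checkHost = node2.example.com\n"

if __name__ == "__main__":
    print("weak:", services_without_subject_checks(WEAK))
    print("hardened:", services_without_subject_checks(HARDENED))
```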
      


            People

            Assignee:
            sysprg Julius Goryavsky
            Reporter:
            sysprg Julius Goryavsky