[MDEV-27405] Inconsistent error messages upon missing correct extendKeyUsage purpose in certificates - Jira

XML

Word

Printable

Details

Type: Bug
Status: Open (View Workflow)
Priority: Minor
Resolution: Unresolved
Affects Version/s: 10.6
Fix Version/s: 10.6
Component/s: SSL
Labels:
None

Description

When configuring TLS on the server side using a x509 v3 certificate with the extendedKeyUsage present, but not including the serverAuth purpose, the server process starts up without any warning.

When trying to connect to such a server clients report

ERROR 2026 (HY000): SSL connection error: unsupported certificate purpose

so it is at least somewhat clear why connections fail.

When the server is set up correctly, but the client wants to use two way TLS and does not have clientAuth in its own certificate set the situation is more tricky though. The client will report

ERROR 2013 (HY000): Lost connection to server at 'sending authentication information', system error: 104

and the server side error log only shows:

[Warning] Aborted connection ... to db: 'unconnected' user: 'unauthenticated' host: '...' (This connection closed normally without authentication)

So in this constellation it is extremely difficult to figure out what the actual cause of the connection failure is.

Tested with 10.6.5

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

certs_and_conf.tar.gz
11 kB
2022-02-15 11:58
client1.pcap
11 kB
2022-02-15 12:08
client2.pcap
7 kB
2022-02-15 12:08

Issue Links

is blocked by

CONC-603 Wrong error handling in TLS read/write

Open

Activity

People

Assignee:: Georg Richter

Reporter:: Hartmut Holzgraefe

Votes:: 2 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2022-01-02 19:08

Updated:: 2023-03-03 17:24

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.