Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-27405

Inconsistent error messages upon missing correct extendKeyUsage purpose in certificates



    • Bug
    • Status: Open (View Workflow)
    • Minor
    • Resolution: Unresolved
    • 10.6
    • 10.6
    • SSL
    • None


      When configuring TLS on the server side using a x509 v3 certificate with the extendedKeyUsage present, but not including the serverAuth purpose, the server process starts up without any warning.

      When trying to connect to such a server clients report

      ERROR 2026 (HY000): SSL connection error: unsupported certificate purpose

      so it is at least somewhat clear why connections fail.

      When the server is set up correctly, but the client wants to use two way TLS and does not have clientAuth in its own certificate set the situation is more tricky though. The client will report

      ERROR 2013 (HY000): Lost connection to server at 'sending authentication information', system error: 104

      and the server side error log only shows:

      [Warning] Aborted connection ... to db: 'unconnected' user: 'unauthenticated' host: '...' (This connection closed normally without authentication)

      So in this constellation it is extremely difficult to figure out what the actual cause of the connection failure is.

      Tested with 10.6.5


        1. certs_and_conf.tar.gz
          11 kB
        2. client1.pcap
          11 kB
        3. client2.pcap
          7 kB

        Issue Links



              georg Georg Richter
              hholzgra Hartmut Holzgraefe
              2 Vote for this issue
              5 Start watching this issue



                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.