[MDEV-27405] Inconsistent error messages upon missing correct extendKeyUsage purpose in certificates - Jira

Details

Type: Bug
Status: Open (View Workflow)
Priority: Minor
Resolution: Unresolved
Affects Version/s: 10.6
Fix Version/s: 10.6
Component/s: SSL
Labels:
None

Description

When configuring TLS on the server side using a x509 v3 certificate with the extendedKeyUsage present, but not including the serverAuth purpose, the server process starts up without any warning.

When trying to connect to such a server clients report

ERROR 2026 (HY000): SSL connection error: unsupported certificate purpose

so it is at least somewhat clear why connections fail.

When the server is set up correctly, but the client wants to use two way TLS and does not have clientAuth in its own certificate set the situation is more tricky though. The client will report

ERROR 2013 (HY000): Lost connection to server at 'sending authentication information', system error: 104

and the server side error log only shows:

[Warning] Aborted connection ... to db: 'unconnected' user: 'unauthenticated' host: '...' (This connection closed normally without authentication)

So in this constellation it is extremely difficult to figure out what the actual cause of the connection failure is.

Tested with 10.6.5

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

certs_and_conf.tar.gz
11 kB
2022-02-15 11:58
client1.pcap
11 kB
2022-02-15 12:08
client2.pcap
7 kB
2022-02-15 12:08

Issue Links

is blocked by

CONC-603 Wrong error handling in TLS read/write

Open

Activity

Ascending order - Click to sort in descending order

View 6 older comments

Georg Richter added a comment - 2022-07-08 05:13

This seems to be happen only using TLSv1.3 where client certificate is checked after handshake.

Server:
SSL_accept() returns -1 and SSL_get_error returns SSL_ERROR_SSL. Instead of retrieving the OpenSSL error, this error is handled as a protocol error (errno=EPROTO):

(gdb) p ssl_error

$1 = 1

(gdb) p ERR_error_string(1, NULL)

$2 = 0x7ffff7cfb1a0 <buf> "error:00000001:lib(0):func(0):reason(1)"

(gdb) p ERR_error_string(ERR_peek_error(), NULL)

$3 = 0x7ffff7cfb1a0 <buf> "error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed"

On client side SSL_connect() returns success (=1)

Georg Richter added a comment - 2022-07-08 05:13 This seems to be happen only using TLSv1.3 where client certificate is checked after handshake. Server: SSL_accept() returns -1 and SSL_get_error returns SSL_ERROR_SSL. Instead of retrieving the OpenSSL error, this error is handled as a protocol error (errno=EPROTO): (gdb) p ssl_error $1 = 1 (gdb) p ERR_error_string(1, NULL) $2 = 0x7ffff7cfb1a0 <buf> "error:00000001:lib(0):func(0):reason(1)" (gdb) p ERR_error_string(ERR_peek_error(), NULL) $3 = 0x7ffff7cfb1a0 <buf> "error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed" On client side SSL_connect() returns success (=1)

Georg Richter added a comment - 2022-07-08 05:55

Partial fix pushed for Connector/C - server still needs to be fixed. (reassigning to wlad)

Georg Richter added a comment - 2022-07-08 05:55 Partial fix pushed for Connector/C - server still needs to be fixed. (reassigning to wlad)

Vladislav Vaintroub added a comment - 2022-07-08 10:19

Only client-side solution is OK I guess. If this is really fixed on the client, georg, please indicate the versions where it would be fixed, and feel free to close

Vladislav Vaintroub added a comment - 2022-07-08 10:19 Only client-side solution is OK I guess. If this is really fixed on the client, georg , please indicate the versions where it would be fixed, and feel free to close

Hartmut Holzgraefe added a comment - 2022-07-08 11:00

I tend to disagree, this is not the only connector in the world, and there even be client applications using Connector/C but don't forward library error messages properly.

So wearing my "I have to support all of this" hat I'd very much like to see the server report actual reasons for (This connection closed normally without authentication).

Hartmut Holzgraefe added a comment - 2022-07-08 11:00 I tend to disagree, this is not the only connector in the world, and there even be client applications using Connector/C but don't forward library error messages properly. So wearing my "I have to support all of this" hat I'd very much like to see the server report actual reasons for (This connection closed normally without authentication) .

Georg Richter added a comment - 2022-07-09 22:21

wlad I didn't close it, since it needs to be fixed in server. The information":tls_process_client_certificate:certificate verify failed" is available and should be written to logs.
Since TLSv1.3 alerts can be send after initial handshake - so read/write error is not a socket error ony, but also an TLS alert. If SSL_get_error() returns SSL_ERROR_SSL server should retrieve the errormsg and write it to log.

Georg Richter added a comment - 2022-07-09 22:21 wlad I didn't close it, since it needs to be fixed in server. The information":tls_process_client_certificate:certificate verify failed" is available and should be written to logs. Since TLSv1.3 alerts can be send after initial handshake - so read/write error is not a socket error ony, but also an TLS alert. If SSL_get_error() returns SSL_ERROR_SSL server should retrieve the errormsg and write it to log.

People

Assignee:: Georg Richter

Reporter:: Hartmut Holzgraefe

Votes:: 2 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2022-01-02 19:08

Updated:: 2023-03-03 17:24

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Git Integration