Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-27405

Inconsistent error messages upon missing correct extendKeyUsage purpose in certificates

    XMLWordPrintable

Details

    • Bug
    • Status: Open (View Workflow)
    • Minor
    • Resolution: Unresolved
    • 10.6
    • 10.6
    • SSL
    • None

    Description

      When configuring TLS on the server side using a x509 v3 certificate with the extendedKeyUsage present, but not including the serverAuth purpose, the server process starts up without any warning.

      When trying to connect to such a server clients report

      ERROR 2026 (HY000): SSL connection error: unsupported certificate purpose
      

      so it is at least somewhat clear why connections fail.

      When the server is set up correctly, but the client wants to use two way TLS and does not have clientAuth in its own certificate set the situation is more tricky though. The client will report

      ERROR 2013 (HY000): Lost connection to server at 'sending authentication information', system error: 104
      

      and the server side error log only shows:

      [Warning] Aborted connection ... to db: 'unconnected' user: 'unauthenticated' host: '...' (This connection closed normally without authentication)
      

      So in this constellation it is extremely difficult to figure out what the actual cause of the connection failure is.

      Tested with 10.6.5

      Attachments

        1. certs_and_conf.tar.gz
          11 kB
        2. client1.pcap
          11 kB
        3. client2.pcap
          7 kB

        Issue Links

          Activity

            People

              georg Georg Richter
              hholzgra Hartmut Holzgraefe
              Votes:
              2 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.