When configuring TLS on the server side using an x509 v3 certificate with extendedKeyUsage present but not including the serverAuth purpose, the server process starts up without any warning.
When trying to connect to such a server, clients report
so it is at least somewhat clear why connections fail.
When the server is set up correctly, but the client wants to use two-way TLS and does not have clientAuth set in its own certificate, the situation is more tricky though. The client will report
ERROR 2013 (HY000): Lost connection to server at 'sending authentication information', system error: 104
and the server side error log only shows:
[Warning] Aborted connection ... to db: 'unconnected' user: 'unauthenticated' host: '...' (This connection closed normally without authentication)
So in this constellation it is extremely difficult to figure out what the actual cause of the connection failure is.
Georg Richter
added a comment - This seems to happen only when using TLSv1.3, where the client certificate is checked after the handshake.
Server:
SSL_accept() returns -1 and SSL_get_error() returns SSL_ERROR_SSL. Instead of retrieving the OpenSSL error, this error is handled as a protocol error (errno=EPROTO):
(gdb) p ssl_error
$1 = 1
(gdb) p ERR_error_string(1, NULL)
$2 = 0x7ffff7cfb1a0 <buf> "error:00000001:lib(0):func(0):reason(1)"
(gdb) p ERR_error_string(ERR_peek_error(), NULL)
$3 = 0x7ffff7cfb1a0 <buf> "error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed"
On the client side, SSL_connect() returns success (=1).
Vladislav Vaintroub
added a comment - Only a client-side solution is OK, I guess. If this is really fixed on the client, georg, please indicate the versions where it would be fixed, and feel free to close.
Hartmut Holzgraefe
added a comment - I tend to disagree; this is not the only connector in the world, and there may even be client applications using Connector/C that don't forward library error messages properly.
So, wearing my "I have to support all of this" hat, I'd very much like to see the server report the actual reasons for "(This connection closed normally without authentication)".
Georg Richter
added a comment - wlad, I didn't close it, since it needs to be fixed in the server. The information ":tls_process_client_certificate:certificate verify failed" is available and should be written to the logs.
Since TLSv1.3, alerts can be sent after the initial handshake, so a read/write error is not only a socket error but can also be a TLS alert. If SSL_get_error() returns SSL_ERROR_SSL, the server should retrieve the error message and write it to the log.
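As an added example (not code from this MariaDB issue or from the server), the C program below decodes the packed OpenSSL 1.1.x error code captured in the gdb session above and models the server-side decision Georg describes: when SSL_get_error() says SSL_ERROR_SSL, log the queued error, not the SSL_get_error() result itself. The ERR_GET_* bit layout and the three string-table entries are assumptions reproduced from OpenSSL 1.1.x so that nothing needs to link against libssl.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* SSL_get_error() result meaning "TLS-level failure, details are in the error queue". */
#define SSL_ERROR_SSL 1u

/* OpenSSL 1.1.x packs an error as lib (8 bits) | func (12 bits) | reason (12 bits);
 * these mirror ERR_GET_LIB / ERR_GET_FUNC / ERR_GET_REASON (assumed 1.1.x layout). */
static unsigned err_get_lib(uint32_t e)    { return (e >> 24) & 0xffu;  }
static unsigned err_get_func(uint32_t e)   { return (e >> 12) & 0xfffu; }
static unsigned err_get_reason(uint32_t e) { return e & 0xfffu; }

/* Hand-written stand-in for OpenSSL's string tables with only the entries from the
 * issue's gdb output; unknown values print as lib(N)/func(N)/reason(N), like ERR_error_string(). */
static void err_string(uint32_t e, char *out, size_t len)
{
    unsigned lib = err_get_lib(e), func = err_get_func(e), reason = err_get_reason(e);
    char l[32], f[48], r[48];
    if (lib == 0x14)    snprintf(l, sizeof l, "SSL routines"); else snprintf(l, sizeof l, "lib(%u)", lib);
    if (func == 0x17C)  snprintf(f, sizeof f, "tls_process_client_certificate"); else snprintf(f, sizeof f, "func(%u)", func);
    if (reason == 0x86) snprintf(r, sizeof r, "certificate verify failed"); else snprintf(r, sizeof r, "reason(%u)", reason);
    snprintf(out, len, "error:%08X:%s:%s:%s", (unsigned)e, l, f, r);
}

/* Server-side handling of SSL_accept() == -1. Only when SSL_get_error() returned
 * SSL_ERROR_SSL does the queue hold the real cause (with TLS 1.3 this includes the
 * post-handshake "certificate verify failed" alert). `queued` stands for
 * ERR_peek_error(); 0 means an empty queue. Returns 1 if a meaningful message was
 * produced, 0 if the caller should fall back to its socket-error (EPROTO) path. */
static int describe_accept_failure(unsigned ssl_error, uint32_t queued, char *out, size_t len)
{
    if (ssl_error != SSL_ERROR_SSL || queued == 0) {
        snprintf(out, len, "protocol error (EPROTO)");
        return 0;
    }
    err_string(queued, out, len);
    return 1;
}

int main(void)
{
    char buf[160];
    /* The bug: feeding SSL_get_error()'s return value (1) to ERR_error_string(). */
    err_string(SSL_ERROR_SSL, buf, sizeof buf);
    printf("wrong value logged : %s\n", buf);
    /* The fix: decode the queued code, here the one from the issue's gdb session. */
    describe_accept_failure(SSL_ERROR_SSL, 0x1417C086u, buf, sizeof buf);
    printf("queued error logged: %s\n", buf);
    return 0;
}
```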