Details
- Type: Bug
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: 10.6.7
- Environment: Fedora 35, native 10.6.7 client with server 10.6.7 in docker
Description
Connecting with certificates that have the wrong extended key usage attributes (serverAuth instead of clientAuth) produces no error message on the client or the database.
{code}
[markusjm@monolith ssl-certs]$ mysql -u maxuser -pmaxpwd -h 127.0.0.1 -D test --ssl --ssl-key=client-key.pem --ssl-cert=client-cert.pem --ssl-ca=ca.pem -P 3000 -e "select 1"
+---+
| 1 |
+---+
| 1 |
+---+
[markusjm@monolith ssl-certs]$ mysql -u maxuser -pmaxpwd -h 127.0.0.1 -D test --ssl --ssl-key=server-key.pem --ssl-cert=server-cert.pem --ssl-ca=ca.pem -P 3000 -e "select 1"
ERROR 2013 (HY000): Lost connection to server at 'reading authorization packet', system error: 0
{code}
The only thing that the server logs is this:
{code}
2022-03-03 7:21:59 8 [Warning] Aborted connection 8 to db: 'unconnected' user: 'unauthenticated' host: '127.0.0.1' (This connection closed normally without authentication)
{code}
However, if I use the wrong certificate on the server, I get the following error message regardless of the type:
{code}
[markusjm@monolith ssl-certs]$ mysql -u maxuser -pmaxpwd -h 127.0.0.1 -D test --ssl --ssl-key=client-key.pem --ssl-cert=client-cert.pem --ssl-ca=ca.pem -P 3000 -e "select 1"
ERROR 2026 (HY000): SSL connection error: unsupported certificate purpose
[markusjm@monolith ssl-certs]$ mysql -u maxuser -pmaxpwd -h 127.0.0.1 -D test --ssl --ssl-key=server-key.pem --ssl-cert=server-cert.pem --ssl-ca=ca.pem -P 3000 -e "select 1"
ERROR 2026 (HY000): SSL connection error: unsupported certificate purpose
{code}
The {{client-cert.pem}} certificate has:
{code}
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    Netscape Cert Type:
        SSL Client, S/MIME
    Netscape Comment:
        OpenSSL Generated Client Certificate
    X509v3 Subject Key Identifier:
        5D:97:20:0B:30:A6:96:FD:89:C8:AB:92:57:9B:7B:B5:89:06:A8:D0
    X509v3 Authority Key Identifier:
        DirName:/C=FI/L=Default City/O=Default Company Ltd/CN=localhost
        serial:56:EA:28:16:63:2F:A1:F9:E3:1F:83:23:13:96:19:44:8B:E1:A9:88
    X509v3 Key Usage: critical
        Digital Signature, Non Repudiation, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Client Authentication, E-mail Protection
    X509v3 Subject Alternative Name:
        DNS:localhost
{code}
The {{server-cert.pem}} certificate has:
{code}
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    Netscape Cert Type:
        SSL Server
    Netscape Comment:
        OpenSSL Generated Server Certificate
    X509v3 Subject Key Identifier:
        48:CB:85:39:83:05:43:34:8D:D4:78:0B:20:4B:2B:0E:B8:71:E0:4A
    X509v3 Authority Key Identifier:
        DirName:/C=FI/L=Default City/O=Default Company Ltd/CN=localhost
        serial:56:EA:28:16:63:2F:A1:F9:E3:1F:83:23:13:96:19:44:8B:E1:A9:88
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication
    X509v3 Subject Alternative Name:
        DNS:localhost
{code}
The certificate MariaDB is configured with has:
{code}
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    Netscape Cert Type:
        SSL Server
    Netscape Comment:
        OpenSSL Generated Server Certificate
    X509v3 Subject Key Identifier:
        FC:7F:37:42:8F:10:AC:E1:7D:15:8F:16:93:AF:7B:83:81:9B:60:C1
    X509v3 Authority Key Identifier:
        DirName:/C=FI/L=Default City/O=Default Company Ltd/CN=localhost
        serial:56:EA:28:16:63:2F:A1:F9:E3:1F:83:23:13:96:19:44:8B:E1:A9:88
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication
    X509v3 Subject Alternative Name:
        DNS:localhost
{code}
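The silent disconnect above is a purpose mismatch that a pre-flight check would catch before deployment. As an added example (not code from the report or from MariaDB), the following Python reads the purpose-relevant extensions out of an `openssl x509 -text` dump like the ones shown here and applies a check modelled on OpenSSL's sslclient/sslserver purpose rules (Key Usage, Netscape Cert Type and Extended Key Usage); it also covers the case the report does not show, a certificate with no EKU at all, which RFC 5280 treats as valid for any purpose.

```python
import re

# Per-role requirements, modelled on OpenSSL's X509_check_purpose() for the
# sslclient / sslserver purposes; names are as printed by `openssl x509 -text`.
ROLE_RULES = {
    "client": {"eku": "TLS Web Client Authentication", "ns": "SSL Client",
               "ku": ("Digital Signature",)},
    "server": {"eku": "TLS Web Server Authentication", "ns": "SSL Server",
               "ku": ("Digital Signature", "Key Encipherment")},
}

# Extension dumps copied from the report (purpose-relevant entries only).
CLIENT_CERT = """X509v3 extensions:
    Netscape Cert Type:
        SSL Client, S/MIME
    X509v3 Key Usage: critical
        Digital Signature, Non Repudiation, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Client Authentication, E-mail Protection
"""
SERVER_CERT = """X509v3 extensions:
    Netscape Cert Type:
        SSL Server
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication
"""

def parse_extensions(dump):
    """Parse an 'X509v3 extensions:' dump into {name: {"critical", "values"}}.
    A header is 'Name:' plus optional ' critical'; indented lines below it
    hold comma-separated values (SKI/AKI/SAN lines never match as headers)."""
    exts, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line == "X509v3 extensions:":
            continue
        header = re.fullmatch(r"(.+?):(\s*critical)?", line)
        if header:
            current = header.group(1)
            exts[current] = {"critical": header.group(2) is not None, "values": []}
        elif current is not None:
            exts[current]["values"].extend(v.strip() for v in line.split(","))
    return exts

def check_purpose(dump, role):
    """Return (ok, reason) for presenting this certificate as a TLS `role`."""
    rules, exts = ROLE_RULES[role], parse_extensions(dump)
    ku = exts.get("X509v3 Key Usage")
    if ku and not any(bit in ku["values"] for bit in rules["ku"]):
        return False, f"Key Usage {ku['values']} lacks {' or '.join(rules['ku'])}"
    ns = exts.get("Netscape Cert Type")
    if ns and rules["ns"] not in ns["values"]:
        return False, f"Netscape Cert Type {ns['values']} excludes {rules['ns']}"
    eku = exts.get("X509v3 Extended Key Usage")
    if eku is None:  # RFC 5280 4.2.1.12: no EKU means any purpose is allowed
        return True, "no Extended Key Usage extension; any purpose allowed"
    if rules["eku"] in eku["values"] or "Any Extended Key Usage" in eku["values"]:
        return True, f"EKU permits {rules['eku']}"
    return False, f"EKU {eku['values']} lacks {rules['eku']}"
```

Running `check_purpose(SERVER_CERT, "client")` reproduces the report's failing case as a rejection with a reason, which is the message the client and server logs above do not give.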
Grants for the user:
{code}
MariaDB [test]> show grants;
+-------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for maxuser@127.0.0.1                                                                                                              |
+-------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO `maxuser`@`127.0.0.1` IDENTIFIED BY PASSWORD '*5EDBD32E469DAE0CE10E6999C3899DEFCB9F12E0' WITH GRANT OPTION |
+-------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.000 sec)
{code}
Issue Links
- relates to CONC-587 TLS: alerts after handshake not handled correctly (Closed)
Activity
Field | Original Value | New Value |
---|---|---|
Attachment | ca.pem [ 62481 ] | |
Attachment | ca-key.pem [ 62482 ] | |
Attachment | client-cert.pem [ 62483 ] | |
Attachment | client-key.pem [ 62484 ] | |
Attachment | mdb-cert.pem [ 62485 ] | |
Attachment | mdb-key.pem [ 62486 ] | |
Attachment | server-cert.pem [ 62487 ] | |
Attachment | server-key.pem [ 62488 ] | |
Assignee | Georg Richter [ georg ] |
Fix Version/s | 10.6 [ 24028 ] |
Attached certs and keys of the CA, client, server and MariaDB.