[MDEV-27989] No TLS error for clients when extended key usage does not match - Jira

XML

Word

Printable

Details

Type: Bug
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.6.7
Fix Version/s: 10.6
Component/s: Scripts & Clients
Labels:
None
Environment:
Fedora 35, native 10.6.7 client with server 10.6.7 in docker

Description

Connecting with certificates that have the wrong extended key usage attributes (serverAuth instead of clientAuth) produces no error message on the client or the database.

[markusjm@monolith ssl-certs]$ mysql -u maxuser -pmaxpwd -h 127.0.0.1 -D test --ssl --ssl-key=client-key.pem --ssl-cert=client-cert.pem --ssl-ca=ca.pem -P 3000 -e "select 1"

+---+

| 1 |

+---+

| 1 |

+---+

[markusjm@monolith ssl-certs]$ mysql -u maxuser -pmaxpwd -h 127.0.0.1 -D test --ssl --ssl-key=server-key.pem --ssl-cert=server-cert.pem --ssl-ca=ca.pem -P 3000 -e "select 1"

ERROR 2013 (HY000): Lost connection to server at 'reading authorization packet', system error: 0

The only thing that the server logs is this:

2022-03-03  7:21:59 8 [Warning] Aborted connection 8 to db: 'unconnected' user: 'unauthenticated' host: '127.0.0.1' (This connection closed normally without authentication)

However, if I use the wrong certificate on the server, I get the following error message regardless of the type:

[markusjm@monolith ssl-certs]$ mysql -u maxuser -pmaxpwd -h 127.0.0.1 -D test --ssl --ssl-key=client-key.pem --ssl-cert=client-cert.pem --ssl-ca=ca.pem -P 3000 -e "select 1"

ERROR 2026 (HY000): SSL connection error: unsupported certificate purpose

[markusjm@monolith ssl-certs]$ mysql -u maxuser -pmaxpwd -h 127.0.0.1 -D test --ssl --ssl-key=server-key.pem --ssl-cert=server-cert.pem --ssl-ca=ca.pem -P 3000 -e "select 1"

ERROR 2026 (HY000): SSL connection error: unsupported certificate purpose

The client-cert.pem certificate has:

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Cert Type:

                SSL Client, S/MIME

            Netscape Comment:

                OpenSSL Generated Client Certificate

            X509v3 Subject Key Identifier:

                5D:97:20:0B:30:A6:96:FD:89:C8:AB:92:57:9B:7B:B5:89:06:A8:D0

            X509v3 Authority Key Identifier:

                DirName:/C=FI/L=Default City/O=Default Company Ltd/CN=localhost

                serial:56:EA:28:16:63:2F:A1:F9:E3:1F:83:23:13:96:19:44:8B:E1:A9:88

            X509v3 Key Usage: critical

                Digital Signature, Non Repudiation, Key Encipherment

            X509v3 Extended Key Usage:

                TLS Web Client Authentication, E-mail Protection

            X509v3 Subject Alternative Name:

                DNS:localhost

The server-cert.pem certificate has:

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Cert Type:

                SSL Server

            Netscape Comment:

                OpenSSL Generated Server Certificate

            X509v3 Subject Key Identifier:

                48:CB:85:39:83:05:43:34:8D:D4:78:0B:20:4B:2B:0E:B8:71:E0:4A

            X509v3 Authority Key Identifier:

                DirName:/C=FI/L=Default City/O=Default Company Ltd/CN=localhost

                serial:56:EA:28:16:63:2F:A1:F9:E3:1F:83:23:13:96:19:44:8B:E1:A9:88

            X509v3 Key Usage: critical

                Digital Signature, Key Encipherment

            X509v3 Extended Key Usage:

                TLS Web Server Authentication

            X509v3 Subject Alternative Name:

                DNS:localhost

The certificate MariaDB is configured with has:

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Cert Type:

                SSL Server

            Netscape Comment:

                OpenSSL Generated Server Certificate

            X509v3 Subject Key Identifier:

                FC:7F:37:42:8F:10:AC:E1:7D:15:8F:16:93:AF:7B:83:81:9B:60:C1

            X509v3 Authority Key Identifier:

                DirName:/C=FI/L=Default City/O=Default Company Ltd/CN=localhost

                serial:56:EA:28:16:63:2F:A1:F9:E3:1F:83:23:13:96:19:44:8B:E1:A9:88

            X509v3 Key Usage: critical

                Digital Signature, Key Encipherment

            X509v3 Extended Key Usage:

                TLS Web Server Authentication

            X509v3 Subject Alternative Name:

                DNS:localhost

Grants for the user:

MariaDB [test]> show grants;

+-------------------------------------------------------------------------------------------------------------------------------------------+

| Grants for maxuser@127.0.0.1                                                                                                              |

+-------------------------------------------------------------------------------------------------------------------------------------------+

| GRANT ALL PRIVILEGES ON *.* TO `maxuser`@`127.0.0.1` IDENTIFIED BY PASSWORD '*5EDBD32E469DAE0CE10E6999C3899DEFCB9F12E0' WITH GRANT OPTION |

+-------------------------------------------------------------------------------------------------------------------------------------------+

1 row in set (0.000 sec)

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

ca.pem
1 kB
2022-03-07 07:54
ca-key.pem
2 kB
2022-03-07 07:54
client-cert.pem
6 kB
2022-03-07 07:54
client-key.pem
3 kB
2022-03-07 07:54
mdb-cert.pem
6 kB
2022-03-07 07:54
mdb-key.pem
3 kB
2022-03-07 07:54
server-cert.pem
6 kB
2022-03-07 07:54
server-key.pem
3 kB
2022-03-07 07:54

Issue Links

relates to

CONC-587 TLS: alerts after handshake not handled correctly

Closed

Activity

People

Assignee:: Georg Richter

Reporter:: markus makela

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2022-03-03 07:20

Updated:: 2022-04-11 04:14

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.