Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-28908

Wrong (or at least confusing) documentation and help output for --ssl-verify-server-cert

    XMLWordPrintable

Details

    • Bug
    • Status: Open (View Workflow)
    • Major
    • Resolution: Unresolved
    • 10.3.35, 10.4.25, 10.5.16, 10.6.8, 10.7.4, 10.8.3
    • None
    • Scripts & Clients, SSL
    • None

    Description

      mysql --help claims

             •   --ssl-verify-server-cert
      		 
       
      		 
                 Verify server's "Common Name" in its cert against hostname used when
      		 
                 connecting. This option is disabled by default.

      and https://mariadb.com/kb/en/secure-connections-overview/#server-certificate-verification provides similar information.

      It turns out though that this option also has an influence on whether certificate expiry date is checked.

      I tested with two server instances, both having two host entries, one for names "db1" / "db2" which is a name included in their respective certificates SAN list, and one for names "foo1" / "foo2" which is not listed as a subject alternative name (SAN).

      Also the certificate for server db2 has expired.

      The following all work:

      mysql -u ssl -p... --ssl -h db1 
      mysql -u ssl -p... --ssl -h db2 
      mysql -u ssl -p... --ssl -h foo1 
      mysql -u ssl -p... --ssl -h foo2

      so no certificate validation seems to have happened for either server host name or expiry date.

      When adding ssl-ca connections to db1/foo1 work:

      mysql -u ssl -p... --ssl --ssl-ca=... -h db1 
      mysql -u ssl -p... --ssl --ssl-ca=... -h foo1

      but connections to the db2/foo2 host 

      mysql -u ssl -p... --ssl --ssl-ca=... -h db2
      		 
      mysql -u ssl -p... --ssl --ssl-ca=... -h foo2

      now fail with
      ERROR 2026 (HY000): SSL connection error: certificate has expired

      Now trying without ssl-ca but with ssl-verify-server-cert all four fail with
      ERROR 2026 (HY000): SSL connection error: self-signed certificate in certificate chain:

      mysql -u ssl -pSecret23! --ssl --ssl-verify-server-cert -h db1
      		 
      mysql -u ssl -pSecret23! --ssl --ssl-verify-server-cert -h db2
      		 
      mysql -u ssl -pSecret23! --ssl --ssl-verify-server-cert -h foo1
      		 
      mysql -u ssl -pSecret23! --ssl --ssl-verify-server-cert -h foo2

      So ssl-ca is now mandatory, and with that combination both server name and expiry checks are happening. Only this now works:

      mysql -u ssl -pSecret23! --ssl --ssl-ca=... --ssl-verify-server-cert -h db1

      While this complains about wrong hostname:

      mysql -u ssl -pSecret23! --ssl --ssl-ca=... --ssl-verify-server-cert -h foo1

      and these two about expired server certificate:

      mysql -u ssl -pSecret23! --ssl --ssl-ca=... --ssl-verify-server-cert -h db2
      		 
      mysql -u ssl -pSecret23! --ssl --ssl-ca=... --ssl-verify-server-cert -h foo2

      So aside from just checking for valid server certificate host name ssl-verify-server-cert at least also enables CA chain validation, which is contradicting the documented behavior / purpose of the option.

      And explicitly giving ssl-ca does not only enable CA chain validation, but also server certificate expiry checks.

      Attachments

        Activity

          People

            Unassigned Unassigned
            hholzgra Hartmut Holzgraefe
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.