MariaDB Server / MDEV-29811

server advertises ssl even if it's unusable

Details

    Description

      If the server is started with --ssl but without properly configured certificates, it will advertise the ssl support in the handshake, but will not actually be able to use it. So a client with --ssl will fail to connect with the ssl error (e.g. "sslv3 alert handshake failure" in OpenSSL).

      I think the server should not start if it was requested to use ssl, but it cannot actually do it.

          Activity

            sanja Oleksandr Byelkin added a comment - OK to push
            uhofemeier Ulf Hofemeier added a comment (edited)

            What constitutes properly configured SSL certs? I have attached the config, docker-compose.yml and file system permissions, including a check on the certs that I created, and so far I haven't been able to bring up the server with ssl support. Please help. Thanks

            Attachments: docker-compose.yml, config-file.cnf

            root@93aa8e176fec:/# ls -la /run |grep secrets
            drwxr-xr-x 2 root root 4096 Jan 19 17:32 secrets
            root@93aa8e176fec:/# ls -la /run/secrets/
            total 28
            drwxr-xr-x 2 root root 4096 Jan 19 17:32 .
            drwxr-xr-x 1 root root 4096 Jan 19 17:32 ..
            r------- 1 1000 1000 2122 Jan 19 02:05 ca-cert.pem
            r------- 1 1000 1000 16 Jan 19 02:05 db_password.txt
            r------- 1 1000 1000 2029 Jan 19 02:05 server-cert.pem
            r------- 1 1000 1000 1704 Jan 19 02:05 server-key.pem
            root@93aa8e176fec:/#

            ~/git/pri-fidoiot/component-samples/demo/db/secrets$ openssl verify -CAfile ca-cert.pem server-cert.pem api-user.pem
            server-cert.pem: OK
            api-user.pem: OK

            The error message I'm getting when mariadbd is launched is:
            db_1 | 2023-01-19 17:37:14 0 [ERROR] Failed to setup SSL
            db_1 | 2023-01-19 17:37:14 0 [ERROR] SSL error: SSL_CTX_set_default_verify_paths failed
            db_1 | 2023-01-19 17:37:14 0 [ERROR] Aborting

            faust Faustin Lammler added a comment (edited)

            Hi uhofemeier!
            This is probably not the best place to ask for help since only people subscribed to this issue will receive your questions (that's 5 people currently).
            Also, jira.mariadb.org is normally used to report issues and it does not seem to be the case here (probably a mis-configuration).

            So, in the future, I encourage you to ask for help via Zulip or via the mailing list:

            https://mariadb.zulipchat.com/
            https://launchpad.net/~maria-discuss

            See also https://mariadb.org/contribute/#entry-header

            My best guess from the error above is that there is a PATH problem with your certificates. If you log into the mariadb container (probably something like `docker exec -it db bash`), can you make sure that the cert PATHs are correct and that the user that runs mysql can access them (probably mysql)?

            People

              wlad Vladislav Vaintroub
              serg Sergei Golubchik