Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-31855

validate ssl certificates using client password




      This needs a change in the client auth plugin API

      • client authentication plugins to get a new method hash_password(), the same as in the server plugin

      The new authentication will work like this

      Client side, when sending client reply packet:

      • If SSL is used, and --ssl-verify-server-cert is in force, but
      • no --ssl-ca or --ssl-fingerprint is in force, and
      • the certificate failed validation as self-signed, and
      • client authentication plugin doesn't have hash_password() method, and
      • the non-empty password was provided, then
      • disconnect, otherwise
      • continue (let's call it late certificate validation mode)

      Server side, when sending the OK packet after successful authentication:

      • if SSL is used, and
      • the certificate is ephemeral (after MDEV-31856), and
      • the account has non-empty password, then
      • calculate SHA2(user's hashed password, scramble, certificate fingerprint), and
      • put it in the OK's info field, prefixed by byte 0x01

      Client side, when receiving OK packet:

      • if in the late certificate validation mode, then
      • use hash_password() callback, calculate SHA2(user's hashed password, scramble, certificate fingerprint), compare


      • client plugin versions and the API version have to be incremented
      • the server doesn't know if the client is in the late password validation mode, so it might do some unnecessary work just in case
        • this could be fixed by a new capability bit, or
        • just live with potential unnecessary work on connect — it is assumed that in overwhelming majority of the cases this work will be necessary (almost all setups will use this mode)


        Issue Links



              serg Sergei Golubchik
              serg Sergei Golubchik
              0 Vote for this issue
              7 Start watching this issue



                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.