Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • 11.3.0
    • N/A
    • SSL
    • None

    Description

      Since MDEV-31855, ephemeral certificates can be issued by the server.
      The issue is that the DN is empty, and that isn't permitted according to RFC 5280 (https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.4):

      The issuer field identifies the entity that has signed and issued the
      certificate. The issuer field MUST contain a non-empty distinguished
      name (DN).

      Another problem is that Java doesn't permit an empty DN in certificates. The resulting certificate parsing throws an error:

      Caused by: java.security.cert.CertificateParsingException: Empty issuer DN not allowed in X509Certificates
      	at java.base/sun.security.x509.X509CertInfo.parse(X509CertInfo.java:656)
      	at java.base/sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
      	at java.base/sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1819)
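
      An added example, not part of the original report or of MariaDB's code: a standard-library Python check that walks a DER-encoded certificate to the issuer field and reports whether its DN is empty, the condition RFC 5280 section 4.1.2.4 forbids and that the Java parser above rejects. The function names and the unsigned skeleton built by `sample_cert` are constructed for illustration.

```python
def der(tag, *parts):
    """Encode one DER TLV; used only to build the constructed samples."""
    body = b"".join(parts)
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long-form length, up to 4 bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def issuer_dn_is_empty(cert_der):
    """True if the issuer Name holds no RDNs (forbidden by RFC 5280 4.1.2.4)."""
    pos = 0
    for _ in range(2):                     # Certificate, then tbsCertificate
        tag, pos, _end = read_tlv(cert_der, pos)
        if tag != 0x30:
            raise ValueError("expected SEQUENCE, got 0x%02x" % tag)
    tag, _start, after = read_tlv(cert_der, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        pos = after
    for expected in (0x02, 0x30):          # serialNumber, signature algorithm
        tag, _start, pos = read_tlv(cert_der, pos)
        if tag != expected:
            raise ValueError("unexpected tag 0x%02x" % tag)
    tag, start, end = read_tlv(cert_der, pos)   # issuer Name
    if tag != 0x30:
        raise ValueError("issuer is not a SEQUENCE")
    return start == end

def sample_cert(issuer):
    """Constructed, unsigned skeleton; TBS fields after issuer are omitted."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")), der(0x05))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), alg, issuer)
    return der(0x30, tbs, alg, der(0x03, b"\x00"))
```

      To check a real certificate, convert it to DER first (for PEM input, `ssl.PEM_cert_to_DER_cert` from the standard library does this) and pass the bytes to `issuer_dn_is_empty`.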
      

          Activity

            diego dupin Diego Dupin created issue -
            serg Sergei Golubchik made changes -
            Priority Major [ 3 ] Critical [ 2 ]
            serg Sergei Golubchik made changes -
            serg Sergei Golubchik made changes -
            Component/s SSL [ 10112 ]
            Fix Version/s 11.3 [ 28565 ]
            serg Sergei Golubchik made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            serg Sergei Golubchik made changes -
            Status In Progress [ 3 ] Stalled [ 10000 ]
            serg Sergei Golubchik made changes -
            Status Stalled [ 10000 ] In Testing [ 10301 ]

            serg Sergei Golubchik added a comment - thanks! pushed into bb-11.3-serg
            serg Sergei Golubchik made changes -
            Fix Version/s 11.4 [ 29301 ]
            Fix Version/s 11.3 [ 28565 ]
            serg Sergei Golubchik made changes -
            Fix Version/s N/A [ 14700 ]
            Fix Version/s 11.4 [ 29301 ]
            Resolution Fixed [ 1 ]
            Status In Testing [ 10301 ] Closed [ 6 ]

            People

              serg Sergei Golubchik
              diego dupin Diego Dupin