[MDEV-33592] Self-signed certificates are x509 Version 1, which are rejected by some TLS libraries - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 11.4.1, 11.4.0
Fix Version/s: 11.4.2
Component/s: Server
Labels:
None

Description

It appears that self-signed certificate generation does not set the x509 version and thus the certificate is defaulting to x509 version 1 (see "Notes").

This is a problem because some TLS client libraries do not accept x509 version 1 due to how outdated it is. For example, RusTLS, a TLS client and server library for Rust, only accepts x509 version 3.

This is causing our SQL client library, SQLx, to fail to connect to MariaDB on the verylatest tag, even with server certificate verification disabled, because it still needs to parse the certificate to complete the handshake.

Fixing this should be as simple as adding X509_set_version(x509, X509_VERSION_3); to vio_gencert().

Attachments

Issue Links

is caused by

MDEV-31856 use ephemeral ssl certificates

Closed

links to

sqlx issue 3091

Activity

Transition	Time In Source Status	Execution Times

Daniel Black made transition - 2024-03-05 03:54

Open

Confirmed

38m 32s

Daniel Black made transition - 2024-03-05 03:54

Confirmed

In Review

21s

Daniel Black made transition - 2024-04-15 10:48

In Review

Closed

41d 6h 53m

People

Assignee:: Sergei Golubchik

Reporter:: Austin Bonander

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2024-03-05 03:16

Updated:: 2024-04-15 10:48

Resolved:: 2024-04-15 10:48

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server