  1. MariaDB Server
  2. MDEV-33592

Self-signed certificates are x509 Version 1, which are rejected by some TLS libraries

Details

    • Bug
    • Status: Closed
    • Blocker
    • Resolution: Fixed
    • 11.4.1, 11.4.0
    • 11.4.2
    • Server
    • None

    Description

      It appears that self-signed certificate generation does not set the x509 version and thus the certificate is defaulting to x509 version 1 (see "Notes").

      This is a problem because some TLS client libraries do not accept x509 version 1 due to how outdated it is. For example, RusTLS, a TLS client and server library for Rust, only accepts x509 version 3.

      This is causing our SQL client library, SQLx, to fail to connect to MariaDB on the verylatest tag, even with server certificate verification disabled, because it still needs to parse the certificate to complete the handshake.

      Fixing this should be as simple as adding X509_set_version(x509, X509_VERSION_3); to vio_gencert().

            People

              serg Sergei Golubchik
              abonander Austin Bonander