Details
- Type: Bug
- Status: Closed
- Priority: Blocker
- Resolution: Fixed
- Fix Version/s: 11.4.1, 11.4.0
- None
Description
It appears that self-signed certificate generation does not set the x509 version and thus the certificate is defaulting to x509 version 1 (see "Notes").
This is a problem because some TLS client libraries do not accept x509 version 1 due to how outdated it is. For example, RusTLS, a TLS client and server library for Rust, only accepts x509 version 3.
This is causing our SQL client library, SQLx, to fail to connect to MariaDB on the `verylatest` tag, even with server certificate verification disabled, because it still needs to parse the certificate to complete the handshake.
Fixing this should be as simple as adding `X509_set_version(x509, X509_VERSION_3);` to `vio_gencert()`.
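To make the defect concrete, here is an added example (not MariaDB code and not the reporter's) that reads the version field out of a DER-encoded certificate the way a strict client has to before it can finish the handshake. In RFC 5280 the `version` field of `tbsCertificate` is `[0] EXPLICIT ... DEFAULT v1`, so a generator that never calls `X509_set_version` emits no version element at all and the certificate is v1 by default, while `X509_set_version(x509, X509_VERSION_3)` writes `[0] { INTEGER 2 }`. The parser below works on any real DER certificate (the `version_of_pem` helper converts PEM with the standard-library `ssl.PEM_cert_to_DER_cert`); `build_synthetic_cert` and `v3_only_client_accepts` are illustrative helpers of my own that build an unsigned certificate-shaped skeleton for the two cases and model a v3-only client.

```python
"""Check which X.509 version a DER certificate claims (added example)."""
import ssl  # only used by version_of_pem to convert a real PEM certificate
from typing import Optional, Tuple


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one DER tag-length-value at buf[pos] (single-byte tags only).

    Returns (tag, content, position after the element) and handles both the
    short (< 128) and long-form length encodings.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = byte count
        n_bytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n_bytes], "big")
        pos += n_bytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def x509_version(cert_der: bytes) -> int:
    """Return the version number (1, 2 or 3) a certificate claims.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { version [0] EXPLICIT
    Version DEFAULT v1, serialNumber INTEGER, ... }, ... }.  DER requires a
    DEFAULT value to be omitted, so an absent [0] element is exactly the v1
    certificate the report describes.
    """
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    first_tag, first, _ = _read_tlv(tbs, 0)
    if first_tag != 0xA0:                  # [0] EXPLICIT missing -> v1
        return 1
    inner_tag, inner, _ = _read_tlv(first, 0)
    if inner_tag != 0x02:
        raise ValueError("version wrapper does not contain an INTEGER")
    # On the wire v1=0, v2=1, v3=2; OpenSSL's X509_VERSION_3 is that value 2.
    return int.from_bytes(inner, "big") + 1


def v3_only_client_accepts(cert_der: bytes) -> bool:
    """Model (assumption) of a strict client that parses only v3 certificates."""
    return x509_version(cert_der) == 3


def version_of_pem(pem_text: str) -> int:
    """Convenience for a real certificate pasted as PEM (stdlib conversion)."""
    return x509_version(ssl.PEM_cert_to_DER_cert(pem_text))


# --- constructed test input: a structural skeleton, not a valid certificate ---

def _tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER element, choosing the short or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + content


def build_synthetic_cert(version: Optional[int]) -> bytes:
    """Build a certificate-shaped DER blob (constructed, unsigned, for tests).

    version=None omits the [0] field, which is what a generator produces when
    it never calls X509_set_version; version=3 writes [0] { INTEGER 2 }.  The
    other tbsCertificate fields are stand-ins; a 200-byte OCTET STRING pads
    the structure so the long-form length path is exercised as well.
    """
    tbs_fields = b""
    if version is not None:
        tbs_fields += _tlv(0xA0, _tlv(0x02, bytes([version - 1])))
    tbs_fields += _tlv(0x02, b"\x01")          # serialNumber placeholder
    tbs_fields += _tlv(0x30, b"")              # signature AlgorithmIdentifier placeholder
    tbs_fields += _tlv(0x04, b"\x00" * 200)    # padding standing in for issuer/validity/...
    tbs = _tlv(0x30, tbs_fields)
    sig_alg = _tlv(0x30, b"")                  # signatureAlgorithm placeholder
    sig_value = _tlv(0x03, b"\x00")            # empty BIT STRING, no real signature
    return _tlv(0x30, tbs + sig_alg + sig_value)


if __name__ == "__main__":
    for label, cert in (("no X509_set_version call", build_synthetic_cert(None)),
                        ("X509_set_version(..., X509_VERSION_3)", build_synthetic_cert(3))):
        v = x509_version(cert)
        print(f"{label}: X.509 v{v}; v3-only client accepts: {v3_only_client_accepts(cert)}")
```

Run against a server's real certificate (for example one dumped with `openssl s_client` and passed to `version_of_pem`), the check tells you before any client library is involved whether the certificate carries an explicit v3 marker; a result of 1 is the symptom this report describes.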
Attachments
Issue Links
- is caused by MDEV-31856 use ephemeral ssl certificates (Closed)
- links to
Activity
Field | Original Value | New Value |
---|---|---|
Link | This issue is caused by |
Description | It appears that [self-signed certificate generation does not set the x509 version](https://github.com/MariaDB/server/blob/mariadb-11.4.1/vio/viosslfactories.c#L120) and thus the certificate is [defaulting to x509 version 1](https://www.openssl.org/docs/man3.2/man3/X509_set_version.html). This is a problem because some TLS client libraries do not accept x509 version 1 due to how outdated it is. For example, RusTLS, a TLS client and server library for Rust, [only accepts x509 version 3](https://github.com/rustls/webpki/issues/29#issuecomment-1453783741). This is causing our SQL client library, SQLx, to [fail to connect to MariaDB on the `verylatest` tag](https://github.com/launchbadge/sqlx/actions/runs/8149156874/job/22273413421#step:9:354), even with server certificate verification disabled, because it still needs to parse the certificate to complete the handshake. Fixing this should be as simple as adding `X509_set_version(x509, X509_VERSION_3);` to `vio_gencert()`. | It appears that [self-signed certificate generation does not set the x509 version](https://github.com/MariaDB/server/blob/mariadb-11.4.1/vio/viosslfactories.c#L120) and thus the certificate is [defaulting to x509 version 1](https://www.openssl.org/docs/man3.2/man3/X509_set_version.html) (see "Notes"). This is a problem because some TLS client libraries do not accept x509 version 1 due to how outdated it is. For example, RusTLS, a TLS client and server library for Rust, [only accepts x509 version 3](https://github.com/rustls/webpki/issues/29#issuecomment-1453783741). This is causing our SQL client library, SQLx, to [fail to connect to MariaDB on the `verylatest` tag](https://github.com/launchbadge/sqlx/actions/runs/8149156874/job/22273413421#step:9:354), even with server certificate verification disabled, because it still needs to parse the certificate to complete the handshake. Fixing this should be as simple as adding `X509_set_version(x509, X509_VERSION_3);` to `vio_gencert()`. |
Fix Version/s | 11.4 [ 29301 ] |
Status | Open [ 1 ] | Confirmed [ 10101 ] |
Priority | Minor [ 4 ] | Critical [ 2 ] |
Assignee | Daniel Black [ danblack ] |
Assignee | Daniel Black [ danblack ] | Sergei Golubchik [ serg ] |
Status | Confirmed [ 10101 ] | In Review [ 10002 ] |
Remote Link | This issue links to "sqlx issue 3091 (Web Link)" [ 36640 ] |
Assignee | Sergei Golubchik [ serg ] | Daniel Black [ danblack ] |
Assignee | Daniel Black [ danblack ] | Sergei Golubchik [ serg ] |
Priority | Critical [ 2 ] | Blocker [ 1 ] |
Fix Version/s | 11.4.2 [ 29633 ] | |
Fix Version/s | 11.4 [ 29301 ] | |
Resolution | Fixed [ 1 ] | |
Status | In Review [ 10002 ] | Closed [ 6 ] |
Thanks for the bug report, suggested fix, and testing pre-GA releases.
https://github.com/MariaDB/server/pull/3101
A few things to work out - OpenSSL 1.1.1 compat added.