For UNIX socket connection we suggest this fix, https://github.com/mariadb-corporation/mariadb-connector-c/pull/251

Disabling TLS for unix sockets in general is not a good idea:

• Users which were created with REQUIRE SSL/X509 will not be able to connect anymore via unix_socket
• It will break most test environments (including our own) where client and server are running on the same machine

Some questions about your configuration/environment:

• Which operating system do you use (client and server) ?
• Which command line client/application (and version) do you use? The command line client of 11.4.3 (and Connector/C 3.4.1) should return another (more verbosed) error message

We have *.mysql.zonevs.eu certificate with custom Linux.

d83991.mysql.zonevs.eu resolves to 127.0.0.1 (this is in /etc/hosts file)

:~> openssl s_client -connect d83991.mysql.zonevs.eu:3306 -starttls mysql | head -10

depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority

verify return:1

depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA

verify return:1

depth=0 CN = *.mysql.zonevs.eu

verify return:1

CONNECTED(00000003)

---

Certificate chain

 0 s:CN = *.mysql.zonevs.eu

   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA

 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA

   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority

 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority

   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority

---

Problem is:
This works:

:~> mariadb -h d83991.mysql.zonevs.eu

Welcome to the MariaDB monitor.  Commands end with ; or \g.

Your MariaDB connection id is 150261

Server version: 11.4.3-MariaDB-log Source distribution

This does not:

:~> mariadb -S /run/mysql/mysqld.socket

ERROR 2026 (HY000): TLS/SSL error: Hostname verification failed

:~> mariadb --version

mariadb from 11.4.3-MariaDB, client 15.2 for Linux (x86_64) using  EditLine wrapper

So there's another fix assumed. As I was told in CONC-712 currently connector would ignore TLS error for socket connection in case CA is not trusted.
However, in case CA for the certificates is trusted but certificate subject does not contain localhost it will trigger "Hostname verification" (as you provide in the output), which will be raised instead of being suppressed/ignored.

So I assume the expected fix here is to add extra exception to the list of ignored ones for the socket connection. But I can be wrong

the current idea is to not validate the hostname when we know that the connection is not MitM-able, such as over unix socket.

The main question here is why use TLS by default at all for connections that are not MitM-able? It's not only that it is useless, it adds overhead for which I can't see any justification. And then those endless if-s in the code to ignore errors to get it working?
I would argue, that most of the people do not want TLS overhead when using UNIX socket and need to start explicitly disabling it in the configuration. Why?

The only reason I can think of is to not break existing applications that use

CREATE USER ... REQUIRE { SSL | X509 | CIPHER 'cipher' | ISSUER 'issuer' | SUBJECT 'subject'

And because TLS is established before the user name is known, the server cannot force TLS only for those users that REQUIRE it.

On the other hand, the server can ignore REQUIRE SSL and REQUIRE X509 over a secure connection, just pretend it's satisfied. May be REQUIRE CIPHER too (this is questionable).

And REQUIRE ISSUER and REQUIRE SUBJECT check the client side certificate. So the client only needs to establish TLS if it has a certificate or a connection is potentially MitM-able.

I've done some more tests and it seems my assumption, that TLS over UNIX socket is a new thing in 11.4, was wrong. Even earlier MariaDB versions are using TLS over UNIX socket, when `ssl_key`, `ssl_cert` and `ssl_ca` configuration is used, with an exception that server certificate is not verified by default.

This indeed makes it possible that there are existing applications, which were successfully using `REQUIRE SSL` while connecting through UNIX socket and disabling TLS altogether (like my PR) would break them.

In that sense, I understand, that not checking TLS hostname for non-MitM-able connections is probably the easiest and safest fix.

I'm not sure about making UNIX socket satisfy `REQUIRE SSL`. For me it would be enough to have a way to disable TLS over UNIX socket by default (without extra command-line options) and keep living my simple life with local connections and no `REQUIRE SSL`-s. I still like the idea of having TLS over TCP/IP by default, so I don't want to disable that.

Since the current implementation of Connector/C 3.4 accepts self signed certificates for local connections which are considered secure (unix socket, 127.0.0.1, ::1) we should disable hostname verification for these connections too.

Other checks such as revocation or time period validity checks should still be performed for secure connections

Folks, I don't want to disappoint you, but it seems there's still issue left, now I can see it only in mariabackup only in 11.4.4. I've created a separate bug report for it: MDEV-35368