  1. MariaDB Server
  2. MDEV-5198

SSL connection inconsistency between Linux and Windows XP

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Incomplete
    • Affects Version/s: 5.5.33a
    • Fix Version/s: None
    • Component/s: None
    • Labels:
    • Environment:
      Linux 3.5.2 and Windows XP

      Description

      Summary: you can connect to the server from a Linux box with the CA public key but not from an XP box using the same certs.

      I generated these certs with TinyCA and exported the client and server certs with both the cert and key in one file. These files end with both.pem. The separate cert and key files end with cert.pem and key.pem respectively.

      The Server set up:

      mysqld -V
      mysqld  Ver 5.5.33a-MariaDB-1~squeeze-log for debian-linux-gnu on i686 (mariadb.org binary distribution)

      my.cnf Excerpt:

      # For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
      #
      # ssl
      ssl-ca=/etc/mysql/ssl/CA-cert.pem
      ssl-cert=/etc/mysql/ssl/mysqld.something.else-both.pem

      If you verify the keys with openssl they are fine:

      openssl verify -CAfile CA-cert.pem client-cert.pem mysqld.something.else-both.pem
      client-cert.pem: OK
      mysqld.something.else-both.pem: OK

      In another bug report you ask for examples of it not working when it passes this test; Here ya go.

      On the Linux client machine everything just works:

      mysql -V
      mysql  Ver 15.1 Distrib 5.5.33a-MariaDB, for debian-linux-gnu (i686) using readline 5.1
       
      mysql -h eugeneweb.com --ssl-ca=CA-cert.pem --ssl-cert=client-both.pem
       
      mysql -h eugeneweb.com --ssl-ca=CA-cert.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem
       
      mysql -h eugeneweb.com --ssl-ca=CA-cert.pem
       
      mysql -h eugeneweb.com --ssl-cert=client-both.pem
       
      mysql -h eugeneweb.com --ssl-cert=client-cert.pem --ssl-key=client-key.pem

      All these connections were tested for SSL like so:

      MariaDB [(none)]> show status like 'Ssl_cipher';
      +---------------+--------------------+
      | Variable_name | Value              |
      +---------------+--------------------+
      | Ssl_cipher    | DHE-RSA-AES256-SHA |
      +---------------+--------------------+
      1 row in set (0.03 sec)

      Windows XP:

      Windows does not work as expected, unless you expect it not to work.

      mysql -V
      MYSQL  Ver 15.1 Distrib 5.5.33a-MariaDB, for Win32 (x86)
       
      mysql -h eugeneweb.com --ssl-ca=CA-cert.pem --ssl-cert=client-both.pem
      ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation
       
      mysql -h eugeneweb.com --ssl-ca=CA-cert.pem
      ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation
       
      mysql -h eugeneweb.com --ssl-cert=client-both.pem

      Works.

      mysql -h eugeneweb.com --ssl-cert=client-cert.pem --ssl-key=client-key.pem

      Works

      mysql -h eugeneweb.com --ssl-ca=CA-cert.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem
      ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation

      Thanks for any light you can shed on this.

      Clif

            People

            Assignee:
            elenst Elena Stepanova
            Reporter:
            clif Clif Cox (Inactive)