Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 5.5(EOL), 10.0(EOL)
Description
The SSL hostname verification code currently fails to validate server certificates with a long Subject DN. This is due to a fixed-size buffer in the ssl_verify_server_cert function in sql-common/client.c. While this buffer length is adequate for most certificates, it is not long enough to handle the extra attributes in the Subject of EV certificates, for example:

/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=2158113/C=US/postalCode=94043/ST=California/L=Mountain View/street=350 Ellis Street/O=Symantec Corporation/OU=Cloud Platform Engineering/CN=iaasdb.dvt2.symcpe.net

The above Subject is 276 characters long and the CN at the end gets truncated by the static buffer size, thus the function returns a verification failure error.
$ mysql --ssl-ca=ca.pem --ssl-verify-server-cert -h iaasdb.dvt2.symcpe.net -u dbuser -p
Enter password:
ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure
I have attached a patch that expands the buffer from 256 bytes to 1024 bytes, which will resolve the issue for all but the longest of certificate Subjects. The present method for finding the CommonName is a bad way to do things and should be overhauled, but fixing that issue is outside of the scope of this bug.
I am currently using the CentOS 7 packaged client which is version 5.5.41, but I have looked through the GitHub repository and the issue seems to exist in all current versions. The patch is based on the 5.5.42 source.
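As an added illustration (not the reporter's patch and not MariaDB's code), the C program below emulates the fixed-buffer CommonName check described above. OpenSSL's X509_NAME_oneline() is replaced by a plain string copy that truncates the same way (at most len-1 bytes, always NUL-terminated), so it builds without OpenSSL; the subject string is the report's EV subject joined into one line, and the short subject, the function names and the 1024-byte variant are assumptions made for the demonstration. It shows the 276-character subject failing with a 256-byte buffer, passing with 1024 bytes, and passing under a length-independent scan of the full subject.

```c
/* Added example, not the reporter's patch or MariaDB's code: emulates the
 * fixed-buffer CommonName check described in the report. X509_NAME_oneline()
 * is replaced by a plain string copy that truncates the same way (at most
 * len-1 bytes, always NUL-terminated), so this builds without OpenSSL. */
#include <stdio.h>
#include <string.h>

/* Constructed sample: the EV subject from the report, joined into one line. */
static const char LONG_SUBJECT[] =
    "/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware"
    "/businessCategory=Private Organization/serialNumber=2158113"
    "/C=US/postalCode=94043/ST=California/L=Mountain View"
    "/street=350 Ellis Street/O=Symantec Corporation"
    "/OU=Cloud Platform Engineering/CN=iaasdb.dvt2.symcpe.net";

/* Constructed sample: a short subject of the kind a 256-byte buffer handles. */
static const char SHORT_SUBJECT[] = "/C=US/O=Example/CN=db.example.test";

size_t subject_len(void) { return strlen(LONG_SUBJECT); }

/* Stand-in for X509_NAME_oneline(name, buf, len): copies at most len-1
 * bytes and NUL-terminates, silently dropping the tail of a long subject. */
static void oneline_into(const char *subject, char *buf, size_t len)
{
    strncpy(buf, subject, len - 1);
    buf[len - 1] = '\0';
}

/* The strstr("/CN=") lookup over a buffer of bufsize bytes (256 in the
 * affected client, 1024 with the attached patch). Returns 0 on a match and
 * 1 on failure, the same convention as ssl_verify_server_cert. */
int verify_cn_oneline(const char *subject, const char *hostname, size_t bufsize)
{
    char buf[1024];
    char *cp1, *cp2;

    if (bufsize > sizeof(buf))
        bufsize = sizeof(buf);
    oneline_into(subject, buf, bufsize);

    cp1 = strstr(buf, "/CN=");
    if (cp1) {
        cp1 += 4;                    /* skip "/CN=" */
        cp2 = strchr(cp1, '/');      /* cut at the next attribute, if any */
        if (cp2)
            *cp2 = '\0';
        if (strcmp(cp1, hostname) == 0)
            return 0;                /* a truncated CN compares unequal here */
    }
    return 1;
}

/* Length-independent lookup: walks the full subject string instead of a
 * fixed copy, and compares by length so a cut-off value can never match.
 * (The real remedy is to ask OpenSSL for the commonName entry itself, e.g.
 * X509_NAME_get_text_by_NID(), rather than parsing oneline output; that is
 * outside what this dependency-free emulation can show.) */
int verify_cn_scan(const char *subject, const char *hostname)
{
    const char *p = subject;
    size_t hlen = strlen(hostname);

    while ((p = strstr(p, "/CN=")) != NULL) {
        const char *val = p + 4;
        const char *end = strchr(val, '/');
        size_t vlen = end ? (size_t)(end - val) : strlen(val);

        if (vlen == hlen && memcmp(val, hostname, hlen) == 0)
            return 0;
        p = val;
    }
    return 1;
}

int main(void)
{
    const char *host = "iaasdb.dvt2.symcpe.net";
    printf("subject length:   %zu\n", subject_len());
    printf("256-byte buffer:  %s\n", verify_cn_oneline(LONG_SUBJECT, host, 256) ? "validation failure" : "ok");
    printf("1024-byte buffer: %s\n", verify_cn_oneline(LONG_SUBJECT, host, 1024) ? "validation failure" : "ok");
    printf("full-string scan: %s\n", verify_cn_scan(LONG_SUBJECT, host) ? "validation failure" : "ok");
    return 0;
}
```

The 256-byte case fails because only the first five bytes of "/CN=iaasdb.dvt2.symcpe.net" survive the copy, so the extracted CN is the single character "i". The scan variant removes the buffer limit but still relies on the "/CN=" text pattern; a real fix should pull the commonName entry from the X509_NAME directly, as the report itself notes.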