Details
-
Bug
-
Status: Closed (View Workflow)
-
Minor
-
Resolution: Fixed
-
2.5.17, 6.1.4, 6.2.0
-
None
-
MXS-SPRINT-152
Description
When having certificates with extendedKeyUsage extension set we need the clientAuth (aka TLS Web Client Authentication) set on certificates used in type=server sections, and serverAuth for those in type=listener sections.
We now already had at least two cases where users used a certificate that only had either the server or client auth purpose flag set for both server and listener entries as they either thought "Maxscale is a server" or opposite "Maxscale is not a server".
Right now this only leads to problems at actual connect time. When only the serverAuth flag is set it becomes clear what's wrong pretty quick as the monitor will already run into "unsupported cert purpose" right after startup on trying to connect to backend servers.
Listeners will start up just fine though with a certificate that only has the clientAuth purpose set, and the problem only becomes apparent when actual clients try to connect and TLS handshake fails with "unsupported cert purpose" upon receiving and verifying the server certificate.
Would be nice if maxscale would check the listner certificate(s) right on router startup to check whether the certificate(s) is(are) valid for intended purpose.