Uploaded image for project: 'MariaDB MaxScale'
  1. MariaDB MaxScale
  2. MXS-3931

Check certificates with extendedKeyUsage options set for correct purpose flags

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.5.17, 6.1.4, 6.2.0
    • Fix Version/s: 2.5.20, 6.2.3
    • Component/s: Core
    • Labels:
      None
    • Sprint:
      MXS-SPRINT-152

      Description

      When having certificates with extendedKeyUsage extension set we need the clientAuth (aka TLS Web Client Authentication) set on certificates used in type=server sections, and serverAuth for those in type=listener sections.

      We now already had at least two cases where users used a certificate that only had either the server or client auth purpose flag set for both server and listener entries as they either thought "Maxscale is a server" or opposite "Maxscale is not a server".

      Right now this only leads to problems at actual connect time. When only the serverAuth flag is set it becomes clear what's wrong pretty quick as the monitor will already run into "unsupported cert purpose" right after startup on trying to connect to backend servers.

      Listeners will start up just fine though with a certificate that only has the clientAuth purpose set, and the problem only becomes apparent when actual clients try to connect and TLS handshake fails with "unsupported cert purpose" upon receiving and verifying the server certificate.

      Would be nice if maxscale would check the listner certificate(s) right on router startup to check whether the certificate(s) is(are) valid for intended purpose.

        Attachments

          Activity

            People

            Assignee:
            markus makela markus makela
            Reporter:
            hholzgra Hartmut Holzgraefe
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:

                Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.