MariaDB MaxScale / MXS-4198

MaxScale fails to validate its own certificate when the chain of trust is unknown to OpenSSL


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.2.4
    • Fix Version/s: 2.5.22, 6.4.2
    • Component/s: Core
    • Labels: None

    Description

      When a listener is created with encryption enabled, MaxScale may load extended authentication options from external files: a certificate, its key and a chain of trust. The chain of trust is provided to allow the verification of certificates issued by authorities that are not known to the underlying encryption layer (e.g., an authority whose chain of trust is unknown to OpenSSL).

      During this process there are two errors:

      First, MaxScale tries to verify its own server certificate. This is useless, because this certificate will be presented to the client, which should verify it (if desired). What is important for MaxScale is to be able to verify clients' certificates, not its own. Hence the below check is wrong, because the context that is passed to SSL_CTX_build_cert_chain() is the one with MaxScale's own certificate (the previous check, calling SSL_CTX_check_private_key() for a match between the certificate and the key, is OK and should remain).

      https://github.com/mariadb-corporation/MaxScale/blob/68800753d4b540ecedb5aefb012805d1a974f31c/server/core/ssl.cc#L217

      Second, if the CA used to issue the MaxScale certificate is unknown to OpenSSL, it will produce an error - even if the appropriate CA chain of trust is loaded by MaxScale from the provided file. There is even a vain attempt to handle this, converting the error to a notice (which is still wrong, because MaxScale does have the proper chain of trust, but OpenSSL does not):

      https://github.com/mariadb-corporation/MaxScale/blob/68800753d4b540ecedb5aefb012805d1a974f31c/server/core/ssl.cc#L222

      I see a few ways out of this:

      • Completely remove the call to SSL_CTX_build_cert_chain(), as it is wrong to do this in this place for the context specified.
      • Alternatively, make sure OpenSSL is passed the CA chain of trust that MaxScale has loaded so that the validation does succeed.

      PoC:

      • Generate a self-signed CA certificate and key.
      • Generate a CSR for a new certificate.
      • Sign the certificate with the CA.
      • Manually validate the certificate with the CA:

      [root@a1w1 assen.totin]# cd /etc/test/
      [root@a1w1 assen.totin]# ls -l
      total 12
      -rw-r--r--. 1 root root 2065 Jul 1 13:28 ca.pem
      -rw-r--r--. 1 root root 1939 Jul 1 13:28 certificate.pem
      -rw-r--r--. 1 root root 3272 Jul 1 13:28 key.pem
      [root@a1w1 test]# openssl verify -CAfile ca.pem certificate.pem
      certificate.pem: OK

      • Use maxctrl to create a listener with encryption enabled and the certificate, key and chain of trust loaded:

      maxctrl create listener service-3 listener-3 20003 --interface=172.20.2.41 --protocol=mariadbclient ssl=true ssl_cert=/etc/test/certificate.pem ssl_key=/etc/test/key.pem ssl_ca_cert=/etc/test/ca.pem

      • Observe the notice printed to MaxScale error log:

      2022-07-08 13:07:58 notice : (listener-3); OpenSSL reported problems in the certificate chain: error:1414C086:SSL routines:ssl_build_cert_chain:certificate verify failed. This is expected for certificates that do not contain the whole certificate chain.
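The PoC above, reproduced end to end with the openssl CLI as an added example (not part of the report or of MaxScale): a private CA unknown to OpenSSL's default store signs a server certificate; the key/certificate match check passes, verification against the CA file passes, and verification against the default store alone fails, which is the situation SSL_CTX_build_cert_chain() ends up in when MaxScale does not hand it the loaded chain. Subject names and file names are constructed for the example.

```shell
#!/bin/sh
# Added example for MXS-4198; not MaxScale code. Uses only the openssl CLI.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# PoC step 1: self-signed CA certificate and key (constructed names).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test CA" \
        -keyout "$WORK/ca-key.pem" -out "$WORK/ca.pem" 2>/dev/null
}

# PoC steps 2 and 3: CSR for the server certificate, then sign it with the CA.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=maxscale.example" \
        -keyout "$WORK/key.pem" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
        -out "$WORK/certificate.pem" 2>/dev/null
}

# The check the report says should stay: does the key match the certificate?
# (CLI analogue of SSL_CTX_check_private_key(): compare the public keys.)
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$WORK/certificate.pem")" = \
      "$(openssl pkey -pubout -in "$WORK/key.pem")" ]
}

# PoC step 4: verification with the chain of trust MaxScale loaded (ssl_ca_cert).
verify_with_ca() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/certificate.pem" >/dev/null 2>&1
}

# Verification against OpenSSL's default trust store only, i.e. without the
# CA file: this is what fails inside ssl_build_cert_chain in the log line above.
verify_default_store() {
    openssl verify "$WORK/certificate.pem" >/dev/null 2>&1
}

make_ca
make_server_cert
key_matches_cert && echo "key matches certificate: OK"
verify_with_ca && echo "verify with CA file: OK"
verify_default_store || echo "verify with default store only: FAILED (issuer unknown to OpenSSL)"
```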

      People

        Assignee: markus makela
        Reporter: assen.totin Assen Totin (Inactive)