Details
Bug
Status: Closed
Major
Resolution: Fixed
6.4.3
None
Description
Scenario:
- TLS setup with a root CA certificate, an intermediate CA, and actual certificates signed by the intermediate
- ca-bundle-cert.pem file contains both the intermediate and the root CA
- same OS and OpenSSL version, same certificate files, same MariaDB and MaxScale configuration, only the MaxScale version differs
- MaxScale listener configured using:

[Read-Write-Listener]
type=listener
service=Read-Write-Service
protocol=MariaDBClient
port=4006
ssl=true
ssl_ca_cert=/vagrant/files/ssl/ca-bundle-cert.pem
ssl_cert=/vagrant/files/ssl/maxscale-cert.pem
ssl_key=/vagrant/files/ssl/maxscale-key.pem

Testing the TLS connect dialog with:

openssl s_client -starttls mysql --connect=127.0.0.1:4006 --CAfile=/vagrant/files/ssl/ca-bundle-cert.pem
With 6.2.1 it correctly shows the certificate chain:

depth=2 C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-root.example.org
verify return:1
depth=1 C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-intermediate.example.org
verify return:1
depth=0 C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = client.example.org
verify return:1
---
Certificate chain
 0 s:C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = client.example.org
   i:C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-intermediate.example.org
 1 s:C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-intermediate.example.org
   i:C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-root.example.org
 2 s:C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-root.example.org
   i:C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-root.example.org
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
With 6.4.3, on the other hand, the "Certificate chain" section only shows the MaxScale certificate and not the full certification chain:

CONNECTED(00000005)
depth=2 C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-root.example.org
verify return:1
depth=1 C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-intermediate.example.org
verify return:1
depth=0 C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = client.example.org
verify return:1
---
Certificate chain
 0 s:C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = client.example.org
   i:C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-intermediate.example.org
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
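The two s_client transcripts in the report differ only in the "Certificate chain" section. In both, every depth reports verify return:1, because the client's CAfile contains the intermediate as well as the root, so s_client can complete the path from its own trust store even when the server sends only its leaf certificate. A client that trusts only the root CA would fail verification against the 6.4.3 listener. The script below is an added example, not code from the Jira issue or from the MaxScale project: it parses s_client output and checks that the number of certificates the server actually presented covers every link of the verified path below the root (the root itself may legitimately be omitted). The two sample transcripts are constructed, abbreviated versions of the output quoted in the report, and check_live_listener is a hypothetical wrapper that applies the same check to a running listener.

```shell
#!/bin/sh
# Added example, not code from the MaxScale issue or project. Parses the text
# that `openssl s_client` prints and checks whether the server presented its
# full chain (leaf plus intermediates) or only the leaf certificate.

# Constructed sample: abbreviated 6.2.1-style transcript, server sends 3 certs.
sample_full_chain() {
    cat <<'EOF'
CONNECTED(00000005)
depth=2 CN = ca-root.example.org
verify return:1
depth=1 CN = ca-intermediate.example.org
verify return:1
depth=0 CN = client.example.org
verify return:1
---
Certificate chain
 0 s:CN = client.example.org
   i:CN = ca-intermediate.example.org
 1 s:CN = ca-intermediate.example.org
   i:CN = ca-root.example.org
 2 s:CN = ca-root.example.org
   i:CN = ca-root.example.org
---
Server certificate
EOF
}

# Constructed sample: abbreviated 6.4.3-style transcript, server sends only the leaf.
sample_leaf_only() {
    cat <<'EOF'
CONNECTED(00000005)
depth=2 CN = ca-root.example.org
verify return:1
depth=1 CN = ca-intermediate.example.org
verify return:1
depth=0 CN = client.example.org
verify return:1
---
Certificate chain
 0 s:CN = client.example.org
   i:CN = ca-intermediate.example.org
---
Server certificate
EOF
}

# count_presented_certs: number of "N s:" entries inside the
# "Certificate chain" section of s_client output read from stdin.
count_presented_certs() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---/ { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { n++ }
        END { print n + 0 }
    '
}

# verified_path_length: highest "depth=N" the verifier reported plus one,
# i.e. the number of certificates from the leaf up to the trust anchor.
verified_path_length() {
    awk '
        /^depth=/ { split($1, a, "="); if (a[2] + 0 > d) d = a[2] + 0 }
        END { print d + 1 }
    '
}

# chain_is_complete: exit 0 if the server presented every certificate below
# the root (the root itself may be omitted), else exit 1. Reads stdin.
chain_is_complete() {
    transcript=$(cat)
    presented=$(printf '%s\n' "$transcript" | count_presented_certs)
    pathlen=$(printf '%s\n' "$transcript" | verified_path_length)
    [ "$presented" -ge $((pathlen - 1)) ]
}

# check_live_listener HOST:PORT CAFILE -- hypothetical wrapper, not run here:
# applies the same check to a running MariaDB/MaxScale listener via STARTTLS.
check_live_listener() {
    openssl s_client -starttls mysql -connect "$1" -CAfile "$2" </dev/null 2>/dev/null |
        chain_is_complete
}

for sample in sample_full_chain sample_leaf_only; do
    if "$sample" | chain_is_complete; then
        echo "$sample: server presented leaf and intermediate(s)"
    else
        echo "$sample: server presented the leaf only; clients trusting just the root will fail verification"
    fi
done
```

The threshold is path length minus one rather than the full path length because TLS servers are allowed to omit the self-signed root; what must never be missing is the intermediate, which is exactly what the 6.4.3 transcript lacks. To reproduce the failure a real client would see, run the same s_client command with a CAfile containing only the root certificate.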
Issue Links
is duplicated by: MXS-4455 wireshark doesn't show full chain of CA when connected via maxscale vs connecting directly to the db (Closed)