MariaDB MaxScale / MXS-4450

6.4 no longer provides full certificate chain in TLS HELLO

    Description

      Scenario:

      • TLS setup with a root CA certificate, an intermediate CA, and actual certificates signed by the intermediate
      • ca-bundle-cert.pem file contains both the intermediate and the root CA
      • same OS and OpenSSL version, same certificate files, same MariaDB and MaxScale configuration; only the MaxScale version differs
      • MaxScale listener configured using:

      [Read-Write-Listener]
      type=listener
      service=Read-Write-Service
      protocol=MariaDBClient
      port=4006
      ssl=true
      ssl_ca_cert=/vagrant/files/ssl/ca-bundle-cert.pem
      ssl_cert=/vagrant/files/ssl/maxscale-cert.pem
      ssl_key=/vagrant/files/ssl/maxscale-key.pem

      Testing the TLS connect dialog with:

      openssl s_client -starttls mysql --connect=127.0.0.1:4006 --CAfile=/vagrant/files/ssl/ca-bundle-cert.pem 

      With 6.2.1 it correctly shows the certificate chain:

      depth=2 C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-root.example.org
      verify return:1
      depth=1 C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-intermediate.example.org
      verify return:1
      depth=0 C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = client.example.org
      verify return:1
      ---
      Certificate chain
       0 s:C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = client.example.org
         i:C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-intermediate.example.org
       1 s:C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-intermediate.example.org
         i:C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-root.example.org
       2 s:C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-root.example.org
         i:C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-root.example.org
      ---
      Server certificate
      -----BEGIN CERTIFICATE-----
      [...]

      With 6.4.3, on the other hand, the "Certificate chain" section only shows the MaxScale certificate and not the full certificate chain:

      CONNECTED(00000005)
      depth=2 C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-root.example.org
      verify return:1
      depth=1 C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-intermediate.example.org
      verify return:1
      depth=0 C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = client.example.org
      verify return:1
      ---
      Certificate chain
       0 s:C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = client.example.org
         i:C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-intermediate.example.org
      ---
      Server certificate
      -----BEGIN CERTIFICATE-----
      [...]
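The difference between the two transcripts above can be checked mechanically. The following is an added example (not MaxScale code and not part of the issue): it parses the "Certificate chain" block of an `openssl s_client` transcript and reports the first issuer that the server did not send and that is also absent from the client's trust store. The transcripts are constructed, abbreviated copies of the 6.2.1 and 6.4.3 output above, and certificates are matched by CN only, which is an assumption made to keep the example short.

```python
import re

# Constructed transcripts, abbreviated from the openssl s_client output in the issue.
DN = "C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, CN = "
CHAIN_6_2_1 = f"""---
Certificate chain
 0 s:{DN}client.example.org
   i:{DN}ca-intermediate.example.org
 1 s:{DN}ca-intermediate.example.org
   i:{DN}ca-root.example.org
 2 s:{DN}ca-root.example.org
   i:{DN}ca-root.example.org
---
Server certificate"""
CHAIN_6_4_3 = f"""---
Certificate chain
 0 s:{DN}client.example.org
   i:{DN}ca-intermediate.example.org
---
Server certificate"""

def parse_chain(transcript: str) -> list:
    """Return [(subject_cn, issuer_cn), ...] from the 'Certificate chain' block, leaf first."""
    lines = transcript.splitlines()
    if "Certificate chain" not in lines:
        return []
    pairs, subject = [], None
    for line in lines[lines.index("Certificate chain") + 1:]:
        if line.startswith("---"):
            break
        m = re.match(r"\s*(?:\d+\s+)?([si]):.*?CN = ([^,]+)", line)
        if m and m.group(1) == "s":
            subject = m.group(2).strip()
        elif m and subject is not None:
            pairs.append((subject, m.group(2).strip()))
            subject = None
    return pairs

def chain_gap(transcript: str, trusted_cns: set):
    """None if the presented chain links up to a CN in the trust store; otherwise the CN
    of the first issuer the server did not send and the client cannot find locally."""
    pairs = parse_chain(transcript)
    if not pairs:
        return "<no certificate chain in transcript>"
    for idx, (subject, issuer) in enumerate(pairs):
        if subject in trusted_cns or issuer in trusted_cns:
            return None
        if idx + 1 == len(pairs) or pairs[idx + 1][0] != issuer:
            return issuer  # next hop was not presented by the server
```

With a trust store holding only the root, the 6.4.3 transcript reports the intermediate as missing, while with the ca-bundle (root plus intermediate) both transcripts pass, which is why `verify return:1` appears in both outputs above even though the chain sent by 6.4.3 is incomplete.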

      Attachments: certs.tar.gz (17 kB, Hartmut Holzgraefe)

      People: markus makela, hholzgra (Hartmut Holzgraefe)