[CONC-360] Support equivalent of ssl_mode=VERIFY_CA / disableSslHostnameVerification Created: 2018-09-04 Updated: 2023-08-30 Resolved: 2023-08-30 |
| Status: | Closed |
| Project: | MariaDB Connector/C |
| Component/s: | TLS/SSL |
| Affects Version/s: | None |
| Fix Version/s: | N/A |
| Type: | Bug | Priority: | Minor |
| Reporter: | Andrew Garner | Assignee: | Georg Richter |
| Resolution: | Won't Fix | Votes: | 1 |
| Labels: | None | ||
| Issue Links: |
| Description |
Currently it seems both CA verification and hostname verification are guarded behind the ssl_verify_server_cert option, so an application cannot verify the CA independently of hostname verification. So this is a feature request to be able to disable hostname verification while still being able to perform peer certificate verification. This is akin to ssl_mode=VERIFY_CA or perhaps the MariaDB Connector/J's disableSslHostnameVerification option. In some environments the subject names on a certificate are not terribly interesting, but we would like the client to verify the server's certificate against some provided CA which seems impossible today when using the MariaDB Connector/C. |
| Comments |
| Comment by Sergei Golubchik [ 2018-09-04 ] |
As far as I understand, not verifying the hostname opens you to MitM attacks. A man in the middle can replace the certificate with a valid but different certificate and decrypt all the traffic. Basically, verifying only the CA without the hostname is as safe as not verifying anything at all. |
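The check that separates the two modes discussed in this issue is the hostname (server identity) match that VERIFY_CA skips. The following is an added illustration, not code from MariaDB Connector/C or from either commenter: a simplified RFC 6125 style matcher over certificate dicts in the shape Python's `ssl.SSLSocket.getpeercert()` returns, plus a small `verify_peer` helper whose mode names ("VERIFY_CA", "VERIFY_IDENTITY") are borrowed from the ssl_mode naming mentioned in the description. Both sample certificates are constructed data, assumed to have already passed chain validation against the same internal CA; the point is that the second one, issued to a different host by that CA, is accepted under VERIFY_CA and rejected only once hostname verification is on.

```python
"""Hostname-verification step that a VERIFY_CA-style mode leaves out.

Certificate inputs are dicts shaped like ssl.SSLSocket.getpeercert()
output. They are constructed sample data, not real certificates, and
chain validation is assumed to have succeeded for all of them.
"""
import ipaddress


def _dns_name_match(pattern, hostname):
    """Match one dNSName pattern against a hostname (RFC 6125 style).

    A wildcard is accepted only as the entire leftmost label, must have at
    least two labels to its right, and never matches across a dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if `hostname` is covered by the cert's SAN (or, if no SAN, its CN)."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]

    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # An IP literal must appear as an iPAddress SAN; DNS names do not count.
        return any(ipaddress.ip_address(v) == wanted_ip for v in ip_names)

    if dns_names:
        return any(_dns_name_match(p, hostname) for p in dns_names)

    # Legacy fallback: the subject CN is consulted only when no SAN is present.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_match(value, hostname)
    return False


def verify_peer(cert, hostname, mode):
    """Decide whether a chain-valid peer cert is acceptable under `mode`.

    mode names are borrowed from MySQL-style ssl_mode values (assumption):
      VERIFY_CA       - trust chain only; any cert from the CA is accepted
      VERIFY_IDENTITY - trust chain plus hostname/IP match
    """
    if mode == "VERIFY_CA":
        return True
    if mode == "VERIFY_IDENTITY":
        return hostname_matches(cert, hostname)
    raise ValueError("unknown mode: %r" % (mode,))


# Constructed sample certificates (not real), all issued by the same internal CA.
ISSUER = ((("commonName", "Example Internal CA"),),)

DB_CERT = {
    "subject": ((("commonName", "db1.example.internal"),),),
    "issuer": ISSUER,
    "subjectAltName": (
        ("DNS", "db1.example.internal"),
        ("DNS", "*.db.example.internal"),
        ("IP Address", "10.0.0.5"),
    ),
}

# Issued by the same CA to a different host. A man in the middle holding this
# cert and key passes a CA-only check when the client meant to reach db1.
OTHER_HOST_CERT = {
    "subject": ((("commonName", "web7.example.internal"),),),
    "issuer": ISSUER,
    "subjectAltName": (("DNS", "web7.example.internal"),),
}

# Older-style cert with no SAN extension; only the CN identifies the host.
CN_ONLY_CERT = {
    "subject": ((("commonName", "db2.example.internal"),),),
    "issuer": ISSUER,
}


if __name__ == "__main__":
    for mode in ("VERIFY_CA", "VERIFY_IDENTITY"):
        print(mode, "accepts web7 cert for db1:",
              verify_peer(OTHER_HOST_CERT, "db1.example.internal", mode))
```

Running the block prints that the web7 certificate is accepted for db1 under VERIFY_CA and rejected under VERIFY_IDENTITY, which is the trade-off the comment above describes: CA-only verification restricts the attacker to certificates from the trusted CA, and nothing more.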