[CONC-447] ERROR 2026 (HY000): SSL connection error: Certificate signature check failed Created: 2019-12-03  Updated: 2020-08-25  Resolved: 2019-12-08

Status: Closed
Project: MariaDB Connector/C
Component/s: None
Affects Version/s: 3.1.5
Fix Version/s: 3.1.6

Type: Bug Priority: Critical
Reporter: Vladislav Vaintroub Assignee: Vladislav Vaintroub
Resolution: Fixed Votes: 0
Labels: None


Description

https://github.com/HeidiSQL/HeidiSQL/issues/330
also documented in https://docs.microsoft.com/en-us/azure/mariadb/howto-configure-ssl as
"When using the MySQL command-line interface on Windows, you may receive an error SSL connection error: Certificate signature check failed. If this occurs, replace the --ssl-mode=REQUIRED --ssl-ca={filepath} parameters with --ssl."

SSL certificate chain validation and revocation list handling in Schannel are broken:
--ssl-ca and --ssl-crl do not work as expected with Schannel.

The current handling seems to assume there is a single CA certificate in the ca-certs.pem file, the "issuer". However, there may be many intermediate CAs in this file. It also uses CertVerifySubjectCertificateContext(), an API nobody else uses for this purpose. CRL handling is equally broken: it seems to assume there is just a single entry in the CRL file.

What others do (e.g. curl and mongodb): they load all CA certificates and all CRL entries into a chain-specific memory store and validate the certificate against that store.
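The approach described above, written here as an added example in C against the Windows CryptoAPI (it is not Connector/C, curl or mongodb code): every CERTIFICATE and X509 CRL block of the bundle goes into one memory store, which then serves both as the exclusive root store of a chain engine and as the additional store for CertGetCertificateChain. The names pem_blocks, add_cb, verify_against_bundle and the check_crl flag are chosen here; the Schannel part is guarded by _WIN32 and assumes the chain engine consults CRLs placed in the additional store, while the PEM walker is portable.

```c
/* Added example (not Connector/C code): load EVERY CA and CRL block of a PEM bundle into one
 * memory store and build the chain against it. pem_blocks() is portable; link crypt32.lib. */
#include <string.h>
typedef void (*pem_cb)(const char *lab, size_t ll, const char *blk, size_t bl, void *ctx);
/* Calls cb for every "-----BEGIN <label>-----...-----END <label>-----" block and returns the
 * count. A bundle holds many intermediates and CRLs; using only the first drops the rest. */
int pem_blocks(const char *pem, pem_cb cb, void *ctx)
{
    int n = 0;
    for (const char *b; (b = strstr(pem, "-----BEGIN ")) != NULL; n++) {
        const char *lab = b + 11, *lab_end = strstr(lab, "-----");
        const char *e = lab_end ? strstr(lab_end, "-----END ") : NULL;
        const char *e_end = e ? strstr(e + 9, "-----") : NULL;
        if (!e_end) break;                            /* truncated block: stop */
        pem = e_end + 5;                              /* resume after this block */
        if (cb) cb(lab, (size_t)(lab_end - lab), b, (size_t)(pem - b), ctx);
    }
    return n;
}
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
static void add_cb(const char *lab, size_t ll, const char *blk, size_t bl, void *ctx)
{
    BYTE der[8192]; DWORD len = sizeof der;           /* PEM text -> DER */
    if (!CryptStringToBinaryA(blk, (DWORD)bl, CRYPT_STRING_BASE64HEADER, der, &len, NULL, NULL)) return;
    if (ll == 8 && !strncmp(lab, "X509 CRL", 8))
        CertAddEncodedCRLToStore(ctx, X509_ASN_ENCODING, der, len, CERT_STORE_ADD_REPLACE_EXISTING, NULL);
    else
        CertAddEncodedCertificateToStore(ctx, X509_ASN_ENCODING, der, len, CERT_STORE_ADD_REPLACE_EXISTING, NULL);
}
/* 1 if leaf chains to a bundled CA (and, when check_crl is set, no bundled CRL revokes it).
 * Assumes the chain engine consults CRLs in the additional store; no network CRL fetch. */
int verify_against_bundle(PCCERT_CONTEXT leaf, const char *pem, int check_crl)
{
    HCERTSTORE store = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, 0, NULL);
    CERT_CHAIN_ENGINE_CONFIG cfg = { sizeof cfg }; CERT_CHAIN_PARA para = { sizeof para };
    HCERTCHAINENGINE engine = NULL; PCCERT_CHAIN_CONTEXT chain = NULL; int ok = 0;
    DWORD flags = check_crl ? CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT | CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY : 0;
    pem_blocks(pem, add_cb, store);                   /* all CAs and CRLs, not just the first */
    cfg.hExclusiveRoot = store;                       /* only bundled CAs are trust anchors */
    if (CertCreateCertificateChainEngine(&cfg, &engine) &&
        CertGetCertificateChain(engine, leaf, NULL, store, &para, flags, NULL, &chain))
        ok = chain->TrustStatus.dwErrorStatus == CERT_TRUST_NO_ERROR;
    if (chain) CertFreeCertificateChain(chain);
    if (engine) CertFreeCertificateChainEngine(engine);
    CertCloseStore(store, 0);
    return ok;
}
#endif
```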

