[CONC-538] Can't connect via SSL Created: 2021-03-26  Updated: 2022-07-25

Status: Open
Project: MariaDB Connector/C
Component/s: TLS/SSL
Affects Version/s: 3.1.11, 3.1.12
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Marco Paland Assignee: Georg Richter
Resolution: Unresolved Votes: 0
Labels: None
Environment:

Server: Binary package mariadb-10.5.9-linux-systemd-x86_64 on Debian buster
Client: Windows 10 mariadb-connector-c 3.1.12 / 3.1.11


Attachments: ca-cert.pem, client-cert.pem, client-key.pem, server-cert.pem, server-key.pem
Issue Links:
Relates
relates to MDEV-25701 Two-way TLS does not work with WolfSS... Confirmed

Description

I have a serious problem making an SSL connection to the MariaDB server instance.

The server is the binary package mariadb-10.5.9-linux-systemd-x86_64 on Debian buster.
The client is running on the latest Windows 10 64-bit with mariadb-connector-c 3.1.12 / 3.1.11.

The corresponding SSL certificates are standard, self-signed, and were generated on the server following this manual:
https://mariadb.com/kb/en/certificate-creation-with-openssl/
Verification of the client/server certs is fine.

Connecting via SSL using Windows DBeaver (v21.0.1) works fine; DBeaver uses mariadb-connector-J internally. So this proves that the server and the certs are fine.

I compiled and tried the latest mariadb-connector-c (3.1.12), which gives the following error:
SSL connection error: An unknown error occurred while processing the certificate. Error 0x80090327(SEC_E_CERT_UNKNOWN)
Given are client-key.pem, client-cert.pem and ca-cert.pem; ca-folder and ciphers are null (unused).

I tried the same with the latest HeidiSQL, which uses an older libmariadb.dll version (3.1.7), but got the same error there.

So I suspect there's an SSL problem, perhaps in the use of Schannel.
The error code above gives:

0x80090327
This error translates to "An unknown error occurred while processing the certificate."
This usually means that the server requires SSL client authentication and a new certificate is specified. Check the SSLStatus Event for details.

Comments
Comment by Georg Richter [ 2021-03-27 ]

Can you please check if the connection works without client certificates?

Comment by Marco Paland [ 2021-03-27 ]

Without client-cert and client-key (just ca-cert given), the connection works.
You are right; normally only ca-cert (or server-cert) should be enough to connect the client.
I just thought client-cert and key were mandatory params.
Does it have any drawbacks not to use the client-cert?

Anyway, IMHO, wouldn't it be more consistent to use WolfSSL as the TLS lib?
The MariaDB server is using it, and it would be the same code base for connector-c on different platforms.

Comment by Georg Richter [ 2021-03-28 ]

A client certificate is only required if the user account was defined with REQUIRE X509; in this case the client will send the certificate to the server.
WolfSSL can't be used with MariaDB Connector/C since the licenses are not compatible (LGPL vs. GPL).

However, it would be good to know what exactly fails. If these are self-signed certificates, do you mind attaching them to this report?

Comment by Marco Paland [ 2021-03-28 ]

Georg, thanks a lot for giving advice here.

I uploaded the corresponding test files.
REQUIRE X509 or REQUIRE SSL on the 'ssluser' account doesn't make a difference to the error result.

Yes, too bad that WolfSSL can't be used; I didn't notice its license.
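An added shell example, not part of this Jira issue or of the Connector/C project, showing the two properties a client certificate must have before a TLS-library problem like the one above is suspected: it chains to the CA file handed to the connector, and the private key belongs to it. It builds a throwaway CA and client pair with the openssl CLI (assumed to be installed) under the attachment file names, then runs both checks.

```shell
#!/bin/sh
# Constructed example: a disposable CA plus client cert/key, then the checks
# an operator would run on ca-cert.pem / client-cert.pem / client-key.pem.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

make_test_certs() {
    # Self-signed CA, like the one from the MariaDB certificate-creation manual.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$WORK/ca-key.pem" -out "$WORK/ca-cert.pem" 2>/dev/null
    # Client key + CSR for the 'ssluser' account, signed by that CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ssluser" \
        -keyout "$WORK/client-key.pem" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/client.csr" \
        -CA "$WORK/ca-cert.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
        -out "$WORK/client-cert.pem" 2>/dev/null
}

# check_client_pair CA CERT KEY
# Prints "ok" and returns 0 when CERT chains to CA and KEY matches CERT;
# otherwise prints which check failed and returns 1.
check_client_pair() {
    ca="$1"; cert="$2"; key="$3"
    # 1. Chain: would a peer that trusts only CA accept this client cert?
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "chain: FAIL"; return 1
    fi
    # 2. Key match: compare the public key inside the cert with the one
    #    derived from the private key (both emitted as PEM by openssl).
    cert_pub="$(openssl x509 -noout -pubkey -in "$cert")"
    key_pub="$(openssl pkey -pubout -in "$key" 2>/dev/null)"
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "key match: FAIL"; return 1
    fi
    echo "ok"
}

make_test_certs
check_client_pair "$WORK/ca-cert.pem" "$WORK/client-cert.pem" "$WORK/client-key.pem"
```

Run it against the real attachment paths by calling check_client_pair with those three files instead of the generated ones; a failure in either check is a certificate problem, not a Schannel one.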
