|
The SSL hostname verification code currently fails to validate server certificates with a SubjectAltName entries.
$ sudo openssl x509 -in /etc/pki/tls/certs/mariadb.pem -noout -text | grep -e DNS -e CN
|
Issuer: O=STEFANY.EU, CN=Certificate Authority
|
Subject: O=STEFANY.EU, CN=dbms1.stefany.eu
|
DNS:dbms2.stefany.eu, DNS:galera.stefany.eu, othername:<unsupported>, othername:<unsupported>
|
$ sudo openssl x509 -in /etc/pki/tls/certs/mariadb.pem -noout -text | grep -e DNS -e CN
|
Issuer: O=STEFANY.EU, CN=Certificate Authority
|
Subject: O=STEFANY.EU, CN=dbms2.stefany.eu
|
DNS:dbms1.stefany.eu, DNS:galera.stefany.eu, othername:<unsupported>, othername:<unsupported>
|
$ sudo openssl x509 -in /etc/pki/tls/certs/mariadb.pem -noout -text | grep -e DNS -e CN
|
Issuer: O=STEFANY.EU, CN=Certificate Authority
|
Subject: O=STEFANY.EU, CN=dbms3.stefany.eu
|
DNS:dbms3.stefany.eu, DNS:galera.stefany.eu, othername:<unsupported>, othername:<unsupported>
|
All versions work with (dbms*):
mysql -h dbms1.stefany.eu -u someuser -p
|
But none works for:
mysql -h galera.stefany.eu -u someuser -p
|
Version 5.5.50 fails to connect as:
ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure
|
while version 10.1.16 fails to connect as:
ERROR 2003 (HY000): Can't connect to MySQL server on 'galera.stefany.eu' (111 "Connection refused")
|
or:
ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error: 104 "Connection reset by peer"
|
Contents of /etc/my.cnf.d/client.cnf would be as follows:
[...]
|
[client]
|
ssl-ca=/etc/ipa/ca.crt
|
ssl-cipher=TLSv1.2
|
ssl-verify-server-cert
|
[...]
|
|
MDEV_10594.patch