[MDEV-10973] X509 verification fails Created: 2016-10-07  Updated: 2017-06-27

Status: Open
Project: MariaDB Server
Component/s: SSL
Affects Version/s: 5.5, 10.0, 10.1, 10.2
Fix Version/s: 10.2

Type: Bug Priority: Minor
Reporter: Georg Richter Assignee: Georg Richter
Resolution: Unresolved Votes: 0
Labels: None


Description

X509 verification for subject and issuer is broken:

1. If the client certificate contains UTF-8 characters (e.g. '/DC=com/L=Москва/DC=example/CN=client'), verification fails due to use of the function X509_NAME_oneline().

Quote from the X509_NAME_oneline() manpage:
"The functions X509_NAME_oneline() and X509_NAME_print() are legacy functions which produce a non standard output form, they don't handle multi character fields and have various quirks and inconsistencies. Their use is strongly discouraged in new applications."

2. Verification fails if e.g. an attribute in the cert is in lower case while it was specified in upper case with GRANT before (see RFC 5280).

3. Verification fails if there are additional attributes in the certificate:

GRANT ....  REQUIRE ISSUER "/CN=cacert/C=FI/ST=Helsinki/O=MariaDB"

but if the certificate has an additional locality, verification fails, e.g.

 /CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB
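As an added example (not MariaDB's code), the three cases from the description compared two ways in Python: byte-for-byte comparison of the X509_NAME_oneline() string, which is the GRANT semantics the comment below describes, beside an attribute-wise comparison in the spirit of RFC 5280 section 7.1. It assumes the `\xHH` escaping X509_NAME_oneline() applies to non-ASCII bytes and that attribute values contain no '/'.

```python
import re
import unicodedata

# Constructed sample values based on the report's examples; the escaped form is what
# X509_NAME_oneline() is assumed to emit for the UTF-8 bytes of 'Москва'.
ISSUER_REQUIRED = "/CN=cacert/C=FI/ST=Helsinki/O=MariaDB"
ISSUER_WITH_LOCALITY = "/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB"
SUBJECT_GRANTED = "/DC=com/L=Москва/DC=example/CN=client"
SUBJECT_ONELINE = r"/DC=com/L=\xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/DC=example/CN=client"

_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})")

def unescape_oneline(s: str) -> str:
    """Turn the \\xHH escapes of the oneline form back into UTF-8 text."""
    out = bytearray()
    pos = 0
    for m in _ESC.finditer(s):
        out += s[pos:m.start()].encode("utf-8")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += s[pos:].encode("utf-8")
    return out.decode("utf-8", errors="replace")

def parse_oneline(dn: str) -> list:
    """Split '/TYPE=value/...' into (TYPE, value) pairs; assumes values contain no '/'."""
    pairs = []
    for part in dn.split("/"):
        if not part:
            continue
        typ, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN component: {part!r}")
        pairs.append((typ.upper(), unescape_oneline(val)))
    return pairs

def normalize_value(v: str) -> str:
    """RFC 5280 section 7.1 style matching: Unicode-normalize, collapse whitespace, fold case."""
    v = unicodedata.normalize("NFKC", v)
    return re.sub(r"\s+", " ", v).strip().casefold()

def exact_match(required: str, cert_dn: str) -> bool:
    """Byte-for-byte comparison of the oneline strings (the GRANT semantics in the comment)."""
    return required == cert_dn

def attribute_match(required: str, cert_dn: str, allow_extra: bool = False) -> bool:
    """Attribute-wise comparison. allow_extra tolerates extra certificate attributes
    (ignoring order and multiplicity), which deliberately loosens the policy."""
    req = [(t, normalize_value(v)) for t, v in parse_oneline(required)]
    cert = [(t, normalize_value(v)) for t, v in parse_oneline(cert_dn)]
    if not allow_extra:
        return req == cert
    return all(attr in cert for attr in req)
```

Note that `allow_extra=True` is a policy change rather than a bug fix: once extra attributes are tolerated, any certificate carrying the required attributes plus others satisfies the GRANT, so it should be an explicit choice when defining the rule.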



Comments
Comment by Sergei Golubchik [ 2017-04-24 ]

That's how GRANT works. One needs to specify the exact X509 subject or issuer as returned by X509_NAME_oneline(). This is, basically, the definition of GRANT ... REQUIRE SUBJECT (or ISSUER).
