[MDEV-15039] Fix LibreSSL X509 (SSL) certificate hostname checking
Created: 2018-01-23  Updated: 2018-05-29  Resolved: 2018-04-04

Status: Closed
Project: MariaDB Server
Component/s: SSL
Affects Version/s: 10.3
Fix Version/s: 10.1.33, 10.2.15, 10.3.6

Type: Bug
Priority: Critical
Reporter: Sergey Vojtovich
Assignee: Sergei Golubchik
Resolution: Fixed
Votes: 0
Labels: contribution, foundation


 Description   

(Currently) LibreSSL doesn't calculate the string length of the hostname
that's passed to X509_check_host automatically in case namelen/chklen is 0.
This causes server certificate validation to fail when building MariaDB with
LibreSSL.

The proposed fix makes MariaDB determine the string length passed to
X509_check_host. As there are no ill side-effects (OpenSSL's X509_check_host
also simply calls strlen if namelen == 0, see also X509_check_host(3)), this
wasn't wrapped in any #ifdef-like constructs.

Please see here for a proposed patch to modify LibreSSL's behavior:
libressl-portable/openbsd#87
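
The length handling described above, as an added example that is not part of the original report or of MariaDB's code: `toy_cert`, `check_host_fn` and both `check_*` functions are constructed stand-ins that model only the chklen behaviour the report attributes to each library, so the program runs without linking a TLS library. It shows that a zero length makes the strict-length model reject a valid name (validation fails closed), while a caller-computed length works with both.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a certificate: only the DNS name it was issued for. */
struct toy_cert { const char *dns_name; };

/* Hypothetical type mirroring the (cert, chk, chklen) arguments of X509_check_host. */
typedef int (*check_host_fn)(const struct toy_cert *, const char *, size_t);

/* Toy matcher: exact comparison over exactly chklen bytes (no wildcards, no case folding). */
static int match(const struct toy_cert *c, const char *chk, size_t chklen)
{
    return chklen == strlen(c->dns_name) && memcmp(chk, c->dns_name, chklen) == 0;
}

/* Model of the behaviour the report attributes to OpenSSL: chklen == 0 means strlen(chk). */
int check_autolen(const struct toy_cert *c, const char *chk, size_t chklen)
{
    if (chklen == 0)
        chklen = strlen(chk);
    return match(c, chk, chklen);
}

/* Model of the behaviour the report attributes to LibreSSL: chklen is used as given. */
int check_strictlen(const struct toy_cert *c, const char *chk, size_t chklen)
{
    return match(c, chk, chklen);
}

/* Pre-fix call style: pass 0 and rely on the library to measure the string. */
int verify_hostname_len0(check_host_fn check, const struct toy_cert *c, const char *host)
{
    return check(c, host, 0);
}

/* Call style of the fix: the caller always supplies the length itself. */
int verify_hostname(check_host_fn check, const struct toy_cert *c, const char *host)
{
    if (host == NULL || host[0] == '\0')
        return 0; /* strlen would be 0 again, so refuse an empty name outright */
    return check(c, host, strlen(host));
}

int main(void)
{
    struct toy_cert cert = { "db.example.test" }; /* constructed sample name */
    printf("len0/strict:     %d\n", verify_hostname_len0(check_strictlen, &cert, "db.example.test"));
    printf("explicit/strict: %d\n", verify_hostname(check_strictlen, &cert, "db.example.test"));
    return 0;
}
```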



 Comments   
Comment by Sergey Vojtovich [ 2018-03-20 ]

Overdue PR.
