[MDEV-15856] mysql client receiving error: sslv3 alert unsupported certificate
Created: 2018-04-12  Updated: 2020-08-25  Resolved: 2018-04-17

Status: Closed
Project: MariaDB Server
Component/s: Scripts & Clients, SSL
Affects Version/s: 10.2.14
Fix Version/s: N/A

Type: Bug
Priority: Major
Reporter: Geoff Montee (Inactive)
Assignee: Sergei Golubchik
Resolution: Not a Bug
Votes: 0
Labels: ssl


Description

A user is seeing the following error while trying to connect to MariaDB using SSL:

> mysql -h server1 -u dbuser -p --ssl-ca=/etc/my.cnf.d/certs/ca_chain.pem --ssl-cert=/etc/my.cnf.d/certs/server_cert.pem --ssl-key=/etc/my.cnf.d/certs/server_key.pem
Enter password:
ERROR 2026 (HY000): SSL connection error: sslv3 alert unsupported certificate

The certificates are able to be verified by OpenSSL:

> openssl verify -CAfile /etc/my.cnf.d/certs/ca_chain.pem /etc/my.cnf.d/certs/server_cert.pem
/etc/my.cnf.d/certs/server_cert.pem: OK

And the certificates also work with OpenSSL's s_client and s_server tools.

This is on RHEL 7.4 with the following packages:

openssl-libs-1.0.2k-8.el7.x86_64
openssl-1.0.2k-8.el7.x86_64

ssl_cipher is not set to anything.

The certificate uses a 2048 bit RSA key, and it also uses the "Subject Alternative Name" field.



Comments
Comment by Geoff Montee (Inactive) [ 2018-04-17 ]

This happened because the client certificate had the following attribute:

X509v3 Extended Key Usage:
TLS Web Server Authentication

For the certificate to work for client authentication, it needed to be "TLS Web Client Authentication" instead.
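
Added example, not part of the ticket or of MariaDB's own tooling: a plain `openssl verify -CAfile ...` as in the description checks the chain but evaluates no purpose, so a certificate whose Extended Key Usage lists only TLS Web Server Authentication still reports OK. The script below builds a constructed throwaway CA and two leaf certificates (all names and files are made up) and shows that adding `-purpose sslclient` catches the problem before the certificate is used for client authentication.

```shell
#!/bin/sh
# Constructed demo: a throwaway CA and two leaf certificates that differ only
# in Extended Key Usage. Every name and file here is made up for the example.

# make_leaf NAME EKU: issue NAME.pem from the demo CA with the given EKU.
make_leaf() {
    printf 'extendedKeyUsage=%s\n' "$2" > "$1.ext"
    openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$1" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 1 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}

# chain_ok CERT: the check used in the report; no purpose is evaluated.
chain_ok() {
    openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1
}

# usable_as_client CERT: chain plus the "sslclient" purpose check, which is
# where an EKU without TLS Web Client Authentication is rejected.
usable_as_client() {
    openssl verify -purpose sslclient -CAfile ca.pem "$1" >/dev/null 2>&1
}

# setup_demo: build the CA and both leaves in a fresh temporary directory.
setup_demo() {
    DEMO_DIR=$(mktemp -d) && cd "$DEMO_DIR" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -subj "/CN=Demo CA" -days 1 2>/dev/null
    make_leaf server_only serverAuth && make_leaf client_ok clientAuth
}

setup_demo || exit 1
for cert in server_only.pem client_ok.pem; do
    chain_ok "$cert" && chain=pass || chain=FAIL
    usable_as_client "$cert" && client=pass || client=FAIL
    echo "$cert: chain=$chain sslclient=$client"
done
```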
