[MDEV-18131] MariaDB does not verify IP addresses from subject alternative names Created: 2019-01-03  Updated: 2019-05-22  Resolved: 2019-04-28

Status: Closed
Project: MariaDB Server
Component/s: SSL
Affects Version/s: 10.1.37
Fix Version/s: 10.2.24, 10.1.39, 10.3.15, 10.4.5

Type: Bug Priority: Major
Reporter: Andrew Garner Assignee: Vladislav Vaintroub
Resolution: Fixed Votes: 2
Labels: None

Issue Links:
Relates
relates to CONC-413 C/C may not compare IP address to Sub... Open
relates to MDEV-10594 SSL hostname verification fails for S... Closed
relates to MDEV-18277 Client can't validate server certific... Closed
relates to MDEV-19560 Client may not compare IP address to ... Closed
relates to CONC-250 SSL hostname verification for Subject... Closed

Description

We have a certificate with the following subject names:

Subject: CN=127.0.0.1
X509v3 Subject Alternative Name:
IP Address:127.0.0.1, DNS:localhost

When we connect with mysql --host=127.0.0.1 --ssl-ca=ca.pem --ssl-verify-server-cert with MariaDB, certificate validation fails:

ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure

However, this same command will succeed as-is against a recent MySQL 5.7.23+ or Percona Server bin/mysql client. This command also succeeds if the DNS hostname is used ("mysql --host=localhost --protocol=tcp --ssl...").

Offhand it appears that MariaDB only calls X509_check_host, but MySQL / Percona will additionally call X509_check_ip to validate an IP address. It seems that when there is at least one DNS entry in the subject alt name, the verification fails even if the common name would otherwise match.
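To make the reporter's observation concrete, here is an added Python model of the two checks. It is not MariaDB's, MySQL's or OpenSSL's code; it assumes the semantics of X509_check_host (DNS SANs first, CN consulted only when no DNS SAN exists) and X509_check_ip (IP SANs only, no CN fallback), and uses a constructed Cert mirroring the certificate in the report.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class Cert:
    """Just the identity fields relevant to server-name verification."""
    cn: str
    san_dns: List[str] = field(default_factory=list)
    san_ip: List[str] = field(default_factory=list)


# Constructed to mirror the certificate in the report:
# CN=127.0.0.1, SAN = IP Address:127.0.0.1, DNS:localhost
REPORT_CERT = Cert(cn="127.0.0.1", san_dns=["localhost"], san_ip=["127.0.0.1"])


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-ID match; '*' is accepted only as the entire
    leftmost label and must leave at least two labels after it."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    pl, hl = p.split("."), h.split(".")
    return pl[0] == "*" and len(pl) > 2 and len(pl) == len(hl) and pl[1:] == hl[1:]


def check_host(cert: Cert, host: str) -> bool:
    """Models X509_check_host: match the DNS SANs; the CN is consulted only
    when the certificate carries no DNS SAN at all (assumed default behaviour)."""
    candidates = cert.san_dns if cert.san_dns else [cert.cn]
    return any(_dns_match(c, host) for c in candidates)


def check_ip(cert: Cert, addr) -> bool:
    """Models X509_check_ip: compare against the IP SANs as parsed addresses
    (so IPv6 spelling variants still match); the CN is never consulted."""
    return any(ipaddress.ip_address(s) == addr for s in cert.san_ip)


def verify_host_only(cert: Cert, target: str) -> bool:
    """The behaviour the report describes: every target, even an address
    literal, goes through the host-name check and nothing else."""
    return check_host(cert, target)


def verify_host_or_ip(cert: Cert, target: str) -> bool:
    """The corrected flow: decide first whether the target is an IP literal,
    then run the check that applies to that kind of identifier."""
    try:
        addr = ipaddress.ip_address(target.strip("[]"))  # accept [::1] form
    except ValueError:
        return check_host(cert, target)
    return check_ip(cert, addr)
```

With the report's certificate, verify_host_only rejects 127.0.0.1 because the DNS SAN "localhost" suppresses the CN fallback, while verify_host_or_ip accepts it via the IP SAN.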



Comments
Comment by Thomas [ 2019-04-18 ]

Is there an ETA on when these fixes will be released? We have exactly the same problem here, sadly.

Thanks

Generated at Thu Feb 08 08:41:44 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.