[MDEV-21900] [client] ssl-verify-server-cert no longer allows connecting from root@localhost Created: 2020-03-09  Updated: 2021-11-18  Resolved: 2020-07-27

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System, Configuration, Plugin - unix_socket
Affects Version/s: 10.3.22, 10.4.12
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Robert Dyas Assignee: Sergei Golubchik
Resolution: Incomplete Votes: 0
Labels: need_feedback
Environment:

centos7


Attachments: 10.3.png (PNG), 10.6.png (PNG)

Description

Starting with 10.3.22 if you had
ssl-verify-server-cert
specified in the [client] section of my.cnf connecting as root@localhost would fail. Previously this worked without issue.

Also in 10.4.12 - even if the auth type is unix_socket for root@localhost, it still fails with the SSL error (cannot verify cert) when you try to connect as root@localhost (e.g. sudo mysql)



Comments
Comment by Elena Stepanova [ 2020-04-05 ]

For the difference in 10.3.22 – do you mean that it works with 10.3.21, but fails on the same machine with 10.3.22 of the same package type?
I don't see right away any obvious SSL-related changes in 10.3.22.
Which packages are these, RPMs or bintars?
Could you please paste or attach the whole config, server and client? Obviously you can obfuscate whatever you consider confidential, as long as it's still understandable that an option with a certain value was there.

Regarding 10.4.12 – also, please provide the config files and SHOW CREATE USER root@localhost (also edited to obfuscate confidential information, if necessary).

Comment by Robert Dyas [ 2020-04-08 ]

Correct, going from 21 to 22 prevents it from connecting. I've since switched to 10.4.x and am using the sudo mysql type of access for localhost.

Comment by Elena Stepanova [ 2020-05-21 ]

serg,
Is this anything you recognize right away?

Comment by Sergei Golubchik [ 2020-05-27 ]

Not right away, but I diffed the history and found this commit: https://github.com/mariadb-corporation/mariadb-connector-c/commit/8e9c31

I think this means that in C/C 3.1.6 ssl-verify-server-cert did not actually verify server cert unless you have also specified ssl-ca or ssl-capath. In C/C 3.1.7 it always tries to verify, and if no ssl-ca or ssl-capath is specified it falls back to the system-wide certificate store.

Also, this commit adds a server test for this feature, in particular this line shows how to add your self-signed cert to the system-wide store, if you'd like to do that.

Comment by Sergei Golubchik [ 2020-05-27 ]

In other words, I suspect (but am not yet sure) that this is not a bug. Please confirm and we'll close it.

Comment by Robert Dyas [ 2020-05-27 ]

Note I was using a certificate signed by a public CA (Comodo).

Comment by Sergei Golubchik [ 2020-05-29 ]

Did you use --ssl-ca or --ssl-capath?

Comment by jake [ 2021-11-13 ]

I have a remote Mariadb server that uses a Let's Encrypt Cert

so on my client I want to make sure I access that remote server using SSL:

nano /etc/mysql/mariadb.conf.d/z-client.cnf
[client]
ssl-verify-server-cert=on

so now when I do

mysql -u remoteuser -p -h remotehost.example.com

it works and connects using SSL! YAY!

BUT WAIT! What if I want to use my client to connect to the local instance of mariadb server instead of the remote instance...

Normally I would just do it this way and it would connect using the unix socket.

sudo mysql 

however because of the client configuration this no longer works:

nano /etc/mysql/mariadb.conf.d/z-client.cnf
[client]
ssl-verify-server-cert=on

This is not an issue with mysql-client, only mariadb-client.

In the mysql client you configure it to use SSL by doing this:

nano /etc/mysql/mysql.conf.d/mysqld.cnf
[client]
tls_version=TLSv1.2,TLSv1.3

with that in place you can connect to remote hosts using SSL!
BUT you can also still access your local instance of sql server using sudo mysql to use the unix socket!

I am surprised this was closed as it's still an issue for me and I am on 10.6.x

Please don't suggest using self-signed certs just to use the unix socket... that's a workaround and not what I'm looking for; there's no reason to use certs on a unix socket when I am connecting from and to the same machine using sudo mysql

Comment by Sergei Golubchik [ 2021-11-13 ]

The issue was closed as "Incomplete" because it was in the "need_feedback" state for a month and got no feedback. It will be reopened if more info is provided. And this is exactly what you're doing, thanks!

But I don't quite understand what you are saying in your comment. That ssl-verify-server-cert doesn't work when connecting to a local server via unix socket? I cannot repeat that; in my tests the mariadb command-line client connects to a local server, uses unix_socket for authentication, ssl is enabled, ssl-verify-server-cert works fine, ssl-ca or ssl-capath are not used.

Comment by jake [ 2021-11-15 ]

Ah ok, I understand why it was closed then. Interesting that you're not seeing this issue.

I have attached screenshots of a couple systems with this issue:

Server version: 10.6.5-MariaDB-1:10.6.5+maria~focal
Server version: 10.3.31-MariaDB-0+deb10u1 Raspbian 10

I have to keep

ssl-verify-server-cert=on

so that my connection to REMOTE sql servers use SSL.

Connecting using a unix socket to my LOCAL instance of mariadb server (does not have a cert of any kind) does not work; it should not enforce the requirement of the server needing a cert when I am trying to use a unix socket.

I think what you are saying is that your LOCAL mariadb has a cert, and so ssl-verify-server-cert=on works perfectly fine.

What I am saying is that my LOCAL mariadb has no cert at all! Only my remote mariadb server has a cert (that's the only place I am needing one, as that's the only server accepting remote connections).

so my Local Mariadb server does not have a cert
my Remote Mariadb server does have a cert from let's encrypt.

I have defined ssl-verify-server-cert=on so that my client can connect to the Remote Mariadb server which does have the let's encrypt cert.

Because I have defined ssl-verify-server-cert=on, my client cannot connect using a unix socket to the Local Mariadb server, which does not have a cert of any kind (and does not need a cert because it is not accepting remote connections).

I hope the extra information paints a clearer picture of exactly what the problem is that I am having. This problem does not exist using mysql-client only if using mariadb-client.

In mariadb, the way you enforce the client to use SSL is by using ssl-verify-server-cert=on.

In mysql you use tls_version=TLSv1.2,TLSv1.3 instead for the client config.

Under mysql you can connect using a unix socket to your local sql server even with tls_version=TLSv1.2,TLSv1.3 in place, even if your local sql server does not have a cert! This is the way mariadb-client also used to work, but not anymore.

The goal of all of this is to be able to enforce my client to connect to remote sql servers using SSL, but when I'm connecting to my local instance using a unix socket, allow me to connect to it.

Otherwise on all machines where I use ssl-verify-server-cert=on I would also have to put a cert, regardless of whether they are accepting remote connections; this seems like a major design flaw as it currently sits.

Comment by jake [ 2021-11-17 ]

In my case I have found an acceptable workaround; I'm not sure how I missed it.

I enable ssl-verify-server-cert for the client, assuring that connections to remote SQL servers will be encrypted.

nano /etc/mysql/mariadb.conf.d/z-client.cnf
 
[client]
ssl-verify-server-cert=on

And then when I need to connect to my LOCAL mariadb server I can toggle that option as part of the command I use to access mariadb via the unix socket:

sudo mysql --ssl-verify-server-cert=false

It's not as easy as just being able to type sudo mysql, but it works.

Comment by Sergei Golubchik [ 2021-11-18 ]

you can put ssl-verify-server-cert in ~root/.my.cnf then your sudo mysql should work too.
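The two workarounds in this thread (the --ssl-verify-server-cert=false flag, and an override in ~root/.my.cnf) both rely on how the client merges its option files: /etc/my.cnf, /etc/mysql/my.cnf (which on Debian/Ubuntu pulls in /etc/mysql/mariadb.conf.d/*.cnf in name order, hence the z- prefix) and then ~/.my.cnf, with later files and then command-line flags overriding earlier ones. The script below is an added example written for this page, not code from the ticket or from MariaDB; it emulates that merge over a constructed in-memory set of files (paths, contents and the remote host name are invented) so the effective value of ssl-verify-server-cert can be checked for each scenario without a server. It assumes sudo gives the process root's home directory (the default with env_reset), so `sudo mysql` reads /root/.my.cnf. The third scenario is the caveat a practitioner wants: an `off` in ~root/.my.cnf turns verification off for every connection root makes, including ones to the remote host with -h, so root's sessions to the Let's Encrypt-protected server lose their MITM protection; the per-command flag keeps the override scoped to one invocation.

```python
"""Emulate MariaDB/MySQL client option-file merging for ssl-verify-server-cert.

Added example; a simplified model, not the real option parser (it ignores
$MARIADB_HOME, --defaults-file, group suffixes and non-boolean options).
"""
from typing import Dict, List, Sequence, Tuple

# Constructed in-memory "filesystem": path -> contents. Invented for this
# example; the layout mirrors the Debian/Ubuntu paths used in the ticket.
SAMPLE_FS: Dict[str, str] = {
    "/etc/mysql/my.cnf": "!includedir /etc/mysql/mariadb.conf.d/\n",
    # Site-wide client policy: verify the server certificate on every connection.
    "/etc/mysql/mariadb.conf.d/z-client.cnf": "[client]\nssl-verify-server-cert=on\n",
    # root's personal override (the last comment in the thread): read last, so it wins.
    "/root/.my.cnf": "[client]\nssl-verify-server-cert=off\n",
}

# Default option files in read order; later files override earlier ones.
DEFAULT_FILES = ["/etc/my.cnf", "/etc/mysql/my.cnf", "~/.my.cnf"]


def _norm(key: str) -> str:
    """Option names treat '-' and '_' as equivalent; normalise to dashes."""
    return key.strip().lower().replace("_", "-")


def _to_bool(value: str) -> bool:
    """Boolean option values as the client accepts them; a bare key means on."""
    v = value.strip().lower()
    if v in ("", "1", "on", "true", "yes"):
        return True
    if v in ("0", "off", "false", "no"):
        return False
    raise ValueError(f"not a boolean option value: {value!r}")


def parse_option_file(path: str, fs: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (group, key, value) triples in file order, following !includedir.

    Included *.cnf files are read in sorted name order, which is why a file
    named z-client.cnf is read after the distribution's own 50-*.cnf files.
    """
    out: List[Tuple[str, str, str]] = []
    group = None
    for raw in fs.get(path, "").splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("!includedir"):
            directory = line.split(None, 1)[1].rstrip("/") + "/"
            for inc in sorted(p for p in fs if p.startswith(directory) and p.endswith(".cnf")):
                out.extend(parse_option_file(inc, fs))
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1].strip().lower()
            continue
        if group is None:
            continue  # options before any [group] header are ignored
        key, _, value = line.partition("=")
        out.append((group, _norm(key), value.strip()))
    return out


def effective_options(fs: Dict[str, str], home: str, argv: Sequence[str] = (),
                      groups: Sequence[str] = ("client",)) -> Dict[str, str]:
    """Merge the [client] group across the default files, then apply --flags."""
    merged: Dict[str, str] = {}
    for f in DEFAULT_FILES:
        path = home.rstrip("/") + f[1:] if f.startswith("~") else f
        for group, key, value in parse_option_file(path, fs):
            if group in groups:
                merged[key] = value
    for arg in argv:
        if not arg.startswith("--"):
            continue  # short options such as -h, -u, -p are not modelled here
        key, _, value = arg[2:].partition("=")
        key = _norm(key)
        if key.startswith("skip-"):
            merged[key[len("skip-"):]] = "off"
        else:
            merged[key] = value
    return merged


def verify_server_cert(fs: Dict[str, str], home: str, argv: Sequence[str] = ()) -> bool:
    """Effective ssl-verify-server-cert for a client run with this home and argv."""
    return _to_bool(effective_options(fs, home, argv).get("ssl-verify-server-cert", "off"))


if __name__ == "__main__":
    scenarios = [
        ("sudo mysql (root, local socket)", "/root", []),
        ("mysql -h remotehost.example.com as jake", "/home/jake", ["-h", "remotehost.example.com"]),
        ("mysql -h remotehost.example.com as root", "/root", ["-h", "remotehost.example.com"]),
        ("sudo mysql --ssl-verify-server-cert=false (no ~root/.my.cnf override needed)",
         "/home/jake", ["--ssl-verify-server-cert=false"]),
    ]
    for label, home, argv in scenarios:
        print(f"{label}: verify={verify_server_cert(SAMPLE_FS, home, argv)}")
```

Running it shows verification on for jake's remote connection, off for `sudo mysql`, and also off for root's remote connection once /root/.my.cnf carries the override; if root ever needs to reach the remote server, the per-invocation flag (or a separate --defaults-file for that use) is the safer of the two workarounds.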

Generated at Thu Feb 08 09:10:41 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.