[MDEV-23747] socket.ssl_ca argument being ignored. Created: 2020-09-17 Updated: 2022-02-19 Resolved: 2022-02-19 |
|
| Status: | Closed |
| Project: | MariaDB Server |
| Component/s: | Galera, SSL |
| Affects Version/s: | 10.4.14 |
| Fix Version/s: | 10.2.42, 10.3.33, 10.4.23, 10.5.14, 10.6.6, 10.7.2, 10.8.1 |
| Type: | Bug | Priority: | Major |
| Reporter: | Zephaniah Loss-Cutler-Hull | Assignee: | Julius Goryavsky |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Issue Links: |
|
||||||||||||
| Description |
|
In galerautils/src/gu_asio.cpp, function gu::ssl_prepare_context, you have the following bit of code: param = conf::ssl_key; If you note, the load_verify_file call is not actually using the ssl_ca configuration setting, instead it is using the ssl_cert configuration setting again. This means that the only configuration that will work is one where your SSL certificate file contains the issuing CA (and any intermediate certificates due to the use of use_certificate_file instead of use_certificate_chain_file). The most common working configuration is likely one where you have a single self-signed certificate that you copy to all of your servers, which is what the basic guides suggest, but which is... A great distance from any best practices surrounding SSL certificates. If the use_certificate_file call could be updated to use_certificate_chain_file at the same time that would be very, very helpful. |
| Comments |
| Comment by Zephaniah Loss-Cutler-Hull [ 2020-09-17 ] |
|
So, with apologies, I completely misread the code around conf.get with two arguments, and had an unrelated issue keeping things from working. The use_certificate_file vs use_certificate_chain file issue is still a problem, but a much lesser problem. |
| Comment by Julius Goryavsky [ 2022-02-19 ] |
|
There were also problems with the handling of the ssl-ca and ssl-capath parameters, which were finally resolved after merging |