[MDEV-27681] Broken certificate validation: rsync and mariabackup SSTs fails to extract CN properly Created: 2022-01-30  Updated: 2023-03-03

Status: Open
Project: MariaDB Server
Component/s: Galera SST
Affects Version/s: 10.5.13, 10.6.5
Fix Version/s: 10.5, 10.6

Type: Bug Priority: Major
Reporter: Michal Kozlowski Assignee: Julius Goryavsky
Resolution: Unresolved Votes: 0
Labels: None
Environment:

Debian 11 / 5.10.0-11-amd64
Ubuntu 20.04 / 5.15.1

Description

For the rsync method, the configuration passed to stunnel is

verifyChain = yes
checkHost = CN

For mariabackup:

Jan 30 00:10:24 host01.domain.com -wsrep-sst-donor[26004]: Evaluating '/usr//bin/mbstream' -c 'xtrabackup_galera_info' | socat -u stdio openssl-connect:host02.domain.com:4444,cert='/etc/mysql/ssl/cert.pem',key='/etc/mysql/ssl/key.pem',cafile='/etc/mysql/ssl/ca.pem',commonname='CN '; RC=( ${PIPESTATUS[@]} )

After investigation I found that the output returned by `openssl -subject` is

subject=CN = host01.domain.com

both for Let's Encrypt issued certificates and for ones generated with easyrsa with EASYRSA_DN=cn_only (default),
but the extraction code in the wsrep scripts assumes that there will be a comma-separated list

CN=$("$OPENSSL_BINARY" x509 -noout -subject -in "$tpem" | \
                 tr "," "\n" | grep -F 'CN =' | cut -d= -f2 | sed s/^\ // | \
                 sed s/\ %//)

so after `tr` it is still `subject=CN = hostname`

The simplest workaround that comes to my mind is to replace the `tr|grep` part with `grep -Eo 'CN =[^,$]+'`
or, since the scripts are written in bash anyway, why not use the built-in bash magic:

root@host01:~# if [[ `openssl x509 -in /etc/mysql/ssl/cert.pem -noout -subject` =~ CN\ ?=([^,$]+) ]] ; then echo "${BASH_REMATCH[1]}"  ; fi
 host01.domain.com
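As an added example (not code from MariaDB's wsrep-sst scripts), the extraction pipeline quoted above is placed next to a version that accepts the subject formats OpenSSL prints; the subject lines it is run over are constructed samples, not real certificates.

```shell
#!/bin/sh
# Added example, not code from MariaDB's wsrep-sst scripts. It contrasts the
# extraction pipeline quoted in the report with a version that accepts the
# subject formats OpenSSL actually prints. All subject lines are constructed.

# The pipeline from the report (assumed to be the wsrep script's logic), fed a
# subject line instead of a certificate file. With a single-RDN subject there
# is no comma for tr to split on, so cut picks the "CN " field, not the value.
buggy_cn() {
    printf '%s\n' "$1" | tr "," "\n" | grep -F 'CN =' | cut -d= -f2 | \
        sed 's/^ //' | sed 's/ %//'
}

# Fixed extraction: strip the "subject=" prefix, split on the RDN separator
# used by both OpenSSL 1.1+ (", ") and 1.0 ("/"), then keep only the CN value
# with any spaces around "=" removed. A CN containing an escaped "," or "/"
# is not handled; hostname checks are better left to OpenSSL/stunnel itself.
fixed_cn() {
    printf '%s\n' "$1" | sed 's/^subject= *//' | tr ',/' '\n\n' | \
        sed -n 's/^ *CN *= *//p' | sed 's/ *$//' | head -n 1
}

# Constructed sample subjects covering the cases discussed in the report.
SINGLE_RDN='subject=CN = host01.domain.com'
MULTI_RDN='subject=C = US, O = Example Org, CN = host02.domain.com'
LEGACY='subject= /C=US/O=Example Org/CN=host03.domain.com'

for s in "$SINGLE_RDN" "$MULTI_RDN" "$LEGACY"; do
    printf 'input : %s\nbuggy : [%s]\nfixed : [%s]\n\n' \
        "$s" "$(buggy_cn "$s")" "$(fixed_cn "$s")"
done
```

The single-RDN case reproduces the `commonname='CN '` seen in the donor log above; the multi-RDN case is the only one the original pipeline gets right.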


Generated at Thu Feb 08 09:54:46 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.