[MDEV-27989] No TLS error for clients when extended key usage does not match Created: 2022-03-03  Updated: 2022-04-11

Status: Open
Project: MariaDB Server
Component/s: Scripts & Clients
Affects Version/s: 10.6.7
Fix Version/s: 10.6

Type: Bug Priority: Major
Reporter: markus makela Assignee: Georg Richter
Resolution: Unresolved Votes: 0
Labels: None
Environment:

Fedora 35, native 10.6.7 client with server 10.6.7 in docker

Attachments: File ca-key.pem     File ca.pem     File client-cert.pem     File client-key.pem     File mdb-cert.pem     File mdb-key.pem     File server-cert.pem     File server-key.pem    
Issue Links:
Relates
relates to CONC-587 TLS: alerts after handshake not handl... Closed

 Description   

Connecting with certificates that have the wrong extended key usage attributes (serverAuth instead of clientAuth) produces no error message on the client or the database.

[markusjm@monolith ssl-certs]$ mysql -u maxuser -pmaxpwd -h 127.0.0.1 -D test --ssl --ssl-key=client-key.pem --ssl-cert=client-cert.pem --ssl-ca=ca.pem -P 3000 -e "select 1"
 
+---+
 
| 1 |
 
+---+
 
| 1 |
 
+---+
 
[markusjm@monolith ssl-certs]$ mysql -u maxuser -pmaxpwd -h 127.0.0.1 -D test --ssl --ssl-key=server-key.pem --ssl-cert=server-cert.pem --ssl-ca=ca.pem -P 3000 -e "select 1"
 
ERROR 2013 (HY000): Lost connection to server at 'reading authorization packet', system error: 0

The only thing that the server logs is this:

2022-03-03  7:21:59 8 [Warning] Aborted connection 8 to db: 'unconnected' user: 'unauthenticated' host: '127.0.0.1' (This connection closed normally without authentication)

However, if I use the wrong certificate on the server, I get the following error message regardless of the type:

[markusjm@monolith ssl-certs]$ mysql -u maxuser -pmaxpwd -h 127.0.0.1 -D test --ssl --ssl-key=client-key.pem --ssl-cert=client-cert.pem --ssl-ca=ca.pem -P 3000 -e "select 1"
 
ERROR 2026 (HY000): SSL connection error: unsupported certificate purpose
 
[markusjm@monolith ssl-certs]$ mysql -u maxuser -pmaxpwd -h 127.0.0.1 -D test --ssl --ssl-key=server-key.pem --ssl-cert=server-cert.pem --ssl-ca=ca.pem -P 3000 -e "select 1"
 
ERROR 2026 (HY000): SSL connection error: unsupported certificate purpose

The client-cert.pem certificate has:

        X509v3 extensions:
 
            X509v3 Basic Constraints: 
                CA:FALSE
 
            Netscape Cert Type: 
                SSL Client, S/MIME
 
            Netscape Comment: 
                OpenSSL Generated Client Certificate
 
            X509v3 Subject Key Identifier: 
                5D:97:20:0B:30:A6:96:FD:89:C8:AB:92:57:9B:7B:B5:89:06:A8:D0
 
            X509v3 Authority Key Identifier: 
                DirName:/C=FI/L=Default City/O=Default Company Ltd/CN=localhost
 
                serial:56:EA:28:16:63:2F:A1:F9:E3:1F:83:23:13:96:19:44:8B:E1:A9:88
 
 
 
            X509v3 Key Usage: critical
 
                Digital Signature, Non Repudiation, Key Encipherment
 
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, E-mail Protection
 
            X509v3 Subject Alternative Name: 
                DNS:localhost

The server-cert.pem certificate has:

        X509v3 extensions:
 
            X509v3 Basic Constraints: 
                CA:FALSE
 
            Netscape Cert Type: 
                SSL Server
 
            Netscape Comment: 
                OpenSSL Generated Server Certificate
 
            X509v3 Subject Key Identifier: 
                48:CB:85:39:83:05:43:34:8D:D4:78:0B:20:4B:2B:0E:B8:71:E0:4A
 
            X509v3 Authority Key Identifier: 
                DirName:/C=FI/L=Default City/O=Default Company Ltd/CN=localhost
 
                serial:56:EA:28:16:63:2F:A1:F9:E3:1F:83:23:13:96:19:44:8B:E1:A9:88
 
 
 
            X509v3 Key Usage: critical
 
                Digital Signature, Key Encipherment
 
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
 
            X509v3 Subject Alternative Name: 
                DNS:localhost

The certificate MariaDB is configured with has:

        X509v3 extensions:
 
            X509v3 Basic Constraints: 
                CA:FALSE
 
            Netscape Cert Type: 
                SSL Server
 
            Netscape Comment: 
                OpenSSL Generated Server Certificate
 
            X509v3 Subject Key Identifier: 
                FC:7F:37:42:8F:10:AC:E1:7D:15:8F:16:93:AF:7B:83:81:9B:60:C1
 
            X509v3 Authority Key Identifier: 
                DirName:/C=FI/L=Default City/O=Default Company Ltd/CN=localhost
 
                serial:56:EA:28:16:63:2F:A1:F9:E3:1F:83:23:13:96:19:44:8B:E1:A9:88
 
 
 
            X509v3 Key Usage: critical
 
                Digital Signature, Key Encipherment
 
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
 
            X509v3 Subject Alternative Name: 
                DNS:localhost

Grants for the user:

MariaDB [test]> show grants;
 
+-------------------------------------------------------------------------------------------------------------------------------------------+
 
| Grants for maxuser@127.0.0.1                                                                                                              |
 
+-------------------------------------------------------------------------------------------------------------------------------------------+
 
| GRANT ALL PRIVILEGES ON *.* TO `maxuser`@`127.0.0.1` IDENTIFIED BY PASSWORD '*5EDBD32E469DAE0CE10E6999C3899DEFCB9F12E0' WITH GRANT OPTION |
 
+-------------------------------------------------------------------------------------------------------------------------------------------+
 
1 row in set (0.000 sec)



 Comments   
Comment by markus makela [ 2022-03-07 ]

Attached certs and keys of the CA, client, server and MariaDB.

Comment by Georg Richter [ 2022-03-12 ]

Some observations:

  • The error is only reproducable with OpenSSL (server) and TLS version 1.3
  • TLS version 1.1 and 1.2: error "SSL connection error: fatal alert received: CA is unknown" (GnuTLS) or "SSL connection error: self signed certificate in certificate chain" (OpenSSL) will be returned
  • Client with OpenSSL returns system error 0, with GnuTLS system error 11 (resource temporary unavailable)
  • WolfSSL (server) doesn't show any error and allows to connect
Generated at Thu Feb 08 09:57:12 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.