[MDEV-29811] server advertises ssl even if it's unusable Created: 2022-10-17  Updated: 2023-11-23  Resolved: 2022-10-25

Status: Closed
Project: MariaDB Server
Component/s: Server, SSL
Affects Version/s: 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10
Fix Version/s: 10.3.37, 10.4.27, 10.5.18, 10.6.11, 10.7.7, 10.8.6, 10.9.4, 10.10.2, 10.11.1

Type: Bug Priority: Critical
Reporter: Sergei Golubchik Assignee: Vladislav Vaintroub
Resolution: Fixed Votes: 0
Labels: None

Attachments: File config-file.cnf     File docker-compose.yml    
Issue Links:
Problem/Incident
causes MDEV-30270 ssl_cipher on Non-SSL system results ... Open
causes MDEV-30818 invalid ssl prevents bootstrap Closed

 Description   

if the server is started with --ssl but without properly configured certificates, it will advertise the ssl support in the handshake, but will not actually be able to use it. so a client with --ssl will fail to connect with the ssl error (e.g. "sslv3 alert handshake failure" in OpenSSL).

I think the server should not start if it was requested to use ssl, but it cannot actually do it.

 Comments   
Comment by Oleksandr Byelkin [ 2022-10-25 ]

OK to push

Comment by Ulf Hofemeier [ 2023-01-19 ]

What constitutes properly configured SSL certs? I have attached the config, docker-compose.yml and file system persmissions including a check on the certs that I created and so far I haven't been able to bring up the server with ssl support. Please help. Thanks docker-compose.yml

config-file.cnf

root@93aa8e176fec:/# ls -la /run |grep secrets
drwxr-xr-x 2 root root 4096 Jan 19 17:32 secrets
root@93aa8e176fec:/# ls -la /run/secrets/
total 28
drwxr-xr-x 2 root root 4096 Jan 19 17:32 .
drwxr-xr-x 1 root root 4096 Jan 19 17:32 ..
r------- 1 1000 1000 2122 Jan 19 02:05 ca-cert.pem
r------- 1 1000 1000 16 Jan 19 02:05 db_password.txt
r------- 1 1000 1000 2029 Jan 19 02:05 server-cert.pem
r------- 1 1000 1000 1704 Jan 19 02:05 server-key.pem
root@93aa8e176fec:/#

~/git/pri-fidoiot/component-samples/demo/db/secrets$ openssl verify -CAfile ca-cert.pem server-cert.pem api-user.pem
server-cert.pem: OK
api-user.pem: OK

The error message I'm getting when mariadbd is launched is:
db_1 | 2023-01-19 17:37:14 0 [ERROR] Failed to setup SSL
db_1 | 2023-01-19 17:37:14 0 [ERROR] SSL error: SSL_CTX_set_default_verify_paths failed
db_1 | 2023-01-19 17:37:14 0 [ERROR] Aborting

Comment by Faustin Lammler [ 2023-01-20 ]

Hi uhofemeier!
This is probably not the best place to ask for help since only people subscribed to this issue will receive your questions (that's 5 person currently).
Also, jira.mariadb.org is normally used to report issue and it does not seem to be the case here (probably a mis-configuration).

So, in the future, I encourage you to ask for help via Zulip or via the Mailing list:

See also https://mariadb.org/contribute/#entry-header

My best guess from the error above is that there is a PATH problem with your certificates, if you log into the mariadb container (probably something like `docker exec -it db bash`, can you make sure that certs PATH are correct and that the user that runs mysql can access them (probably mysql)?

Generated at Thu Feb 08 10:11:28 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.