[MDEV-32210] Ephemeral certificate missing DN
Created: 2023-09-20  Updated: 2023-11-21  Resolved: 2023-11-21

Status: Closed
Project: MariaDB Server
Component/s: SSL
Affects Version/s: 11.3.0
Fix Version/s: N/A

Type: Bug
Priority: Critical
Reporter: Diego Dupin
Assignee: Sergei Golubchik
Resolution: Fixed
Votes: 0
Labels: None

Issue Links:
Problem/Incident
is caused by MDEV-31856 use ephemeral ssl certificates Closed
Relates
relates to MDEV-31855 validate ssl certificates using clien... Closed

 Description   

Since MDEV-31855, ephemeral certificates can be issued by the server.
The issue is that the DN is empty, and that isn't permitted according to RFC 5280:

The issuer field identifies the entity that has signed and issued the
certificate. The issuer field MUST contain a non-empty distinguished
name (DN).

Another problem is that Java doesn't permit an empty DN in certificates. The resulting certificate parsing throws an error:

Caused by: java.security.cert.CertificateParsingException: Empty issuer DN not allowed in X509Certificates
	at java.base/sun.security.x509.X509CertInfo.parse(X509CertInfo.java:656)
	at java.base/sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169)
	at java.base/sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1819)



 Comments   
Comment by Sergei Golubchik [ 2023-09-22 ]

thanks! pushed into bb-11.3-serg

Generated at Thu Feb 08 10:29:40 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.