[MDEV-5198] SSL connection inconsistency between Linux and Windows XP Created: 2013-10-27  Updated: 2014-01-08  Due: 2013-12-30  Resolved: 2014-01-08

Status: Closed
Project: MariaDB Server
Component/s: None
Affects Version/s: 5.5.33a
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Clif Cox (Inactive) Assignee: Elena Stepanova
Resolution: Incomplete Votes: 0
Labels: Client, SSL, Windows
Environment:

Linux 3.5.2 and Windows XP


 Description   

Summery, you can connect to the server from a linux box with the CA public key but not from an XP box using the same Certs.

I generated these certs with TinyCA and exported the client and server certs with both the cert and key in one file. These files end with both.pem. The seperate cert and key files end with cert.pem, and key.pem respectivly.

The Server set up:

mysqld -V
 
mysqld  Ver 5.5.33a-MariaDB-1~squeeze-log for debian-linux-gnu on i686 (mariadb.org binary distribution)

my.cnf Excerpt:

# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
 
#
 
# ssl
 
ssl-ca=/etc/mysql/ssl/CA-cert.pem
 
ssl-cert=/etc/mysql/ssl/mysqld.something.else-both.pem

If you verify the keys with openssl they are fine:

openssl verify -CAfile CA-cert.pem client-cert.pem mysqld.something.else-both.pem
 
client-cert.pem: OK
 
mysqld.something.else-both.pem: OK

In another bug report you ask for examples of it not working when it passes this test; Here ya go.

On the linux client machine everything just works:

mysql -V
 
mysql  Ver 15.1 Distrib 5.5.33a-MariaDB, for debian-linux-gnu (i686) using readline 5.1
 
 
 
mysql -h eugeneweb.com --ssl-ca=CA-cert.pem --ssl-cert=client-both.pem
 
 
 
mysql -h eugeneweb.com --ssl-ca=CA-cert.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem
 
 
 
mysql -h eugeneweb.com --ssl-ca=CA-cert.pem
 
 
 
mysql -h eugeneweb.com --ssl-cert=client-both.pem
 
 
 
mysql -h eugeneweb.com --ssl-cert=client-cert.pem --ssl-key=client-key.pem

All these connections were tested for SSL like so:

MariaDB [(none)]> show status like 'Ssl_cipher';
 
+---------------+--------------------+
 
| Variable_name | Value              |
 
+---------------+--------------------+
 
| Ssl_cipher    | DHE-RSA-AES256-SHA |
 
+---------------+--------------------+
 
1 row in set (0.03 sec)

Windows XP:

Windows does not work as expected, unless you expect it not to work. 

mysql -V
 
MYSQL  Ver 15.1 Distrib 5.5.33a-MariaDB, for Win32 (x86)
 
 
 
mysql -h eugeneweb.com --ssl-ca=CA-cert.pem --ssl-cert=client-both.pem
 
ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation
 
 
 
mysql -h eugeneweb.com --ssl-ca=CA-cert.pem
 
ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation
 
 
 
mysql -h eugeneweb.com --ssl-cert=client-both.pem

Works.

mysql -h eugeneweb.com --ssl-cert=client-cert.pem --ssl-key=client-key.pem

Works

mysql -h eugeneweb.com --ssl-ca=CA-cert.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem
 
ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation

Thanks for any light you can shed on this.

Clif

 Comments   
Comment by Elena Stepanova [ 2013-12-02 ]

Hi,

I tried to re-create the whole thing as close as possible, including XP, 32 bit, Tinyca and all that, only I have Wheezy instead of Squeeze (don't think it should be important); but I wasn't able to reproduce the problem you describe. Everything connects all right for me:

C:_Home\tmp>"c:\Program Files\MariaDB 5.5\bin\mysql" -V
c:\Program Files\MariaDB 5.5\bin\mysql Ver 15.1 Distrib 5.5.33a-MariaDB, for Win32 (x86)

C:_Home\tmp>"c:\Program Files\MariaDB 5.5\bin\mysql" --ssl-cert=client-cert.pem --ssl-key=client-key2.pem --ssl-ca=CA-cert.pem --host=192.168.100.10 -utest
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 33
Server version: 5.5.33a-MariaDB-1~wheezy mariadb.org binary distribution

Copyright (c) 2000, 2013, Oracle, Monty Program Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show status like 'ssl_cipher';
---------------------------------+

Variable_name Value

---------------------------------+

Ssl_cipher DHE-RSA-AES256-SHA

---------------------------------+
1 row in set (0.02 sec)

However, I can easily get the very same error if I provide a wrong path to the CA file:

C:_Home\tmp>"c:\Program Files\MariaDB 5.5\bin\mysql" --ssl-cert=client-cert.pem --ssl-key=client-key2.pem --ssl-ca=non-existing-ca.pem --host=192.168.100.10 -utest
ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation

So, as obvious as it sounds, could you please double-check that the file you pass in ssl-ca option indeed exists on the Windows machine, and is not corrupted. If everything is in place and you still get the error, please either provide the exact instructions, step-by-step, on how you create the certs with Tinyca, including the data to fill in the forms (of course if it's private it needs to be obfuscated); or please attach the set of certs that causes the problem (again, with obfuscated data if necessary).

Thanks.

Comment by Elena Stepanova [ 2014-01-08 ]

Closing for now as incomplete, if you have more information to reply to the previous comment, please do so, and we will re-open the report.

Generated at Thu Feb 08 07:02:26 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.