[MXS-4450] 6.4 no longer provides full certificate chain in TLS HELLO Created: 2022-12-14  Updated: 2023-03-01  Resolved: 2022-12-14

Status: Closed
Project: MariaDB MaxScale
Component/s: Core
Affects Version/s: 6.4.3
Fix Version/s: 2.5.24, 6.4.5, 22.08.4

Type: Bug Priority: Major
Reporter: Hartmut Holzgraefe Assignee: markus makela
Resolution: Fixed Votes: 0
Labels: None

Attachments: File certs.tar.gz
Issue Links:
Duplicate
is duplicated by MXS-4455 wireshark doesn't show full chain of ... Closed
Relates

Description

Scenario:

  • TLS setup with a root CA certificate, an intermediate CA, and actual certificates signed by the intermediate
  • ca-bundle-cert.pem file contains both the intermediate and the root CA
  • same OS and openSSL version, same certificate files, same mariadb and maxscale configuration, only maxscale version differs
  • Maxscale listener configured using

[Read-Write-Listener]
type=listener
service=Read-Write-Service
protocol=MariaDBClient
port=4006
ssl=true
ssl_ca_cert=/vagrant/files/ssl/ca-bundle-cert.pem
ssl_cert=/vagrant/files/ssl/maxscale-cert.pem
ssl_key=/vagrant/files/ssl/maxscale-key.pem

Testing TLS connect dialog with

openssl s_client -starttls mysql --connect=127.0.0.1:4006 --CAfile=/vagrant/files/ssl/ca-bundle-cert.pem 

With 6.2.1 it correctly shows the certificate chain:

depth=2 C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-root.example.org
verify return:1
depth=1 C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-intermediate.example.org
verify return:1
depth=0 C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = client.example.org
verify return:1
---
Certificate chain
 0 s:C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = client.example.org
   i:C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-intermediate.example.org
 1 s:C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-intermediate.example.org
   i:C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-root.example.org
 2 s:C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-root.example.org
   i:C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-root.example.org
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]

With 6.4.3 on the other hand the "Certificate chain" section only shows the maxscale certificate and not the full certification chain:

CONNECTED(00000005)
depth=2 C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-root.example.org
verify return:1
depth=1 C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-intermediate.example.org
verify return:1
depth=0 C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = client.example.org
verify return:1
---
Certificate chain
 0 s:C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = client.example.org
   i:C = DE, ST = NRW, L = Bielefeld, O = MariaDB, OU = Support, emailAddress = hartmut@mariadb.com, CN = ca-intermediate.example.org
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
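As an added example (not part of this issue or of MaxScale's own code), the following Python script parses the "Certificate chain" section of openssl s_client output and reports which issuers the server references but never sends. The two sample inputs are constructed from the 6.2.1 and 6.4.3 outputs above, with the subject names shortened to their CN; the function names are my own. The point it illustrates is that "verify return:1" alone does not prove the server presents a complete chain: in the report both runs verify because the bundle passed via --CAfile already contains the intermediate, so a client that trusts only the root CA would fail against the 6.4.3 listener while this client does not.

```python
import re
from typing import Dict, List

# Constructed sample: "Certificate chain" section as printed by
# `openssl s_client` against the 6.2.1 listener (leaf, intermediate, root).
FULL_CHAIN_OUTPUT = """\
---
Certificate chain
 0 s:C = DE, O = MariaDB, CN = client.example.org
   i:C = DE, O = MariaDB, CN = ca-intermediate.example.org
 1 s:C = DE, O = MariaDB, CN = ca-intermediate.example.org
   i:C = DE, O = MariaDB, CN = ca-root.example.org
 2 s:C = DE, O = MariaDB, CN = ca-root.example.org
   i:C = DE, O = MariaDB, CN = ca-root.example.org
---
Server certificate
-----BEGIN CERTIFICATE-----
"""

# Constructed sample: the same section against the 6.4.3 listener (leaf only).
LEAF_ONLY_OUTPUT = """\
---
Certificate chain
 0 s:C = DE, O = MariaDB, CN = client.example.org
   i:C = DE, O = MariaDB, CN = ca-intermediate.example.org
---
Server certificate
-----BEGIN CERTIFICATE-----
"""

# " N s:<subject>" starts a chain entry, "   i:<issuer>" completes it.
CHAIN_LINE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_LINE = re.compile(r"^\s+i:(.*)$")


def parse_chain(output: str) -> List[Dict[str, str]]:
    """Return the certificates the server presented, in wire order,
    as [{'subject': ..., 'issuer': ...}, ...]."""
    certs: List[Dict[str, str]] = []
    in_section = False
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("---"):
            break  # end of the chain section
        m = CHAIN_LINE.match(line)
        if m:
            certs.append({"subject": m.group(2).strip(), "issuer": ""})
            continue
        m = ISSUER_LINE.match(line)
        if m and certs:
            certs[-1]["issuer"] = m.group(1).strip()
    return certs


def chain_gaps(certs: List[Dict[str, str]]) -> List[str]:
    """Return issuer names the server references but does not send.

    A client that trusts only the root CA must receive every intermediate
    from the server; each gap is a certificate the client would have to
    already hold locally for verification to succeed."""
    gaps = []
    for i, cert in enumerate(certs):
        if cert["subject"] == cert["issuer"]:
            continue  # self-signed root terminates the chain
        following = certs[i + 1]["subject"] if i + 1 < len(certs) else None
        if following != cert["issuer"]:
            gaps.append(cert["issuer"])
    return gaps


def chain_is_complete(output: str) -> bool:
    """True when every non-root certificate is followed by its issuer."""
    certs = parse_chain(output)
    return bool(certs) and not chain_gaps(certs)


if __name__ == "__main__":
    for label, sample in (("6.2.1", FULL_CHAIN_OUTPUT), ("6.4.3", LEAF_ONLY_OUTPUT)):
        missing = chain_gaps(parse_chain(sample))
        print(f"{label}: complete={not missing} missing={missing}")
```

To run it against a live listener, feed the script the text from the reporter's command (for instance `openssl s_client -starttls mysql -connect 127.0.0.1:4006 -CAfile /vagrant/files/ssl/ca-bundle-cert.pem </dev/null`) instead of the constructed samples. A listener that passes this check also works for clients whose trust store holds only the root CA, which is the situation the missing intermediate breaks.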


Generated at Thu Feb 08 04:28:44 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.