[MXS-4591] change tls-verify-server-cert default to false
Created: 2023-04-20 Updated: 2023-11-07

| Status: | Open |
| Project: | MariaDB MaxScale |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 23.08 |
| Type: | Bug | Priority: | Major |
| Reporter: | Hartmut Holzgraefe | Assignee: | Unassigned |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | None |
| Description |

To be consistent with the mariadb%/mysql% command line tools, I'd suggest changing the default for certificate host name verification to "false" instead of "true", as with all our other tools it is an option that needs to be enabled explicitly.
| Comments |
| Comment by Hartmut Holzgraefe [ 2023-04-20 ] |

I just learned that the MaxScale tls-verify-server-cert is not the same as the ssl-verify-server-cert option of the server command line tools. Server tools always check the CA chain and whether the current datetime is between the "valid from" and "valid until" timestamps; the ssl-verify-server-cert option only activates the extra server name verification step, where the server name the client connected to is checked against the SAN (Server Alternative Names) list in the certificate returned by the server, or against the CN (Common Name) entry in the certificate Subject field in the absence of the x509 v3 SAN extension.
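
The name-verification step described in the comment above, as an added Python example (not part of the ticket, and not MaxScale or MariaDB client code). It assumes the certificate has already passed the CA-chain and validity-period checks and is given in the dict layout of Python's `ssl.SSLSocket.getpeercert()`; the certificates, host names and the single-label wildcard rule are constructed assumptions.

```python
# Added illustration of the extra server-name check only. Chain and
# validity-period verification are assumed to have succeeded already.

def _dns_match(pattern, host):
    """Compare one name from the certificate with the host the client used."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        # Assumption: a wildcard covers exactly one leftmost label.
        head, _, rest = h.partition(".")
        return bool(head) and rest == p[2:]
    return p == h


def name_matches(cert, host):
    """True if `host` is covered by the SAN list, or by the Subject CN
    when the certificate has no SAN extension at all."""
    if "subjectAltName" in cert:
        # SAN present: the CN is ignored, even if it would have matched.
        return any(kind == "DNS" and _dns_match(value, host)
                   for kind, value in cert["subjectAltName"])
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_match(value, host):
                return True
    return False


# Constructed sample certificates (getpeercert() layout).
CERT_WITH_SAN = {
    "subject": ((("commonName", "db1.example.com"),),),
    "subjectAltName": (("DNS", "db1.example.com"),
                       ("DNS", "*.replica.example.com")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "db2.example.com"),),)}
CERT_SAN_OVERRIDES_CN = {
    "subject": ((("commonName", "db3.example.com"),),),
    "subjectAltName": (("DNS", "other.example.com"),),
}
```

A certificate that is valid for the chain and date checks still fails this step when the client connects by an address or alias that is not listed in it, which is the practical difference between the two checks.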