Your message dated Thu, 25 Oct 2018 17:44:05 -0300
with message-id <20181025204405.GA8368@falared>
and subject line Re: [debian-mysql] Bug#904223: Bug#904223:
mariadb-client-core-10.1: yaSSL certificate validation does not check X509
subject alternative name (ERROR 2026)
has caused the Debian Bug report #904223,
regarding mariadb-client-core-10.1: yaSSL certificate validation does not check
X509 subject alternative name (ERROR 2026)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
904223: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904223
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mariadb-client-core-10.1
Version: 1:10.1.29-6+b1
Severity: normal
Dear Maintainer,

I have encountered a problem with certificate validation in the mariadb
client (and library).

    $ mysql exampledb -h example.com --ssl-verify-server-cert=true --ssl \
    --ssl-ca /tmp/ca_cert.pem
    ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure

This is a known issue:
https://jira.mariadb.org/browse/MDEV-10594

It was fixed, but only for OpenSSL builds. Debian builds default to
using the built-in yaSSL library, which is missing support for X509
subject alternative name validation.

I understand that building with OpenSSL is problematic due to
licensing issues:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787118

Is there any reasonable workaround for this situation?

My original discovery is documented here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892514

Thanks,
Corey
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.17.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages mariadb-client-core-10.1 depends on:
ii libaio1 0.3.111-1
ii libc6 2.27-5
ii libncurses6 6.1+20180714-1
ii libpcre3 2:8.39-10
ii libreadline5 5.2+dfsg-3+b2
ii libstdc++6 8.1.0-12
ii libtinfo6 6.1+20180714-1
ii mariadb-common 1:10.1.29-6
ii zlib1g 1:1.2.11.dfsg-1
mariadb-client-core-10.1 recommends no packages.
mariadb-client-core-10.1 suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
I am closing this as it is not a bug but a licence consideration and a
YaSSL limitation.
To resume, the MariaDB Debian package is built against YaSSL, and YaSSL does
not support Subject Alternative Name verification.
Regards,
Faustin
--- End Message ---
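
The validation gap discussed in this thread, as an added example that is not part of the original messages and is not MariaDB or yaSSL code: a verifier that compares the host name only to the subject CN rejects a certificate that carries the name solely in subjectAltName, while a SAN-aware verifier accepts it. Assumptions: the certificates are constructed samples in the dict shape returned by Python's ssl.SSLSocket.getpeercert(), and the function names and the CN-only model of a library without SAN support are hypothetical.

```python
# Constructed sample certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(); all names are illustrative only.
CERT_SAN_ONLY = {
    "subject": ((("commonName", "db-backend-01"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.db.example.com")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "example.com"),),)}


def common_names(cert):
    """Return every commonName value in the certificate subject."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def dns_match(pattern, host):
    """Case-insensitive match; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad patterns such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def verify_cn_only(cert, host):
    """Hypothetical model of a verifier without SAN support: CN is all it sees."""
    return any(dns_match(cn, host) for cn in common_names(cert))


def verify_san_aware(cert, host):
    """dNSName SAN entries take precedence; CN is consulted only if none exist."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return any(dns_match(s, host) for s in sans)
    return verify_cn_only(cert, host)


if __name__ == "__main__":
    for name, cert in (("SAN-only", CERT_SAN_ONLY), ("CN-only", CERT_CN_ONLY)):
        print(name,
              "cn_only:", verify_cn_only(cert, "example.com"),
              "san_aware:", verify_san_aware(cert, "example.com"))
```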