Re: ssl_verify_server_cert against SAN?

Thu, 18 Apr 2019 03:26:04 -0700

Kostya,

they have already a bug open on this as I saw now
https://jira.mariadb.org/browse/MDEV-18131
and I also filed a bug on the TLS cipher string issue from yesterday.
Depending on when this will be resolved I will have to consider alternatives anyway, yes

Thanks for the hints!

-- T

On 18/04/2019 12:15, Kostya Vasilyev via dovecot wrote:
Have you considered any alternatives?

I'm thinking of IPSec to create a secured network encapsulation channel(s) "above" the TCP connection(s).

This would provide encryption with control over cipher(s), and cert validation on both sides (if you used cert auth, not PSK).

-- K


On Thu, Apr 18, 2019, at 12:15 PM, TG Servers via dovecot wrote:
Ok then it seems again a MariaDB issue, they don't check against IP in the SAN it seems, this has nothing to do with ssl_ca setting it seems

host=<ip> port=<port> dbname=<db> user=<user> ssl_verify_server_cert=yes ssl_cipher=TLSv1.2 ssl_ca=/etc/ssl/certs/ca-bundle.crt password=<pwd>
brings up this
Connect failed to database (vmail): SSL connection error: SSL certificate validation failure

host=<host> port=<port> dbname=<db> user=<user> ssl_verify_server_cert=no ssl_cipher=TLSv1.2 ssl_ca=/etc/ssl/certs/ca-bundle.crt password=<pwd> is working

contents from my.cnf :
ssl_cert="/etc/ssl/certs/mysql.pem"
ssl_key="/etc/ssl/certs/mysql.key"
ssl_ca="/etc/ssl/certs/ca-bundle.crt"
ssl_cipher="TLSv1.2"

and from command line
mysql --ssl --ssl-verify-server-cert --host <ip> brings up
ERROR 2026 (HY000): SSL connection error: Validation of SSL server certificate failed
while
mysql --ssl --ss-verify-server-cert --host <hostname> works

TLS isn't really the domain of MariaDB, they have really a lot of crap going on there, a lot of, sadly...


Thanks


On 18/04/2019 10:52, Aki Tuomi via dovecot wrote:

          

            
On 18 April 2019 11:34 TG Servers via dovecot <dovecot@dovecot.org> wrote:


Hi,
 
 when using ssl_verify_server_cert in mysql connection string, is the cert verified also against SAN (DNS and IP)?
 Because this doesn't seem to work. I get a certification verification error in handshake when connecting via IP. 
 But the cert is good as the connection via IP (and IP in the SAN of the cert) works from other applications verifying.
 
 Thanks.




          

          
Dovecot does consider SAN names too, but for MySQL driver, we use MYSQL_OPT_SSL_VERIFY_SERVER_CERT setting. Then you need to use ssl_ca or ssl_ca_path in the mysql driver config file to point to acceptable CAs.

Aki



        

      

      


      

    

    

  























					Reply via email to