[debian-mysql] Bug#904223: mariadb-client-core-10.1: yaSSL certificate validation does not check X509 subject alternative name (ERROR 2026)
Corey Hickey
bugfood-c at fatooh.org
Sat Jul 21 21:09:31 BST 2018
Package: mariadb-client-core-10.1
Version: 1:10.1.29-6+b1
Severity: normal
Dear Maintainer,
I have encountered a problem with certificate validation in the mariadb
client (and library).
$ mysql exampledb -h example.com --ssl-verify-server-cert=true --ssl \
--ssl-ca /tmp/ca_cert.pem
ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure
This is a known issue:
https://jira.mariadb.org/browse/MDEV-10594
It was fixed, but only for OpenSSL builds. Debian builds default to
using the built-in yaSSL library, which is missing support for X509
subject alternative name validation.
I understand that building with OpenSSL is problematic due to
licensing issues:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787118
Is there any reasonable workaround for this situation?
My original discovery is documented here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892514
Thanks,
Corey
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.17.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages mariadb-client-core-10.1 depends on:
ii  libaio1         0.3.111-1
ii  libc6           2.27-5
ii  libncurses6     6.1+20180714-1
ii  libpcre3        2:8.39-10
ii  libreadline5    5.2+dfsg-3+b2
ii  libstdc++6      8.1.0-12
ii  libtinfo6       6.1+20180714-1
ii  mariadb-common  1:10.1.29-6
ii  zlib1g          1:1.2.11.dfsg-1
mariadb-client-core-10.1 recommends no packages.
mariadb-client-core-10.1 suggests no packages.
-- no debconf information
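
The failure mode reported above, as an added example that is not part of the original report and is not MariaDB or yaSSL code: it compares a verifier that looks only at the subject CN with one that honours subjectAltName, to show which certificates a SAN-unaware client would reject. Assumptions: the SAN-unaware verifier is modelled as an exact CN comparison, and the certificates are constructed dicts in the layout returned by Python's ssl.SSLSocket.getpeercert().

```python
# Added example; sample certificates below are constructed, not real.

def _match(pattern, host):
    """Case-insensitive DNS match; '*' may replace only the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*."):
        head, _, rest = h.partition(".")
        return bool(head) and rest == p[2:] and "." in rest
    return False

def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def dns_sans(cert):
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def cn_only_accepts(cert, host):
    # Assumption: models a verifier without SAN support (exact CN compare only).
    return any(cn == host for cn in common_names(cert))

def san_aware_accepts(cert, host):
    # RFC 6125: when DNS SANs are present they are authoritative; CN is ignored.
    sans = dns_sans(cert)
    if sans:
        return any(_match(s, host) for s in sans)
    return any(_match(cn, host) for cn in common_names(cert))

def diagnose(cert, host):
    cn_ok, san_ok = cn_only_accepts(cert, host), san_aware_accepts(cert, host)
    if san_ok and not cn_ok:
        return "san-only: valid certificate, rejected by a CN-only verifier"
    if cn_ok and san_ok:
        return "ok: accepted by both verifiers"
    if cn_ok:
        return "cn-only: accepted by a CN-only verifier, rejected by a SAN-aware one"
    return "mismatch: certificate does not cover this host"

# Constructed certificates for the three common issuing styles.
SAN_ONLY = {"subject": ((("commonName", "db01.internal"),),),
            "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com"))}
BOTH = {"subject": ((("commonName", "example.com"),),),
        "subjectAltName": (("DNS", "example.com"),)}
LEGACY = {"subject": ((("commonName", "example.com"),),)}  # no SAN extension

if __name__ == "__main__":
    for name, cert in (("SAN_ONLY", SAN_ONLY), ("BOTH", BOTH), ("LEGACY", LEGACY)):
        print(name, "->", diagnose(cert, "example.com"))
```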