Bug#892514: libdbd-mysql-perl: 4.046-1 SSL certificate validation failure

Corey Hickey bugfood-c at fatooh.org
Sat Jul 21 07:24:31 BST 2018


The problem in more detail is that when the server hostname is listed as
a SubjectAltName ("SAN") in the certificate, then validation fails.
Validation only succeeds if the server hostname is in the CN of the
certificate.

This seems likely to be a bug in the underlying mariadb library. I was
unable to find an exact bug report for this, but I did find two similar
ones:

Bug for mysql, not mariadb:
https://bugs.mysql.com/bug.php?id=68052

Supposedly fixed in mariadb 10.1.23, but I am seeing problems in 10.1.29:
https://jira.mariadb.org/browse/MDEV-10594

I was able to reproduce the problem with the command-line mysql client
as provided by mariadb-client-core-10.1:

$ mysql exampledb -h example.com --ssl-verify-server-cert=true --ssl \
--ssl-ca /tmp/ca_cert.pem
ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure


This problem goes away when I upgrade to mariadb-client-core-10.3 from
experimental. Unfortunately, I was unable to do that for
libdbd-mysql-perl, since that requires libmariadbclient18, which is
apparently not provided for mariadb 10.3 in experimental.


$ ldd /usr/lib/x86_64-linux-gnu/perl5/5.26/auto/DBD/mysql/mysql.so
	linux-vdso.so.1 (0x00007ffd9e9f7000)
	libmariadbclient.so.18 => /usr/lib/x86_64-linux-gnu/libmariadbclient.so.18 (0x00007f6bb6452000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f6bb6431000)
	libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f6bb6213000)
	libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f6bb607f000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f6bb607a000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6bb5ebd000)
	libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f6bb5d38000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f6bb6c7b000)
	libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f6bb5d1e000)


Thanks,
Corey
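
An added illustration of the distinction reported above, not part of the original message and not MariaDB's code: a CN-only hostname check next to one that consults SubjectAltName dNSName entries first (the RFC 6125 order), run over constructed certificates in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`. All function names and sample certificates are assumptions made for this example.

```python
# Constructed samples in the dict shape returned by ssl.SSLSocket.getpeercert().
# SAN_ONLY_CERT carries the hostname only as a SubjectAltName; its CN differs.
SAN_ONLY_CERT = {
    "subject": ((("commonName", "db-internal"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.db.example.com")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "example.com"),),)}


def _name_match(pattern, hostname):
    """Case-insensitive match; '*' is accepted only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels so '*.com' never matches.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def dns_sans(cert):
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def verify_cn_only(cert, hostname):
    """Behaviour described in the report: only the CN is compared."""
    return any(_name_match(cn, hostname) for cn in common_names(cert))


def verify_rfc6125(cert, hostname):
    """DNS SANs take precedence; the CN is a fallback only when no DNS SAN exists."""
    names = dns_sans(cert) or common_names(cert)
    return any(_name_match(n, hostname) for n in names)


def diagnose(cert, hostname):
    """Classify a certificate along the line this bug report draws."""
    cn_ok, full_ok = verify_cn_only(cert, hostname), verify_rfc6125(cert, hostname)
    if full_ok and not cn_ok:
        return "san-only: fails on CN-only clients"
    return "ok" if full_ok else "mismatch"
```
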


