database/mariadb-connector-c
1
0
Fork 0
mirror of https://github.com/mariadb-corporation/mariadb-connector-c.git synced 2025-08-08 14:02:17 +03:00
Code Activity
Files
3.4-ci
mariadb-connector-c/unittest/libmariadb/certs/server-key.pem
Georg Richter 1287c901dc TLS/SSL changes (major rework) 
Peer certificate validation:

Since version 3.4 peer certificate verification is enabled by default.
It can be disabled via `mysql_optionsv`, using option
MYSQL_OPT_SSL_VERIFY_SERVER_CERT:

    my_bool verify= 0;
    mysql_options(mariadb, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify);

Self signed certificates

If the client obtained a self signed peer certificate from MariaDB server
the verification will fail, with the following exceptions:

* If the connection between client and server is considered to be secure:, e.g.
  * a unix_socket is used for client server communication
  * hostname is localhost (Windows operating system), 127.0.0.1 or ::1
* a specified fingerprint matches the fingerprint of the peer certificate (see below)
* a client can verify the certificate using account password, it's possible if
  * account has a password
  * authentication plugin is "secure without TLS", that is, one of
    mysql_native_password, ed25519 or parsec.

Fingerprint verification of the peer certificate

A fingerprint is a cryptographic hash (SHA-256, SHA-384 or SHA-512) of the peer
certificate's binary data. Even if the fingerprint matches, an expired or
revoked certificate will not be accepted.

For security reasons support for MD5 and SHA1 has been removed.

Technical details:
==================

- Peer certificate verification call was removed from ma_tls_connect, instead it
  will be called directly after the handshake succeeded (my_auth.c)

- mysql->net.tls_self_signed_error was replaced by mysql->net.tls_verify_status which
  contains the result of the peer certfificate verification:

  The verification status can be obtained with mariadb_get_infov using new parameter
  MARIADB_TLS_VERIFY_STATUS.

  unsigned int tls_verify_status;
  mariadb_get_infov(mysql, MARIADB_TLS_VERIFY_STATUS, &tls_verify_status);

  The result is a combination of the following flags:

  MARIADB_TLS_VERIFY_OK                  0
  MARIADB_TLS_VERIFY_TRUST               1
  MARIADB_TLS_VERIFY_HOST                2
  MARIADB_TLS_VERIFY_PERIOD              4
  MARIADB_TLS_VERIFY_FINGERPRINT         8
  MARIADB_TLS_VERIFY_REVOKED            16
  MARIADB_TLS_VERIFY_UNKNOWN            32

- GnuTLS peer certificate verification callback was removed and replaced by
  gnutls_verify_peers2() api function, so the peer certificate validation
  will happen after handshake.

- OpenSSL implementation will no longer use SSL_verify_result to check the
  validity of the peer certificate. Instead a callback function will be called
  during the handshake, which collects all certificate validation errors.

- If the peer certificate is not trusted, hostname verification will be
  skipped.

- Testing
  Added new test tls, which implements a python based dummy server, which allows
  to set different certificates and TLS options. Please note. that tests are
  expected to fail, since the server doesn't support further steps like user
  authentication etc. after the handshake. Prerequisite for running the tls test
  is Python3.
2024-07-16 13:12:26 +02:00

52 lines
3.2 KiB
Plaintext
Executable File
Raw Permalink Blame History

-----BEGIN RSA PRIVATE KEY-----
MIIJKgIBAAKCAgEAyflGJ2loS1om3R+YD0S6QIPKgsJ6U8y5MPHKPuJt3joRqs7F
kCfm80876a8a7CHXyhQf8ZvLzX5XtMhdbM1aVN2Kmqkn70nTbKyZLdzlwB48BZ/F
BMctgWYhJxbWw+SXU9shpkNQcMsulfvaUlUnGxfvGYPr/6H8YmPqL/5TNebZvAMt
5cIYsSmR5KR5LPEF3dU//7GeZI1gKXRD8D0x53jOnxd05Z/7e2mpRTvodgPGylKF
hFANK5hv/9hBZm059hqjYeKCX9zsypfcstzPqpfvExDq+4+ZkbvZ6GElLWgEry+J
Vg2JkHfgrcIl6zzSTj3Kbq41yPKUegl0045zMOY5/racx00jTrC/kJcpsrMwsrtJ
rkcJ/s0jOgGkrMtTJXSYJyCFaxh0uxy//wXcBnwCeIEelq2PxqINs1yOrdX9r8WN
i58xsU+nHpvNV2jVre1Oe18NDNJHhbRlSyMcW6XsiPpCgHOEy3UFpjnx5qlOFeYv
92EL8wjMpisrZG4EofzaXjStfFS+heTtZHQxMCrtqz7Szcc+3hgEiqe9rVJ0E7Gw
fU1+h3vLgh8pEeEOS0Irg+iIfpKAIOvu2tTdHpxUXGenAF+ht79dwFolKsEefJMy
3RfIAm0aQib2UAFL3yl/cvGQcoCKui+Mhn1WRcUOghbYKQNXh84iHH8xqE8CAwEA
AQKCAgEAtn2LvKqJ+KOhP+R/ETSpEQfDX7h2rObqYWXmtkECwms3cVzYtzLGgwsR
eEimC7tcbZMXdceuMqM4ffkYKOm2970gsjOrCJNs++FLmlvgH2FyHCbK7lFFNYjg
5Z/GN0OA09zIH6Dsuq1rD0t7bS7RYbKTcDt5bgWftArRG8IwzyAhlbZNry5b/x8v
Wiad8lRoV5KJ++8xzWrL+0i45gV05M+L6cVY8u1FXbIPpqXFmXQ6Fq7PQsjNzZkz
gTiVhwWj/FD/VL9Dy3gjX74tRFMtM9eJxXFg0CFkwX+5GTVFUSyOJvfNoDolFKqs
EHO+rTjMULOWB8FSiZldPJL0wv4P5wEAZ+aqQ4mWsDHVDyACRlmLbOvMriiHrCMj
uDOWQwMsWOc/vCt6WPuNv3PlagACqOGQf0Pj62OcWTJGRzHoOXCw1OMgW3nNgg9X
f5UvXE8nn1hfJMePh6u1BXuOmoyOi2zTIng8ubfE8nw4pw35fkvfkY8BqllUw0XO
Kq5ICr1eqrHJNnicL+ITfiFm7yo0qUPlQnkBA7pCvrNDEdh6mLIEUE/NSqZd2XKB
TZeXLh6/0+djK1899sTsjr75yB1mVc6Jgo0OC4Em6T/u+VKw5LptxAoBnY7et2/7
6oJe8trQDEwBBE0ihwAvlElwG+kUyKS7P01Ow7ctmYzUuDoLgqECggEBAOV6LQ2H
/OfKfgyP/0pM3ngDUC0H49FLIXAKRdY/gLzecPauTleUX1aGOBkfscuHlKjKCllS
qUCHBLyE3bwAK5t0E3aHLtV9gGjNZvi7O6DZHwnMWP5AwN+eW1TASWUKfPVS6uUk
uMzkTkUowDK38EF7iabinSEYmpNxt0G7T4K9pV6O2HgMkKdIHvyxJ0dME3VOgG6m
miYTe2faRDaqRNY2Kn/r1NhSpRKb/iBovFcHLEQpffbtoJs4hzSUa8gk+iTk7WRX
k5a/74nJpB+v1m8ywHEmZ9wFBTCjoVNzBj0f7vZOrs6pP/3niJPEbyi1oK42I1GN
g6J16jgjVv+Q21ECggEBAOFRUVM61Yqz9mt34MqJgp0bqGEShDuFY4kvttAbtHK5
FLYc2Jxvn657jp1r2ksAb6UsDbp92UXmxxTw5H+PWsQ/nbNxmhPfjbjdvhoB4IHr
l3YxgWL9Ex0bi1vB8i/RYEOZs+Q9yyjB7rJqR6gw2jDJ0CQe/RsZUFh4RdzvrWoz
gqddlFUzfkS8KAjvmUA6rOrAgIdYhBRP85gXDtV+bc331q6NH8wu0hkJ0Q6gj0WZ
l/Nu1wWg8goHMuCU5GCDtrjQaXSECCo+XL4+VheGk8ZkDF+EkD4tW0oRKyao1rex
+aZ7IykGikXpMGtoQ+gUyiQzOzodFD5aycfJ+vO0IZ8CggEBANHXREWAWfM3xsYE
E2XFHxZNqU5UTa5AbqY+rpf5X+bV3iSlRfxuMDQ17iyDQBkmtPkYMBh4L09TaDBf
q0fUPAwePAICIgCVkAvF8Gh5BlDS2sAh/isZ2YVjEI9SeosL6TKIjUXWq6qpBy3U
0tROQUQQDNLvnNH75rX3oaVY/J9IfmUWaLp2evyNRdC6ynk3BwAZNfZ5ILK60/km
rYPzdZkQ1RI+/FaIVGzM+rh2LevDImZ+LrLTny7xpSmeo2TU820zbiV4s/yBLTEp
k4xqRcNPfIy7mvOmH5XXu5lMsKLKhcD0OIPAX0T2KX0+fouScwl7dhaIOpwgCXsm
TdLLitECggEAcJMYduUmXC6eKAO1JHyf7a8r6ZQ+zR5QJPLZ/BBbkBY46uRutXpv
5dWF49FHN8H4BiaElXDbZblwLl5NTA5r4zGFsWpI+TTwsjTYDlZxvXfgLQV/B945
9okUj7vPLWUHG79nydm17581i57ePoJqAYZToDh7bVawdgNhpIl7s1wZI1X2Druz
ktQPjKdpglXOn1ue3AC1vRBVPOAIYVLRud7iPEP2ZyXdgvUMpqpB6xxadx4iAIXx
aGFAYkUB9dbZLG20wqpVCgYugD7U9NwgaTcDl5W8G9S9j7wUOzSQUydw/GT5pD3I
SDXCI2fsxb/dX0jZhqeQvbbOqiuYXrrZMQKCAQEAqE3ZWDqhx4obUCkAiSnADnmh
v4/yzeHByCXH71uhou/C+y1f3RQLIZN8oAgnSKpFeAdue3Gwk6BA8FYBjSF2hhrM
LaYkzZ0fhFKhTbNmJ2LVJgFtOO8C/95UWY9tKuToRfndXv+99c1d1o85C97KE7C1
zREnTgIf990e5gx2KQCA5irELpKltu0g1wDfbD6hCxJhuvsg869Q0JcXcktg8c0D
sbJQWZrlr9i7TG6TEs7bWxH77hOdrpPyaRUiELt8ZfJJrrctYaY4ogd8NDctDbma
WJWdco8kyiWauoRBJuJJwRtTTMQ+JBiomOhDb1moQd19lNQiBjW5pTfr92NSVg==
-----END RSA PRIVATE KEY-----
View Git Blame Copy Permalink