You've already forked mariadb-connector-c
mirror of
https://github.com/mariadb-corporation/mariadb-connector-c.git
synced 2025-09-11 08:30:59 +03:00
1287c901dc
Peer certificate validation:
Since version 3.4 peer certificate verification is enabled by default.
It can be disabled via `mysql_optionsv`, using option
MYSQL_OPT_SSL_VERIFY_SERVER_CERT:
my_bool verify= 0;
mysql_options(mariadb, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify);
Self signed certificates
If the client obtained a self signed peer certificate from MariaDB server
the verification will fail, with the following exceptions:
* If the connection between client and server is considered to be secure:, e.g.
* a unix_socket is used for client server communication
* hostname is localhost (Windows operating system), 127.0.0.1 or ::1
* a specified fingerprint matches the fingerprint of the peer certificate (see below)
* a client can verify the certificate using account password, it's possible if
* account has a password
* authentication plugin is "secure without TLS", that is, one of
mysql_native_password, ed25519 or parsec.
Fingerprint verification of the peer certificate
A fingerprint is a cryptographic hash (SHA-256, SHA-384 or SHA-512) of the peer
certificate's binary data. Even if the fingerprint matches, an expired or
revoked certificate will not be accepted.
For security reasons support for MD5 and SHA1 has been removed.
Technical details:
==================
- Peer certificate verification call was removed from ma_tls_connect, instead it
will be called directly after the handshake succeeded (my_auth.c)
- mysql->net.tls_self_signed_error was replaced by mysql->net.tls_verify_status which
contains the result of the peer certfificate verification:
The verification status can be obtained with mariadb_get_infov using new parameter
MARIADB_TLS_VERIFY_STATUS.
unsigned int tls_verify_status;
mariadb_get_infov(mysql, MARIADB_TLS_VERIFY_STATUS, &tls_verify_status);
The result is a combination of the following flags:
MARIADB_TLS_VERIFY_OK 0
MARIADB_TLS_VERIFY_TRUST 1
MARIADB_TLS_VERIFY_HOST 2
MARIADB_TLS_VERIFY_PERIOD 4
MARIADB_TLS_VERIFY_FINGERPRINT 8
MARIADB_TLS_VERIFY_REVOKED 16
MARIADB_TLS_VERIFY_UNKNOWN 32
- GnuTLS peer certificate verification callback was removed and replaced by
gnutls_verify_peers2() api function, so the peer certificate validation
will happen after handshake.
- OpenSSL implementation will no longer use SSL_verify_result to check the
validity of the peer certificate. Instead a callback function will be called
during the handshake, which collects all certificate validation errors.
- If the peer certificate is not trusted, hostname verification will be
skipped.
- Testing
Added new test tls, which implements a python based dummy server, which allows
to set different certificates and TLS options. Please note. that tests are
expected to fail, since the server doesn't support further steps like user
authentication etc. after the handshake. Prerequisite for running the tls test
is Python3.
129 lines
7.5 KiB
Plaintext
Executable File
129 lines
7.5 KiB
Plaintext
Executable File
Certificate:
|
|
Data:
|
|
Version: 3 (0x2)
|
|
Serial Number: 1 (0x1)
|
|
Signature Algorithm: sha256WithRSAEncryption
|
|
Issuer: CN=cacert, C=FI, ST=Helsinki, L=Helsinki, O=MariaDB
|
|
Validity
|
|
Not Before: Mar 3 03:03:03 2020 GMT
|
|
Not After : Feb 27 03:03:03 2040 GMT
|
|
Subject: C=FI, ST=state or province within country, in other certificates in this file it is the same as L, L=location, usually an address but often ambiguously used, O=organization name, typically a company name, OU=organizational unit name, a division name within an organization, CN=localhost
|
|
Subject Public Key Info:
|
|
Public Key Algorithm: rsaEncryption
|
|
RSA Public-Key: (4096 bit)
|
|
Modulus:
|
|
00:c9:f9:46:27:69:68:4b:5a:26:dd:1f:98:0f:44:
|
|
ba:40:83:ca:82:c2:7a:53:cc:b9:30:f1:ca:3e:e2:
|
|
6d:de:3a:11:aa:ce:c5:90:27:e6:f3:4f:3b:e9:af:
|
|
1a:ec:21:d7:ca:14:1f:f1:9b:cb:cd:7e:57:b4:c8:
|
|
5d:6c:cd:5a:54:dd:8a:9a:a9:27:ef:49:d3:6c:ac:
|
|
99:2d:dc:e5:c0:1e:3c:05:9f:c5:04:c7:2d:81:66:
|
|
21:27:16:d6:c3:e4:97:53:db:21:a6:43:50:70:cb:
|
|
2e:95:fb:da:52:55:27:1b:17:ef:19:83:eb:ff:a1:
|
|
fc:62:63:ea:2f:fe:53:35:e6:d9:bc:03:2d:e5:c2:
|
|
18:b1:29:91:e4:a4:79:2c:f1:05:dd:d5:3f:ff:b1:
|
|
9e:64:8d:60:29:74:43:f0:3d:31:e7:78:ce:9f:17:
|
|
74:e5:9f:fb:7b:69:a9:45:3b:e8:76:03:c6:ca:52:
|
|
85:84:50:0d:2b:98:6f:ff:d8:41:66:6d:39:f6:1a:
|
|
a3:61:e2:82:5f:dc:ec:ca:97:dc:b2:dc:cf:aa:97:
|
|
ef:13:10:ea:fb:8f:99:91:bb:d9:e8:61:25:2d:68:
|
|
04:af:2f:89:56:0d:89:90:77:e0:ad:c2:25:eb:3c:
|
|
d2:4e:3d:ca:6e:ae:35:c8:f2:94:7a:09:74:d3:8e:
|
|
73:30:e6:39:fe:b6:9c:c7:4d:23:4e:b0:bf:90:97:
|
|
29:b2:b3:30:b2:bb:49:ae:47:09:fe:cd:23:3a:01:
|
|
a4:ac:cb:53:25:74:98:27:20:85:6b:18:74:bb:1c:
|
|
bf:ff:05:dc:06:7c:02:78:81:1e:96:ad:8f:c6:a2:
|
|
0d:b3:5c:8e:ad:d5:fd:af:c5:8d:8b:9f:31:b1:4f:
|
|
a7:1e:9b:cd:57:68:d5:ad:ed:4e:7b:5f:0d:0c:d2:
|
|
47:85:b4:65:4b:23:1c:5b:a5:ec:88:fa:42:80:73:
|
|
84:cb:75:05:a6:39:f1:e6:a9:4e:15:e6:2f:f7:61:
|
|
0b:f3:08:cc:a6:2b:2b:64:6e:04:a1:fc:da:5e:34:
|
|
ad:7c:54:be:85:e4:ed:64:74:31:30:2a:ed:ab:3e:
|
|
d2:cd:c7:3e:de:18:04:8a:a7:bd:ad:52:74:13:b1:
|
|
b0:7d:4d:7e:87:7b:cb:82:1f:29:11:e1:0e:4b:42:
|
|
2b:83:e8:88:7e:92:80:20:eb:ee:da:d4:dd:1e:9c:
|
|
54:5c:67:a7:00:5f:a1:b7:bf:5d:c0:5a:25:2a:c1:
|
|
1e:7c:93:32:dd:17:c8:02:6d:1a:42:26:f6:50:01:
|
|
4b:df:29:7f:72:f1:90:72:80:8a:ba:2f:8c:86:7d:
|
|
56:45:c5:0e:82:16:d8:29:03:57:87:ce:22:1c:7f:
|
|
31:a8:4f
|
|
Exponent: 65537 (0x10001)
|
|
X509v3 extensions:
|
|
X509v3 Basic Constraints:
|
|
CA:FALSE
|
|
Netscape Comment:
|
|
OpenSSL Generated Certificate
|
|
X509v3 Subject Key Identifier:
|
|
DB:DF:8B:BC:C2:EE:A9:2A:4E:FD:0E:7A:5F:15:CF:94:A3:0C:CA:CC
|
|
X509v3 Authority Key Identifier:
|
|
keyid:4D:FC:7A:19:F3:2B:0C:7D:F6:C0:7C:4D:F8:72:34:4C:8C:35:52:74
|
|
|
|
Signature Algorithm: sha256WithRSAEncryption
|
|
09:d1:af:0e:0b:e8:a2:5e:c8:ee:0a:9f:21:c3:2c:da:a4:38:
|
|
d5:cc:a6:ca:8e:ef:df:94:ab:32:5a:ec:32:84:01:7a:97:bb:
|
|
38:e0:a8:7d:20:d9:ca:51:3d:a3:74:f9:fe:85:14:26:95:37:
|
|
de:2d:74:7e:16:eb:14:14:1b:80:e9:12:54:de:cc:94:cc:38:
|
|
ca:df:9a:d0:ce:3e:6c:f1:de:e8:40:f5:3e:6e:c0:ee:05:50:
|
|
5a:38:4b:97:69:3c:7a:1f:a8:11:67:e5:9a:9e:50:2e:62:e8:
|
|
f8:bf:1a:54:84:ad:9d:0e:1e:ec:64:22:1b:38:85:87:0b:f3:
|
|
c7:47:80:aa:c1:99:72:a5:0d:fd:ce:2c:6e:0d:52:4d:d7:55:
|
|
2f:4e:52:6e:4a:b9:9a:61:34:08:59:d9:30:cc:30:4a:dc:35:
|
|
34:b9:b0:a4:97:a1:b8:d7:ce:ee:63:2d:3a:ad:73:9c:99:49:
|
|
11:0a:04:94:60:97:19:4f:4b:66:d4:fb:bf:14:46:39:27:da:
|
|
01:3f:d8:6a:46:cb:77:12:f2:77:86:3a:45:e1:f7:44:3d:2b:
|
|
3d:e6:26:06:5e:29:20:be:1f:aa:74:43:0c:85:79:e2:14:9c:
|
|
03:bf:49:21:64:7e:c3:4a:7b:a1:60:f6:ce:fb:7c:59:e4:65:
|
|
7c:fb:1e:84:38:53:ec:1f:80:c2:b5:f7:c2:0e:46:19:4b:4d:
|
|
a3:32:6e:59:40:32:9b:6b:2c:bb:fa:1a:89:2e:96:22:71:d5:
|
|
71:92:9b:0d:86:0e:60:60:19:ba:34:22:e1:f1:f3:c9:87:5c:
|
|
5c:f5:d3:52:1c:11:0d:d3:91:7a:6b:bd:6f:cc:ba:78:60:e0:
|
|
20:b4:c2:d1:91:70:5f:74:33:a1:bc:aa:db:d1:35:91:b5:cb:
|
|
46:a8:28:7a:26:fc:8c:6c:64:05:4d:73:f1:00:bb:eb:70:87:
|
|
fd:9f:04:55:8f:7b:00:b1:c0:50:09:3a:58:44:19:a7:bd:f1:
|
|
34:5b:4d:d9:10:6b:d5:38:fa:64:f5:d3:28:4f:c4:23:14:29:
|
|
98:3e:2f:c2:87:6f:69:a0:89:0e:ee:f7:c4:50:9e:33:b9:0a:
|
|
84:f0:c6:38:45:38:91:10:14:ac:c4:03:8e:4b:e2:61:f9:78:
|
|
85:02:b9:c6:d5:c2:9f:ba:ac:21:1a:3a:4e:1a:f8:a9:12:ae:
|
|
67:37:79:ce:ec:94:54:cf:28:c4:33:3b:45:23:d2:cb:37:3b:
|
|
09:ee:e2:c4:9f:12:dc:e3:8f:06:1d:d5:54:b7:73:2c:34:36:
|
|
97:41:91:81:30:06:2c:90:14:9b:aa:4e:33:2a:38:29:f5:3d:
|
|
f4:c7:f2:03:6d:d9:d7:3e
|
|
-----BEGIN CERTIFICATE-----
|
|
MIIGlTCCBH2gAwIBAgIBATANBgkqhkiG9w0BAQsFADBWMQ8wDQYDVQQDDAZjYWNl
|
|
cnQxCzAJBgNVBAYTAkZJMREwDwYDVQQIDAhIZWxzaW5raTERMA8GA1UEBwwISGVs
|
|
c2lua2kxEDAOBgNVBAoMB01hcmlhREIwHhcNMjAwMzAzMDMwMzAzWhcNNDAwMjI3
|
|
MDMwMzAzWjCCAUcxCzAJBgNVBAYTAkZJMWEwXwYDVQQIDFhzdGF0ZSBvciBwcm92
|
|
aW5jZSB3aXRoaW4gY291bnRyeSwgaW4gb3RoZXIgY2VydGlmaWNhdGVzIGluIHRo
|
|
aXMgZmlsZSBpdCBpcyB0aGUgc2FtZSBhcyBMMUAwPgYDVQQHDDdsb2NhdGlvbiwg
|
|
dXN1YWxseSBhbiBhZGRyZXNzIGJ1dCBvZnRlbiBhbWJpZ3VvdXNseSB1c2VkMTQw
|
|
MgYDVQQKDCtvcmdhbml6YXRpb24gbmFtZSwgdHlwaWNhbGx5IGEgY29tcGFueSBu
|
|
YW1lMUkwRwYDVQQLDEBvcmdhbml6YXRpb25hbCB1bml0IG5hbWUsIGEgZGl2aXNp
|
|
b24gbmFtZSB3aXRoaW4gYW4gb3JnYW5pemF0aW9uMRIwEAYDVQQDDAlsb2NhbGhv
|
|
c3QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDJ+UYnaWhLWibdH5gP
|
|
RLpAg8qCwnpTzLkw8co+4m3eOhGqzsWQJ+bzTzvprxrsIdfKFB/xm8vNfle0yF1s
|
|
zVpU3YqaqSfvSdNsrJkt3OXAHjwFn8UExy2BZiEnFtbD5JdT2yGmQ1Bwyy6V+9pS
|
|
VScbF+8Zg+v/ofxiY+ov/lM15tm8Ay3lwhixKZHkpHks8QXd1T//sZ5kjWApdEPw
|
|
PTHneM6fF3Tln/t7aalFO+h2A8bKUoWEUA0rmG//2EFmbTn2GqNh4oJf3OzKl9yy
|
|
3M+ql+8TEOr7j5mRu9noYSUtaASvL4lWDYmQd+CtwiXrPNJOPcpurjXI8pR6CXTT
|
|
jnMw5jn+tpzHTSNOsL+QlymyszCyu0muRwn+zSM6AaSsy1MldJgnIIVrGHS7HL//
|
|
BdwGfAJ4gR6WrY/Gog2zXI6t1f2vxY2LnzGxT6cem81XaNWt7U57Xw0M0keFtGVL
|
|
IxxbpeyI+kKAc4TLdQWmOfHmqU4V5i/3YQvzCMymKytkbgSh/NpeNK18VL6F5O1k
|
|
dDEwKu2rPtLNxz7eGASKp72tUnQTsbB9TX6He8uCHykR4Q5LQiuD6Ih+koAg6+7a
|
|
1N0enFRcZ6cAX6G3v13AWiUqwR58kzLdF8gCbRpCJvZQAUvfKX9y8ZBygIq6L4yG
|
|
fVZFxQ6CFtgpA1eHziIcfzGoTwIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG
|
|
+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU
|
|
29+LvMLuqSpO/Q56XxXPlKMMyswwHwYDVR0jBBgwFoAUTfx6GfMrDH32wHxN+HI0
|
|
TIw1UnQwDQYJKoZIhvcNAQELBQADggIBAAnRrw4L6KJeyO4KnyHDLNqkONXMpsqO
|
|
79+UqzJa7DKEAXqXuzjgqH0g2cpRPaN0+f6FFCaVN94tdH4W6xQUG4DpElTezJTM
|
|
OMrfmtDOPmzx3uhA9T5uwO4FUFo4S5dpPHofqBFn5ZqeUC5i6Pi/GlSErZ0OHuxk
|
|
Ihs4hYcL88dHgKrBmXKlDf3OLG4NUk3XVS9OUm5KuZphNAhZ2TDMMErcNTS5sKSX
|
|
objXzu5jLTqtc5yZSREKBJRglxlPS2bU+78URjkn2gE/2GpGy3cS8neGOkXh90Q9
|
|
Kz3mJgZeKSC+H6p0QwyFeeIUnAO/SSFkfsNKe6Fg9s77fFnkZXz7HoQ4U+wfgMK1
|
|
98IORhlLTaMybllAMptrLLv6GokuliJx1XGSmw2GDmBgGbo0IuHx88mHXFz101Ic
|
|
EQ3TkXprvW/Munhg4CC0wtGRcF90M6G8qtvRNZG1y0aoKHom/IxsZAVNc/EAu+tw
|
|
h/2fBFWPewCxwFAJOlhEGae98TRbTdkQa9U4+mT10yhPxCMUKZg+L8KHb2mgiQ7u
|
|
98RQnjO5CoTwxjhFOJEQFKzEA45L4mH5eIUCucbVwp+6rCEaOk4a+KkSrmc3ec7s
|
|
lFTPKMQzO0Uj0ss3Ownu4sSfEtzjjwYd1VS3cyw0NpdBkYEwBiyQFJuqTjMqOCn1
|
|
PfTH8gNt2dc+
|
|
-----END CERTIFICATE-----
|