
MDEV-35368 Validation of SSL certificate fails for mariadb-backup

Just like in CONC-712, disable hostname checks for connections
over a unix socket, even for certificates that are not self-signed.
This commit is contained in:
Sergei Golubchik 2025-01-17 17:54:59 +01:00
parent 25b1c3505f
commit 04bd6ed44c
4 changed files with 44 additions and 3 deletions


@ -0,0 +1,2 @@
--ssl-key=$MYSQL_TEST_DIR/std_data/server8k-key.pem
--ssl-cert=$MYSQL_TEST_DIR/std_data/server8k-cert.pem


@ -0,0 +1,8 @@
#
# MDEV-35368 Validation of SSL certificate fails for mariadb-backup
#
GRANT ALL PRIVILEGES on *.* TO backup_user IDENTIFIED by 'x' REQUIRE SSL;
# localhost, not self-signed cert with a wrong hostname: ok
# tcp, not self-signed cert with a wrong hostname: fails
# tcp, not self-signed cert with a wrong hostname: fails even with a password (no auto-verification)
DROP USER backup_user;


@ -0,0 +1,30 @@
source include/not_embedded.inc;
source include/not_windows.inc;
if (`select @@version_ssl_library not like 'OpenSSL%'`) {
skip Needs OpenSSL;
}
--echo #
--echo # MDEV-35368 Validation of SSL certificate fails for mariadb-backup
--echo #
GRANT ALL PRIVILEGES on *.* TO backup_user IDENTIFIED by 'x' REQUIRE SSL;
let $targetdir=$MYSQLTEST_VARDIR/tmp/backup;
let SSL_CERT_DIR=$MYSQL_TMP_DIR;
copy_file $MYSQL_TEST_DIR/std_data/cacert.pem $MYSQL_TMP_DIR/ed1f42db.0;
echo # localhost, not self-signed cert with a wrong hostname: ok;
exec $XTRABACKUP --user=root --socket=$MASTER_MYSOCK --backup --target-dir=$targetdir;
rmdir $targetdir;
echo # tcp, not self-signed cert with a wrong hostname: fails;
error 1;
exec $XTRABACKUP --protocol=tcp --user=root --port=$MASTER_MYPORT --backup --target-dir=$targetdir;
echo # tcp, not self-signed cert with a wrong hostname: fails even with a password (no auto-verification);
error 1;
exec $XTRABACKUP --protocol=tcp --user=backup_user --password=x --port=$MASTER_MYPORT --backup --target-dir=$targetdir;
remove_file $MYSQL_TMP_DIR/ed1f42db.0;
DROP USER backup_user;
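Review bot: The unix-socket case is only exercised on its positive path (`exec $XTRABACKUP --user=root --socket=$MASTER_MYSOCK ...`), so nothing in this test pins that the relaxation is limited to hostname matching and that chain verification still runs over the socket. A negative socket case, for example the same `exec` run before `copy_file ... $MYSQL_TMP_DIR/ed1f42db.0` puts the CA into `SSL_CERT_DIR`, guarded with `error 1;`, would catch a future change that widened `is_local` into skipping verification altogether. This is only worth adding if no other test in the suite already covers an untrusted chain over the socket.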


@ -1587,7 +1587,7 @@ mysql_get_ssl_cipher(MYSQL *mysql __attribute__((unused)))
#include <openssl/x509v3.h>
static int ssl_verify_server_cert(MYSQL *mysql, const char **errptr)
static int ssl_verify_server_cert(MYSQL *mysql, const char **errptr, int is_local)
{
SSL *ssl;
X509 *server_cert= NULL;
@ -1628,7 +1628,8 @@ static int ssl_verify_server_cert(MYSQL *mysql, const char **errptr)
mysql->tls_self_signed_error= *errptr= "SSL certificate is self-signed";
break;
case X509_V_OK:
ret_validation= X509_check_host(server_cert, mysql->host,
ret_validation= !is_local &&
X509_check_host(server_cert, mysql->host,
strlen(mysql->host), 0, 0) != 1 &&
X509_check_ip_asc(server_cert, mysql->host, 0) != 1;
*errptr= "SSL certificate validation failure";
@ -2171,7 +2172,7 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
/* Verify server cert */
if ((!mysql->options.extension ||
!mysql->options.extension->tls_allow_invalid_server_cert) &&
ssl_verify_server_cert(mysql, &cert_error))
ssl_verify_server_cert(mysql, &cert_error, vio_type == VIO_TYPE_SOCKET))
{
set_mysql_extended_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate,
ER(CR_SSL_CONNECTION_ERROR), cert_error);
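Review bot: The new `is_local` parameter in the first hunk and the short-circuit `!is_local &&` in the `X509_V_OK` branch of the second hunk carry no comment saying what is relaxed and what is not; add above that case, e.g. `/* Over a unix socket mysql->host names a path, not the peer, so hostname/IP matching is skipped; the chain result and the self-signed check above still apply. */`. The `X509_V_OK` case is reached only after chain verification, so the relaxation is limited to name matching as the commit title describes. In the third hunk the decision is keyed on `vio_type == VIO_TYPE_SOCKET`; that local is presumably captured before the TLS handshake replaces the vio type with `VIO_TYPE_SSL`, which is worth one line at the call site since it is the reason a saved local rather than `mysql->net.vio->type` is used. Both `ssl_verify_server_cert` and `send_client_reply_packet` start and end outside the hunks.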