MDEV-31855 validate ssl certificates using client password

if the client enabled --ssl-verify-server-cert, then the server certificate is verified as follows: * if --ssl-ca or --ssl-capath were specified, the cert must have a proper signature by the specified CA (or CA in the path) and the cert's hostname must match the server's hostname. If the cert isn't signed or a hostname is wrong - the connection is aborted. * if MARIADB_OPT_TLS_PEER_FP was used and the fingerprint matches, the connection is allowed, if it doesn't match - aborted. * If the connection uses unix socket or named pipes - it's allowed. (consistent with server's --require-secure-transport behavior) otherwise the cert is still in doubt, we don't know if we can trust it or there's an active MitM in progress. * If the user has provided no password or the server requested an authentication plugin that sends the password in cleartext - the connection is aborted. * Perform the authentication. If the server accepts the password, it'll send SHA2(scramble || password hash || cert fingerprint) with the OK packet. * Verify the SHA2 digest, if it matches - the connection is allowed, otherwise it's aborted.
2025-07-29 05:21:33 +03:00 · 2023-08-21 16:25:56 +02:00
parent 585c096aa5
commit 1ef1bab99e
13 changed files with 196 additions and 18 deletions
--- a/mysql-test/main/mysqldump.result
+++ b/mysql-test/main/mysqldump.result
@ -6666,7 +6666,7 @@ drop table t1;
 mariadb-dump: --xml can't be used with --tab.
 select @@max_connections into @save_max_connections;
 set global max_connections=10;
-mariadb-dump: Got error: 1040: "Too many connections" when trying to connect
+mariadb-dump: Got error: 2002: "Received error packet before completion of TLS handshake. The authenticity of the following error cannot be verified: 1040 - Too many connections" when trying to connect
 set global max_connections=300;
 mariadb-dump: Too many connections
 set global max_connections=@save_max_connections;