Comments - Securing Connections for Client and Server

4 years, 1 month ago Tommy Pham

I have a script that generates self signed certs based on this instruction:

https://mariadb.com/kb/en/certificate-creation-with-openssl/

 # ./self_signed.sh mariadb 1
=============== CA ===============
Generating RSA private key, 4096 bit long modulus (2 primes)
.............................................................................................++++
.....++++
e is 65537 (0x010001)
=============== Server Certificate ===============
Generating a RSA private key
........................................++++
....................++++
writing new private key to 'mariadb_server-key.pem'
-----
writing RSA key
Signature ok
subject=CN = mariadb
Getting CA Private Key
=============== Client Certificate ===============
Generating a RSA private key
.....................................................................................................++++
..............................................................................++++
writing new private key to 'mariadb_client-key.pem'
-----
writing RSA key
Signature ok
subject=CN = mariadb
Getting CA Private Key
=============== Verifying Certificates ===============
mariadb_server-cert.pem: OK
mariadb_client-cert.pem: OK

When connecting with --ssl-verify-server-cert, it fails:

# mysql -p --ssl-cert=mariadb_client-cert.pem --ssl-key=mariadb_client-key.pem --ssl-ca=mariadb_ca-cert.pem --ssl-verify-server-cert
Enter password:
ERROR 2026 (HY000): SSL connection error: Validation of SSL server certificate failed

Without server cert verification, I can log in OK and the SSL session checks out:

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 32
Server version: 10.4.12-MariaDB FreeBSD Ports

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show variables like 'have_ssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_ssl      | YES   |
+---------------+-------+
1 row in set (0.003 sec)

MariaDB [(none)]> show session status like 'ssl_cipher';
+---------------+------------------------+
| Variable_name | Value                  |
+---------------+------------------------+
| Ssl_cipher    | TLS_AES_256_GCM_SHA384 |
+---------------+------------------------+
1 row in set (0.005 sec)

MariaDB [(none)]> show session status like 'ssl_version';
+---------------+---------+
| Variable_name | Value   |
+---------------+---------+
| Ssl_version   | TLSv1.3 |
+---------------+---------+
1 row in set (0.004 sec)

Please advise. Thank you.

 
4 years, 1 month ago Sergei Golubchik

See https://mariadb.com/kb/en/connecting-to-mariadb/#ssl-verify-server-cert

--ssl-verify-server-cert means "Verify server's 'Common Name' in its cert against hostname used when connecting"

you have CN=mariadb, but your host name, probably, isn't "mariadb", is it?
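The check Sergei describes, as an added example (not MariaDB code): the name the client connected with must match a name in the server certificate. The page only mentions the Common Name; this example also applies the SAN-first rule used by modern TLS stacks, which the page does not describe. The certificate contents are constructed dictionaries, not parsed PEM files.

```python
"""Server-name matching as --ssl-verify-server-cert performs it.
Added example, not MariaDB code; certificates below are constructed."""
import ipaddress


def _name_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive match. A '*' is allowed only as the whole leftmost
    label (RFC 6125 style): '*.example.test' matches 'db.example.test' but
    not 'a.b.example.test', 'example.test', or a bare two-label host."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" in p:
        if not p.startswith("*.") or "*" in p[2:]:
            return False
        h_parts = h.split(".")
        return len(h_parts) >= 3 and ".".join(h_parts[1:]) == p[2:]
    return p == h


def verify_server_name(cert: dict, connect_host: str) -> bool:
    """cert = {'subject_cn': str, 'san_dns': [...], 'san_ip': [...]}.
    If the certificate carries any SAN, only SAN entries are consulted;
    the CN is a fallback for SAN-less certificates like the thread's."""
    san_dns, san_ip = cert.get("san_dns", []), cert.get("san_ip", [])
    try:
        ip = ipaddress.ip_address(connect_host)
    except ValueError:
        ip = None
    if ip is not None:  # connecting by IP literal: only an IP SAN can match
        return any(ipaddress.ip_address(x) == ip for x in san_ip)
    if san_dns or san_ip:
        return any(_name_match(pat, connect_host) for pat in san_dns)
    cn = cert.get("subject_cn")
    return cn is not None and _name_match(cn, connect_host)


# Constructed: what the thread's script produced (CN=mariadb, no SAN).
THREAD_CERT = {"subject_cn": "mariadb", "san_dns": [], "san_ip": []}

# Constructed: a certificate issued for the names the client really uses.
FIXED_CERT = {"subject_cn": "mariadb",
              "san_dns": ["db.example.test", "*.db.example.test", "localhost"],
              "san_ip": ["127.0.0.1"]}

if __name__ == "__main__":
    for host in ("mariadb", "localhost", "127.0.0.1"):
        print(f"{host:10} thread cert: {verify_server_name(THREAD_CERT, host)}"
              f"  fixed cert: {verify_server_name(FIXED_CERT, host)}")
```

With the thread's CN-only certificate, verification succeeds only when the client connects to a host literally named "mariadb"; connecting to localhost or 127.0.0.1 fails exactly as in the error shown above.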

 
4 years, 1 month ago Tommy Pham

Hi Sergei,

Thank you for the feedback. No, it's redacted. The server and client are on the same host of FreeBSD 12.1. I've checked the compiled library linking to OpenSSL:

  1. readelf -a /usr/local/lib/mysql/libmariadbclient.a | grep SSL_init
     00000000003e 001a00000004 R_X86_64_PLT32 0000000000000000 OPENSSL_init_ssl + fffffffffffffffc
     26: 0000000000000000 0 NOTYPE GLOBAL DEFAULT UND OPENSSL_init_ssl
  2. readelf -a /usr/local/lib/mysql/libmariadb.so | grep SSL_init
     000000054408 005700000007 R_X86_64_JUMP_SLOT 0000000000000000 OPENSSL_init_ssl + 0
     87: 0000000000000000 0 FUNC GLOBAL DEFAULT UND OPENSSL_init_ssl@OPENSSL_1_1_0 (7)

The libmariadb seems to link correctly while the libmariadbclient doesn't. I presume that the server uses libmariadb and the 'mysql' client uses libmariadbclient, even though both client and server are compiled from the same source but with different configurations? If that's the case, I'll need to file a bug with the maintainer. By the way, when running 'mariadb_config' on the client, does it utilize libmariadbclient or libmariadb? The mariadb_config shows a different OpenSSL version, 1.1.1e.

Thanks, Tommy

 
4 years, 1 month ago Sergei Golubchik

libmariadb.so and libmariadbclient.a are compiled from the same source tree and same settings. One make command compiles both.

The "mysql" client is linked with libmariadbclient.a (you can check with ldd). The server uses neither.

 
4 years, 1 month ago Tommy Pham

Thank you for the clarification and confirmation regarding my suspicion of "mysql" client linking to libmariadbclient.

 