
I have deployed MariaDB on Azure with SSL enabled. The server name looks like: somename.mariadb.database.azure.com

I installed the MariaDB client on my jump server. I did nslookup somename.mariadb.database.azure.com and it gives 10.0.4.68.

However, when I do:

1. mysql -h somename.mariadb.database.azure.com -u"benighil@somename" -p"I******4" --ssl-verify-server-cert --ssl-ca /home/rootvm/workdir/BaltimoreCyberTrustRoot.crt.pem THEN IT WORKS FINE

2. mysql -h 10.0.4.68 -u"benighil@somename" -p"I******4" --ssl-verify-server-cert --ssl-ca /home/rootvm/workdir/BaltimoreCyberTrustRoot.crt.pem IT DOES NOT WORK

Notice, in 2.:

  • I just replaced the DNS name by its IP

  • the error I got is:

ERROR 2026 (HY000): SSL connection error: The certificate is NOT trusted. The name in the certificate does not match the expected.

I would like to know why?

Mohamed
  • Likely your certificate does not contain the IP as a SAN. It probably only contains the FQDN. This is definitely not my area of expertise, but this similar question may help: https://stackoverflow.com/questions/2043617/is-it-possible-to-have-ssl-certificate-for-ip-address-not-domain-name Note that question was closed as off-topic, so this might be better asked at superuser.com or dba.stackexchange.com (both Stack Exchange properties). – JNevill Sep 08 '22 at 15:40
  • The hostname must match one of the names in the list of SANs. If you accept a certificate that doesn't contain a matching hostname in the SANs, then that's a security hole. – President James K. Polk Sep 08 '22 at 16:40
  • It is SAN or CN, not SAN only. – Georg Richter Sep 08 '22 at 17:16
  • [X509_check_host](https://www.openssl.org/docs/man3.0/man3/X509_check_host.html): "...the default is to ignore the subject DN when at least one corresponding subject alternative names is present...". So it only checks the CN if there are no SANs present. – President James K. Polk Sep 08 '22 at 19:56
  • @PresidentJamesK.Polk Yes, according to RFC6125 DN will be ignored if SAN is present. But if there is no SAN, DN will be checked. Even if it's deprecated there are tons of valid certificates using DN. – Georg Richter Sep 08 '22 at 22:02
  • @GeorgRichter: Actually use of the CN has been deprecated for 20 years now, I haven't seen a cert that doesn't use the SAN for a long time now. – President James K. Polk Sep 08 '22 at 22:43

1 Answer

This is the relevant part in source code (MariaDB Connector/C):

if (X509_check_host(cert, mysql->host, 0, 0, 0) != 1
    && X509_check_ip_asc(cert, mysql->host, 0) != 1)
   goto error;

X509_check_host/ip check whether the hostname or IP is in the Subject Alternative Name (SAN) or Subject Common Name (CN); if not, an error is returned.

You can easily check this with the openssl command-line tool (version 1.1.1 or newer):

openssl s_client -starttls mysql -connect somename.mariadb.database.azure.com:3306

Georg Richter
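To make the connector's check concrete, here is an added Python model of the two OpenSSL calls quoted in the answer (example code, not part of the answer or of MariaDB Connector/C). It reproduces the matching rules the comments discuss: dNSName SANs take precedence and the CN is only a fallback when no dNSName SAN exists, while an IP literal is only ever compared against iPAddress SANs. The three certificates are constructed samples; the SAN list of the real Azure server is whatever `openssl s_client` prints, and `AZURE_LIKE_CERT` merely assumes it carries a DNS name and no IP entry.

```python
import ipaddress

# Constructed sample "certificates": only the fields the name check looks at.
AZURE_LIKE_CERT = {"cn": "*.mariadb.database.azure.com",
                   "san": [("DNS", "*.mariadb.database.azure.com")]}
IP_SAN_CERT = {"cn": "db.internal.example",
               "san": [("DNS", "db.internal.example"), ("IP", "10.0.4.68")]}
CN_ONLY_CERT = {"cn": "legacy.internal.example", "san": []}  # no SAN at all


def dns_name_matches(pattern, hostname):
    """Case-insensitive match; '*' is allowed only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        return (len(p_labels) == len(h_labels)
                and h_labels[0] != ""
                and p_labels[1:] == h_labels[1:])
    return pattern == hostname


def check_host(cert, hostname):
    """Like X509_check_host: dNSName SANs win; the CN is used only if none exist."""
    dns_sans = [v for kind, v in cert["san"] if kind == "DNS"]
    if dns_sans:
        return any(dns_name_matches(p, hostname) for p in dns_sans)
    return cert.get("cn") is not None and dns_name_matches(cert["cn"], hostname)


def check_ip_asc(cert, ip_text):
    """Like X509_check_ip_asc: only iPAddress SANs count, the CN is never consulted."""
    try:
        wanted = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # not an IP literal at all
    return any(kind == "IP" and ipaddress.ip_address(v) == wanted
               for kind, v in cert["san"])


def server_name_ok(cert, host):
    """The connector's rule: accept if either the host check or the IP check passes."""
    return check_host(cert, host) or check_ip_asc(cert, host)


if __name__ == "__main__":
    for host in ("somename.mariadb.database.azure.com", "10.0.4.68"):
        print(host, "->", "trusted" if server_name_ok(AZURE_LIKE_CERT, host) else "name mismatch")
```

Connecting by FQDN passes the first check; connecting by 10.0.4.68 fails both unless the certificate actually lists that address as an iPAddress SAN.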