Bug #93301 TLS validation with SubjectAlternativeName
Submitted: 22 Nov 2018 19:35 Modified: 13 Mar 2019 17:12
Reporter: Daniël van Eeden (OCA)
Status: Closed
Category: Connector / C++ Severity: S3 (Non-critical)
Version: 8.0.13 OS: Any
CPU Architecture: Any
Tags: tls

[22 Nov 2018 19:35] Daniël van Eeden
Description:
Bug #68052 fixes this for libmysqlclient with the contribution from https://github.com/mysql/mysql-server/pull/196

Looks like the code for Connector/C++ needs updating

How to repeat:
Compare:
mysql-connector-cpp:cdk/foundation/connection_openssl.cc connection_TLS_impl::verify_server_cert()
mysql-server:sql-common/client.cc ssl_verify_server_cert()

Suggested fix:
use X509_check_host()
[23 Nov 2018 8:43] MySQL Verification Team
Hello Daniël,

Thank you for the report.
Verifying based on code comparison.

regards,
Umesh
[13 Mar 2019 17:12] Paul DuBois
Posted by developer:

Fixed in 8.0.16.

Previously, for the SSL_MODE_VERIFY_IDENTITY connection option,
Connector/C++ checked whether the host name that it used for
connecting matched the Common Name value in the certificate but not
the Subject Alternative Name value. Now, if used with OpenSSL 1.0.2
or higher, Connector/C++ checks whether the host name matches either
the Subject Alternative Name value or the Common Name value in the
server certificate.
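As an added illustration (not code from the bug report, from Connector/C++ or from libmysqlclient), the following Python models the two host-name checks this report contrasts: the pre-8.0.16 comparison against the Common Name only, and the SAN-first matching that OpenSSL's X509_check_host() performs with its default flags, where a certificate carrying any dNSName SAN is judged by those entries alone and the CN is consulted only when no dNSName SAN exists. Certificates are written in the dict shape that Python's ssl.getpeercert() returns; every certificate value below is constructed test data, and the wildcard handling is a simplified RFC 6125 model (whole leftmost label only; OpenSSL by default also accepts partial-label wildcards).

```python
"""Model of host-name verification: CN-only (old behaviour) vs SAN-first (X509_check_host)."""

# Constructed certificates in ssl.getpeercert() dict form; none of these are real.
CERT_WITH_SAN = {
    "subject": ((("commonName", "mysql-primary"),),),
    "subjectAltName": (
        ("DNS", "db.example.com"),
        ("DNS", "*.replica.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}

CERT_CN_ONLY = {
    "subject": (
        (("organizationName", "Example Corp"),),
        (("commonName", "legacy.example.com"),),
    ),
}

CERT_SAN_ONLY = {
    "subject": ((("organizationName", "Example Corp"),),),
    "subjectAltName": (("DNS", "san-only.example.com"),),
}


def common_names(cert):
    """All commonName values from the subject DN, in certificate order."""
    return [value for rdn in cert.get("subject", ())
            for (attr, value) in rdn if attr == "commonName"]


def dns_sans(cert):
    """All dNSName entries of the subjectAltName extension."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def dns_label_match(pattern, hostname):
    """RFC 6125 section 6.4.3 style comparison: case-insensitive, and a single
    '*' may stand in for the entire leftmost label and nothing else.
    Simplification: OpenSSL's default flags also accept partial wildcards such
    as 'f*o.example.com'; this model rejects them."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label, the pattern must keep at
    # least two further labels (so '*.com' never matches), the host must have
    # exactly as many labels, and no other '*' may appear anywhere.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    if "*" in pattern[2:] or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def verify_cn_only(cert, hostname):
    """Pre-8.0.16 behaviour described in the report: compare the host name with
    the Common Name and ignore Subject Alternative Names entirely."""
    return any(dns_label_match(cn, hostname) for cn in common_names(cert))


def verify_host(cert, hostname):
    """X509_check_host() with default flags: if any dNSName SAN is present only
    those entries count; the CN is a fallback for certificates without one."""
    sans = dns_sans(cert)
    if sans:
        return any(dns_label_match(san, hostname) for san in sans)
    return any(dns_label_match(cn, hostname) for cn in common_names(cert))


if __name__ == "__main__":
    cases = [
        (CERT_SAN_ONLY, "san-only.example.com"),   # SAN-only cert: old check fails
        (CERT_WITH_SAN, "r1.replica.example.com"),  # wildcard SAN match
        (CERT_WITH_SAN, "a.b.replica.example.com"), # wildcard covers one label only
        (CERT_WITH_SAN, "mysql-primary"),           # CN ignored once a dNSName SAN exists
        (CERT_CN_ONLY, "legacy.example.com"),       # CN fallback still works
    ]
    for cert, host in cases:
        print(f"{host:28} CN-only={verify_cn_only(cert, host)!s:5} "
              f"SAN-first={verify_host(cert, host)}")
```

The first case is the failure mode the report points at: a server certificate that carries its name only in the SAN is rejected by the CN-only comparison although it is perfectly valid, while the fourth case shows the opposite edge, a CN that X509_check_host() deliberately stops trusting once the certificate has dNSName SANs.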