Bug #102088 Wrong description about SSL certificates with wildcards
Submitted: 29 Dec 2020 12:46 Modified: 8 Jan 2021 18:13
Reporter: Mitani Satoshi (OCA)
Status: Closed
Impact on me: None
Category:MySQL Server: Documentation Severity:S3 (Non-critical)
Version:8.0.12 OS:Any
Assigned to: CPU Architecture:Any
Tags: SSL, tls

[29 Dec 2020 12:46] Mitani Satoshi
Description:
The document below says:
"Host name identity verification also does not work with certificates that specify the Common Name using wildcards because that name is compared verbatim to the server name."

https://dev.mysql.com/doc/refman/8.0/en/using-encrypted-connections.html

As of MySQL 8.0.12, it looks like SSL certificates with wildcards are supported.
This PR enables wildcard support:
https://github.com/mysql/mysql-server/pull/196

How to repeat:
$  /home/vagrant/opt/mysql/mysql_8.0.11/bin/mysql -hdb01.example.com --ssl-ca=/home/vagrant/ssl/ca-cert.pem  --ssl-mode=VERIFY_IDENTITY  -utest -pPass@123
mysql: [Warning] Using a password on the command line interface can be insecure.
ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure

$  /home/vagrant/opt/mysql/mysql_8.0.12/bin/mysql -hdb01.example.com --ssl-ca=/home/vagrant/ssl/ca-cert.pem  --ssl-mode=VERIFY_IDENTITY  -utest -pPass@123
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 24
Server version: 8.0.22 MySQL Community Server - GPL

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \s
--------------
/home/vagrant/opt/mysql/mysql_8.0.12/bin/mysql  Ver 8.0.12 for linux-glibc2.12 on x86_64 (MySQL Community Server - GPL)

Connection id:		24
Current database:
Current user:		test@192.168.123.11
SSL:			Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
Current pager:		stdout
Using outfile:		''
Using delimiter:	;
Server version:		8.0.22 MySQL Community Server - GPL
Protocol version:	10
Connection:		db01.example.com via TCP/IP
Server characterset:	utf8mb4
Db     characterset:	utf8mb4
Client characterset:	utf8mb4
Conn.  characterset:	utf8mb4
TCP port:		3306
Uptime:			5 min 2 sec

Threads: 2  Questions: 24  Slow queries: 0  Opens: 144  Flush tables: 3  Open tables: 65  Queries per second avg: 0.079
--------------

mysql> show global variables like 'ssl_%';
+---------------+-----------------------------------+
| Variable_name | Value                             |
+---------------+-----------------------------------+
| ssl_ca        | /home/vagrant/ssl/ca-cert.pem     |
| ssl_capath    |                                   |
| ssl_cert      | /home/vagrant/ssl/server-cert.pem |
| ssl_cipher    |                                   |
| ssl_crl       |                                   |
| ssl_crlpath   |                                   |
| ssl_fips_mode | OFF                               |
| ssl_key       | /home/vagrant/ssl/server-key.pem  |
+---------------+-----------------------------------+
8 rows in set (0.00 sec)

$ openssl x509 -text -noout -in /home/vagrant/ssl/server-cert.pem  | head -n11
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Tokyo, L=Default City, O=Default Company Ltd, CN=ca.example.com
        Validity
            Not Before: Dec 29 06:23:56 2020 GMT
            Not After : Nov  7 06:23:56 2030 GMT
        Subject: C=JP, ST=Tokyo, L=Default City, O=Default Company Ltd, CN=*.example.com
        Subject Public Key Info:
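The two behaviours the report contrasts, the verbatim CN comparison the old documentation text describes and a wildcard-aware match, can be seen side by side in the following Python. This is an added illustration, not code from the bug report or from the MySQL server. The Subject line is the one printed by openssl in the report; the server names are constructed. Exactly which wildcard forms the 8.0.12 client accepts is not stated on this page, so the matching rules here (a single `*` only as the entire leftmost label, matching exactly one non-empty label, with at least two fixed labels to its right) follow RFC 6125 and are an assumption about MySQL's behaviour.

```python
# Added illustration (not MySQL code): hostname identity verification against a
# certificate subject, comparing the verbatim rule the old documentation text
# describes with a wildcard-aware rule modelled on RFC 6125.  Which wildcard
# forms the MySQL 8.0.12 client accepts is not stated in the report, so the
# rules in wildcard_match() are an assumption.
import re


def cn_from_subject(subject_line: str) -> str:
    """Extract the CN value from an OpenSSL-style 'Subject: C=JP, ..., CN=x' line."""
    match = re.search(r'(?:^|,\s*)CN\s*=\s*([^,]+)', subject_line)
    if match is None:
        raise ValueError("no CN in subject: %r" % subject_line)
    return match.group(1).strip()


def _norm(name: str) -> str:
    # DNS names are case-insensitive and a trailing dot is insignificant.
    return name.lower().rstrip('.')


def verbatim_match(cert_name: str, hostname: str) -> bool:
    """Pre-8.0.12 behaviour as the documentation described it: the CN is compared
    verbatim to the server name, so '*.example.com' never equals 'db01.example.com'."""
    return _norm(cert_name) == _norm(hostname)


def wildcard_match(cert_name: str, hostname: str) -> bool:
    """Wildcard-aware comparison (RFC 6125 style, assumed here):
    - a single '*' is accepted only as the entire leftmost label;
    - it matches exactly one non-empty label, so '*.example.com' covers
      'db01.example.com' but neither 'example.com' nor 'a.b.example.com';
    - a wildcard needs at least two fixed labels to its right ('*.com' is refused);
    - partial wildcards such as 'db*.example.com' are refused."""
    cert, host = _norm(cert_name), _norm(hostname)
    if '*' not in cert:
        return cert == host
    cert_labels = cert.split('.')
    host_labels = host.split('.')
    if cert_labels[0] != '*' or '*' in cert[1:] or len(cert_labels) < 3:
        return False
    if len(host_labels) != len(cert_labels) or not host_labels[0]:
        return False
    return host_labels[1:] == cert_labels[1:]


def verify_identity(subject_line: str, hostname: str) -> dict:
    """Evaluate both rules for one certificate subject and one server name."""
    cn = cn_from_subject(subject_line)
    return {"cn": cn,
            "verbatim": verbatim_match(cn, hostname),
            "wildcard": wildcard_match(cn, hostname)}


if __name__ == "__main__":
    # Subject line as printed by openssl in the report; the host names are constructed.
    SUBJECT = ("Subject: C=JP, ST=Tokyo, L=Default City, "
               "O=Default Company Ltd, CN=*.example.com")
    for host in ("db01.example.com", "example.com", "a.b.example.com"):
        print(host, verify_identity(SUBJECT, host))
```

For the report's own case the verbatim rule rejects `db01.example.com` against `CN=*.example.com` (the ERROR 2026 seen with the 8.0.11 client) while the wildcard rule accepts it; the same wildcard rule still refuses the bare `example.com`, a two-level subdomain, and a wildcard in anything but the leftmost label, which is the scope a reviewer would want confirmed before relying on a wildcard certificate with VERIFY_IDENTITY.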
[30 Dec 2020 13:55] MySQL Verification Team
Hello Mitani,

Thank you for the report and feedback.

regards,
Umesh
[8 Jan 2021 18:13] Paul DuBois
Posted by developer:
 
Thanks, will update the text to indicate this is possible as of MySQL 8.0.12.