Bug #89578 Contribution: Use native host check from OpenSSL
Submitted: 7 Feb 2018 21:17 Modified: 13 Apr 2018 17:09
Reporter: OCA Admin (OCA) Email Updates:
Status: Closed Impact on me:
Category:MySQL Server: C API (client library) Severity:S3 (Non-critical)
Version:5.7 OS:Any
Assigned to: CPU Architecture:Any
Tags: Contribution

[7 Feb 2018 21:17] OCA Admin
This bug tracks a contribution by Daniël van Eeden (Github user: dveeden) as described in http://github.com/mysql/mysql-server/pull/196

How to repeat:
See description

Suggested fix:
See contribution code attached
[7 Feb 2018 21:17] OCA Admin
Contribution submitted via Github - Use native host check from OpenSSL 
(*) Contribution by Daniël van Eeden (Github dveeden, mysql-server/pull/196#issuecomment-363080713): I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

Contribution: git_patch_167022308.txt (text/plain), 2.99 KiB.

[8 Feb 2018 4:34] MySQL Verification Team
Hello Daniël,

Thank you for the report and contribution.

[8 Feb 2018 8:01] Daniël van Eeden
Directly related:
Bug #68052 | SSL Certificate Subject ALT Names with IPs not respected with --ssl-verify-serve

Also the version should be 8.0 instead of 5.7
[7 Mar 2018 13:26] Ivo Roylev

In your contribution, calling the X509_check_host() function, you pass the X509_CHECK_FLAG_NO_WILDCARDS parameter.
Is there a reason why you limit the wildcards usage in the certificates?
[8 Mar 2018 11:54] Daniël van Eeden
There is no specific reason to have X509_CHECK_FLAG_NO_WILDCARDS.

However limiting wildcard usage can be a good thing do do from the start.
It is easier to later lift restrictions than put more restrictions in.

See also https://tools.ietf.org/html/rfc6125#section-7.2
[13 Apr 2018 17:09] Paul DuBois
Fixed in 8.0.12.

Previously, the --ssl-verify-server-cert option checked the Subject
value in the certificate but not the Subject Alternative Name value.
Now Subject Alternative Name is supported as well. Thanks to Daniël
van Eeden for the patch.
[13 Apr 2018 17:47] Jonathan Champ
To confirm, I hope you are checking the SAN first and only checking the Common Name as a backup for when the SAN is not defined.

From https://www.digicert.com/subject-alternative-name-compatibility.htm

"If a SSL Certificate has a Subject Alternative Name (SAN) field, then SSL clients are supposed to ignore the Common Name value and seek a match in the SAN list."
[4 Jun 2018 14:56] Paul DuBois
Revised changelog entry:

Previously, for the --ssl-mode=VERIFY_IDENTITY option, the client
checked the Common Name value in the certificate but not the Subject
Alternative Name value. Now the client checks whether the host name
that it uses for connecting matches the Subject Alternative Name
value or the Common Name value in the server certificate. Thanks to
Daniël van Eeden for the patch.