Description:
When configuring group replication with SSL, bootstrapping fails with this error in the error log:
2019-04-20T04:14:34.517624Z 0 [ERROR] [MY-011735] [Repl] Plugin group_replication reported: '[GCS] Expected hostname is '*.q-g81.bosh' but found the name 'q-m40n1s0.q-g81.bosh' in the server certificate'
2019-04-20T04:14:34.517810Z 0 [ERROR] [MY-011735] [Repl] Plugin group_replication reported: '[GCS] Error connecting to the local group communication engine instance.'
2019-04-20T04:14:34.532290Z 0 [ERROR] [MY-011735] [Repl] Plugin group_replication reported: '[GCS] The member was unable to join the group. Local port: 4306'
The certificate has the following subject:
Subject: CN=*.q-g81.bosh
X509v3 Subject Alternative Name:
DNS:*.q-g81.bosh
This certificate works for asynchronous replication, but fails with group replication.
How to repeat:
Attempt to bootstrap group replication using SSL certificates that contain a wildcard certificate or a certificate whose hostname is in the subject alternative name, but not the common name.
Suggested fix:
Support X509_check_host instead of a direct string comparison to the certificate common name, similar to a "normal" MySQL client connection.
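
Added example (not part of the original report, and not MySQL or OpenSSL code): a simplified C sketch of the difference between an exact string comparison and the SAN-first, wildcard-aware matching that X509_check_host performs. The function names, the SAN array and the rule that rejects "*.tld" are assumptions made for this illustration; the host and certificate names are the ones from the log above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two DNS names. */
static int eq_nocase(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* The behaviour the report describes: certificate name must equal the host. */
static int match_exact(const char *cert_name, const char *host) {
    return eq_nocase(cert_name, host);
}

/* Wildcard-aware match: "*" is accepted only as the entire left-most label
 * and stands for exactly one non-empty label of the host name. */
static int match_wildcard(const char *pattern, const char *host) {
    if (strncmp(pattern, "*.", 2) != 0)
        return eq_nocase(pattern, host);
    const char *suffix = pattern + 1;        /* e.g. ".q-g81.bosh" */
    const char *dot = strchr(host, '.');     /* end of the host's first label */
    if (dot == NULL || dot == host)          /* no dot, or empty first label */
        return 0;
    if (strchr(suffix + 1, '.') == NULL)     /* sketch's choice: refuse "*.tld" */
        return 0;
    return eq_nocase(dot, suffix);
}

/* SAN DNS names take precedence; the CN is consulted only when the
 * certificate carries no SAN DNS names at all. */
static int cert_matches_host(const char *cn, const char *const *sans,
                             size_t n_sans, const char *host) {
    if (n_sans == 0)
        return cn != NULL && match_wildcard(cn, host);
    for (size_t i = 0; i < n_sans; i++)
        if (match_wildcard(sans[i], host))
            return 1;
    return 0;
}

int main(void) {
    const char *sans[] = { "*.q-g81.bosh" };   /* SAN from the report */
    const char *host = "q-m40n1s0.q-g81.bosh"; /* member name from the log */
    printf("exact CN comparison: %d\n", match_exact("*.q-g81.bosh", host));
    printf("SAN + wildcard check: %d\n",
           cert_matches_host("*.q-g81.bosh", sans, 1, host));
    return 0;
}
```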