| Bug #97738 | cannot use Connector/NET with pem files when account uses "require subject" | | |
|---|---|---|---|
| Submitted: | 21 Nov 2019 18:37 | Modified: | 6 Feb 2020 22:52 |
| Reporter: | Oliver Steinau | Email Updates: | |
| Status: | No Feedback | Impact on me: | |
| Category: | Connector / NET | Severity: | S2 (Serious) |
| Version: | 8.0.18 | OS: | Windows (10) |
| Assigned to: | | CPU Architecture: | Any |
[21 Nov 2019 18:39]
Oliver Steinau
client certificate
Attachment: client-cert.pem (application/octet-stream, text), 1.07 KiB.
[21 Nov 2019 18:39]
Oliver Steinau
client key
Attachment: client-key.pem (application/octet-stream, text), 1.66 KiB.
[22 Nov 2019 2:19]
Bradley Grainger
It looks like Connector/NET simply uses an empty collection for the client certificates if they're supplied in PEM format: https://github.com/mysql/mysql-connector-net/blob/133dbe5a678d5bd7f1a8adffd7dc28d4f7d20d2b... This scenario works correctly in https://www.nuget.org/packages/MySqlConnector/ which dynamically creates an X.509 certificate from the client certificate PEM files and uses it for mutual authentication.
[22 Nov 2019 12:50]
Oliver Steinau
this is ridiculous. Bradley, thank you for providing a working implementation.
[4 Dec 2019 5:56]
Bradley Grainger
This bug may be a duplicate of the second part of bug #95436.
[6 Jan 2020 22:52]
MySQL Verification Team
Please check for duplicate with bug https://bugs.mysql.com/bug.php?id=95436. Thanks.
[7 Feb 2020 1:00]
Bugs System
No feedback was provided for this bug for over a month, so it is being suspended automatically. If you are able to provide the information that was originally requested, please do so and change the status of the bug back to "Open".

Description:
I have created a client and a server certificate using the auto-generated CA.pem from the MySQL server installation. Also, there is a user created like this:

```sql
create user testuser@localhost identified by 'abc' require subject '/C=DE/L=Berlin/O=d2m/CN=d2m-vvk';
```

I can successfully log in using the mysql command line tool using those certificates like this:

```
mysql.exe -u testuser -p --ssl-ca=d:/certs/ca.pem --ssl-cert=d:/certs/client-cert.pem --ssl-key=d:/certs/client-key.pem --ssl-mode=verify_ca
```

However, I cannot use Connector/NET using those certificates. I tried the following:

```csharp
using MySql.Data.MySqlClient;

// PEM client certificate and key passed via SslCert / SslKey
MySqlConnectionStringBuilder csb2 = new MySqlConnectionStringBuilder
{
    Server = "localhost",
    UserID = "testuser",
    Password = "abc",
    SslMode = MySqlSslMode.Required,
    SslCa = @"d:\certs\ca.pem",
    SslCert = @"d:\certs\client-cert.pem",
    SslKey = @"d:\certs\client-key.pem"
};
MySqlConnection conn = new MySqlConnection(csb2.ToString());
```

Calling "conn.Open()" throws an exception saying:

```
Authentication to host 'localhost' for user 'testuser' using method 'caching_sha2_password' failed with message: Access denied for user 'testuser'@'localhost' (using password: YES)
```

(same for SslMode = VerifyCA or VerifyFull).

However, when I convert the certificates to pkcs#12 using:

```
openssl.exe pkcs12 -export -out client.pfx -inkey client-key.pem -in client-cert.pem -certfile ca.pem
```

and use the following:

```csharp
using MySql.Data.MySqlClient;

// PKCS#12 bundle passed via CertificateFile / CertificatePassword
MySqlConnectionStringBuilder csb1 = new MySqlConnectionStringBuilder
{
    Database = "xroot",
    Server = "localhost",
    UserID = "testuser",
    Password = "abc",
    SslMode = MySqlSslMode.Required,
    CertificateFile = "d:/certs/client.pfx",
    CertificatePassword = "client-pass"
};
MySqlConnection conn = new MySqlConnection(csb1.ToString());
conn.Open();
```

everything works fine.
As a side note: using SslMode=MySqlSslMode.VerifyCA with the .pfx file throws the following exception: "The remote certificate is invalid according to validation procedures". Using the certificates in pem format works absolutely fine with Connector/Python, by the way.

How to repeat:
see above code excerpts plus attached files
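As an added example (not code from the bug report, Connector/NET or MySqlConnector), the following C# does in-process what the description's openssl step and Bradley's comment describe: it loads the PEM certificate and key, renders the subject in the slash form that REQUIRE SUBJECT uses so it can be compared with the account's clause, and writes the PKCS#12 file that Connector/NET's CertificateFile accepts. It assumes .NET 7 or later plus the paths and subject from the report; the class, method and password names are hypothetical.

```csharp
// Added example, not from the bug report or Connector/NET. Assumes .NET 7+
// (EnumerateRelativeDistinguishedNames) and the paths/values from the report.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static class PemClientCert
{
    // Attribute type OIDs mapped to the short names OpenSSL and MySQL print.
    static readonly Dictionary<string, string> Names = new()
    {
        ["2.5.4.6"] = "C", ["2.5.4.8"] = "ST", ["2.5.4.7"] = "L", ["2.5.4.10"] = "O",
        ["2.5.4.11"] = "OU", ["2.5.4.3"] = "CN", ["1.2.840.113549.1.9.1"] = "emailAddress",
    };

    // Render the subject the way REQUIRE SUBJECT expects it (encoded order,
    // slash separated): "/C=DE/L=Berlin/O=d2m/CN=d2m-vvk". cert.Subject is
    // comma separated and CN-first, so it cannot be compared directly.
    public static string OpenSslSubject(X509Certificate2 cert)
    {
        var parts = cert.SubjectName.EnumerateRelativeDistinguishedNames()
            .Select(rdn =>
            {
                string oid = rdn.GetSingleElementType().Value ?? "";
                string name = Names.TryGetValue(oid, out var n) ? n : oid;
                return $"{name}={rdn.GetSingleElementValue()}";
            });
        return "/" + string.Join("/", parts);
    }

    public static void Main()
    {
        const string required = "/C=DE/L=Berlin/O=d2m/CN=d2m-vvk"; // from the CREATE USER
        using var cert = X509Certificate2.CreateFromPemFile(
            @"d:\certs\client-cert.pem", @"d:\certs\client-key.pem");
        // A subject mismatch gives the same "Access denied" as a missing client cert.
        string subject = OpenSslSubject(cert);
        if (subject != required)
            throw new InvalidOperationException(
                $"subject '{subject}' does not match REQUIRE SUBJECT '{required}'");
        // Leaf cert plus key only (no CA chain, unlike openssl -certfile); the
        // placeholder password must equal CertificatePassword in the connection string.
        File.WriteAllBytes(@"d:\certs\client.pfx",
            cert.Export(X509ContentType.Pkcs12, "client-pass"));
        Console.WriteLine($"subject OK ({subject}); wrote client.pfx");
    }
}
```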