Bug #97738 cannot use Connector/NET with pem files when account uses "require subject"
Submitted: 21 Nov 2019 18:37 Modified: 6 Feb 2020 22:52
Reporter: Oliver Steinau Email Updates:
Status: No Feedback Impact on me:
Category:Connector / NET Severity:S2 (Serious)
Version:8.0.18 OS:Microsoft Windows (10)
Assigned to: CPU Architecture:Any

[21 Nov 2019 18:37] Oliver Steinau
I have created a client and a server certificate using the auto-generated CA.pem from the MySQL server installation. Also, there is a user created like this:

create user testuser@localhost identified by 'abc' require subject '/C=DE/L=Berlin/O=d2m/CN=d2m-vvk';

I can successfully log in using the mysql command line tool using those certificates like this:

mysql.exe -u testuser -p --ssl-ca=d:/certs/ca.pem --ssl-cert=d:/certs/client-cert.pem --ssl-key=d:/certs/client-key.pem --ssl-mode=verify_ca

However, I cannot use Connector/NET using those certificates. I tried the following:

MySqlConnectionStringBuilder csb2 = new MySqlConnectionStringBuilder {
                Server = "localhost",
                UserID = "testuser",
                Password = "abc",
                SslMode = MySqlSslMode.Required,
                SslCa = @"d:\certs\ca.pem",
                SslCert = @"d:\certs\client-cert.pem",
                SslKey = @"d:\certs\client-key.pem"
MySqlConnection conn = new MySqlConnection(csb2.ToString());

calling "conn.Open()" throws an exception saying:
Authentication to host 'localhost' for user 'testuser' using method 'caching_sha2_password' failed with message: Access denied for user 'testuser'@'localhost' (using password: YES)
(same for SslMode = VerifyCA or VerifyFull).

However, when I convert the certificates to pkcs#12 using:
openssl.exe pkcs12 -export -out client.pfx -inkey client-key.pem -in client-cert.pem -certfile ca.pem

and use the following:
MySqlConnectionStringBuilder csb1 = new MySqlConnectionStringBuilder {
                Database = "xroot",
                Server = "localhost",
                UserID = "testuser",
                Password = "abc",
                SslMode = MySqlSslMode.Required,
                CertificateFile = "d:/certs/client.pfx",
                CertificatePassword = "client-pass"
MySqlConnection conn = new MySqlConnection(csb1.ToString());

, everything works fine.

As a side-node: using SslMode=MySqlSslMode.VerifyCA with the .pfx file throws the following exception: "The remote certificate is invalid according to validation procedures")

Using the certificates in pem format works absolutely fine with Connector/Python, by the way.

How to repeat:
see above code excerpts plus attached files
[21 Nov 2019 18:38] Oliver Steinau

Attachment: ca.pem (application/octet-stream, text), 1.09 KiB.

[21 Nov 2019 18:39] Oliver Steinau
client certificate

Attachment: client-cert.pem (application/octet-stream, text), 1.07 KiB.

[21 Nov 2019 18:39] Oliver Steinau
client key

Attachment: client-key.pem (application/octet-stream, text), 1.66 KiB.

[22 Nov 2019 2:19] Bradley Grainger
It looks like Connector/NET simply uses an empty collection for the client certificates if they're supplied in PEM format: https://github.com/mysql/mysql-connector-net/blob/133dbe5a678d5bd7f1a8adffd7dc28d4f7d20d2b...

This scenario works correctly in https://www.nuget.org/packages/MySqlConnector/ which dynamically creates an X.509 certificate from the client certificate PEM files and uses it for mutual authentication.
[22 Nov 2019 12:50] Oliver Steinau
this is rediculous.

Bradley, thank you for providing a working implementation.
[4 Dec 2019 5:56] Bradley Grainger
This bug may be a duplicate of the second part of bug #95436.
[6 Jan 2020 22:52] MySQL Verification Team
Please check for duplicate with bug https://bugs.mysql.com/bug.php?id=95436. Thanks.
[7 Feb 2020 1:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".