
enterprise-support team mailing list archive

[Bug 1673656] [NEW] SSL Certificate Subject ALT Names with IPs or DNS: not respected with --ssl-verify-server-cert

 

Public bug reported:

https://github.com/percona/percona-server/blob/5.6/sql-common/client.c#L1894-L1898

X509_VERIFY_PARAM_set1_host or X509_VERIFY_PARAM_add1_host or
X509_check_host while checking common name.


Major issue happening with Aurora cluster:

"In order to connect to the cluster endpoint using SSL, your client connection utility must support Subject Alternative Names (SAN). If your client connection utility doesn't support SAN, you can connect directly to the instances in your Aurora DB cluster. For more information on Aurora endpoints, see Aurora Endpoints."
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Aurora.Connect.html


Upstream bug:
https://bugs.mysql.com/bug.php?id=68052

** Affects: mysql-server
     Importance: Unknown
         Status: Unknown

** Affects: percona-server
     Importance: Undecided
         Status: Confirmed

** Affects: percona-server/5.5
     Importance: Undecided
         Status: New

** Affects: percona-server/5.6
     Importance: Undecided
         Status: Confirmed

** Affects: percona-server/5.7
     Importance: Undecided
         Status: Confirmed


** Tags: i177067 ssl upstream

** Bug watch added: MySQL Bug System #68052
   http://bugs.mysql.com/bug.php?id=68052

** Also affects: mysql-server via
   http://bugs.mysql.com/bug.php?id=68052
   Importance: Unknown
       Status: Unknown

** Tags added: i177067

** Also affects: percona-server/5.7
   Importance: Undecided
       Status: Confirmed

** Also affects: percona-server/5.5
   Importance: Undecided
       Status: New

** Also affects: percona-server/5.6
   Importance: Undecided
       Status: New

** Changed in: percona-server/5.6
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to MySQL.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1673656

Title:
  SSL Certificate Subject ALT Names with IPs or DNS: not respected with
  --ssl-verify-server-cert

To manage notifications about this bug go to:
https://bugs.launchpad.net/mysql-server/+bug/1673656/+subscriptions
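
The report above contrasts checking only the certificate's common name with a check that also honours Subject Alternative Names. The following is an added illustration, not code from Percona Server or from this report, of that difference in plain C over a constructed `cert_names` struct instead of a real X509 object. The struct, the function names and the `example.test` / `192.0.2.10` values are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the names in a parsed server certificate. */
struct cert_names {
    const char *cn;         /* subject Common Name */
    const char *san_dns[4]; /* subjectAltName dNSName entries, NULL-terminated */
    const char *san_ip[4];  /* subjectAltName iPAddress entries, textual form */
};

static int eq_nocase(const char *a, const char *b) {
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == '\0' && *b == '\0';
}

/* CN-only comparison: the behaviour the bug report describes. */
int verify_cn_only(const struct cert_names *c, const char *peer) {
    return c->cn != NULL && eq_nocase(c->cn, peer);
}

/* SAN-aware check: IP literals match only iPAddress entries; when any
 * dNSName entry exists the CN is ignored (RFC 6125 behaviour). */
int verify_san_aware(const struct cert_names *c, const char *peer) {
    int i, is_ip = strchr(peer, ':') || strspn(peer, "0123456789.") == strlen(peer);
    if (is_ip) {
        for (i = 0; i < 4 && c->san_ip[i]; i++)
            if (strcmp(c->san_ip[i], peer) == 0) return 1; /* real code compares bytes */
        return 0;
    }
    if (c->san_dns[0] == NULL)
        return verify_cn_only(c, peer); /* legacy fallback, no dNSName present */
    for (i = 0; i < 4 && c->san_dns[i]; i++)
        if (eq_nocase(c->san_dns[i], peer)) return 1;
    return 0;
}

/* Constructed sample: CN names one instance, SAN adds the cluster endpoint. */
static const struct cert_names SAMPLE = {
    "db-instance-1.example.test",
    {"db-instance-1.example.test", "db-cluster.example.test", NULL},
    {"192.0.2.10", NULL}
};

int main(void) {
    const char *peer = "db-cluster.example.test";
    printf("cn_only=%d san_aware=%d\n", verify_cn_only(&SAMPLE, peer), verify_san_aware(&SAMPLE, peer));
    return 0;
}
```

Wildcard entries are left out to keep the example to the DNS and IP cases named in the bug title.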

