mirror of https://github.com/MariaDB/server.git, synced 2025-01-17 04:22:27 +01:00
commit c7e68606c0
FOUND

Description:- Failure during the validation of the CA certificate path which is provided as an option for 'ssl-ca' returns two different errors for YaSSL and OpenSSL.

Analysis:- 'ssl-ca' is the option used for specifying the SSL CA certificate path. Failing to validate this certificate with OpenSSL returns an error, "ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed", while YaSSL returns "ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation". The error returned by OpenSSL is correct, since "SSL_CTX_load_verify_locations()" returns 0 (in case of OpenSSL) for the failure and sets the error as "SSL_INITERR_BAD_PATHS". In case of YaSSL, "SSL_CTX_load_verify_locations()" returns an error number which is less than or equal to 0 in case of error. Error numbers for YaSSL are listed in the file 'extra/yassl/include/openssl/ssl.h' (line no: 292). Also, 'ssl-ca' does not accept tilde home directory path substitution.

Fix:- The condition which checks for the error in "SSL_CTX_load_verify_locations()" is changed in order to accommodate YaSSL as well. Logic is written in "mysql_ssl_set()" in order to accept tilde home directory path substitution for all ssl options.
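The two defects named in the commit message, shown as an added example that is not MySQL or MariaDB code: the return-value check that has to treat both OpenSSL's 0 and yaSSL's negative codes as failure, and a tilde expansion that is applied to an SSL option path before the path is handed to the TLS library. The function names (verify_locations_failed, expand_tilde_with_home, expand_tilde, expands_to) are assumptions for this example; the real fix lives in mysql_ssl_set() and the check in the client SSL setup code, neither of which is reproduced here. The example needs no TLS library: it only models the return-code contract the message describes.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Return-code check for SSL_CTX_load_verify_locations().
   OpenSSL returns 1 on success and 0 on failure; yaSSL returns an error
   number that is <= 0 on failure.  A check written as "== 0" therefore
   lets a yaSSL failure (e.g. -1) pass silently, which is the bug class
   "ssl-ca fails silently".  "<= 0" covers both libraries.
   (Illustrative helper, not a MySQL function.) */
int verify_locations_failed(int rc)
{
    return rc <= 0;
}

/* Expand a leading "~" (current user's home, passed in as `home` so the
   result is deterministic) or "~user" (looked up with getpwnam()) in `in`
   into `out` (capacity `outlen`).  Paths without a leading tilde are
   copied unchanged.  Returns 0 on success, -1 on an unknown user or a
   too-small buffer; the caller must treat -1 as an error rather than
   silently using the unexpanded string.  (Illustrative, not mysql_ssl_set().) */
int expand_tilde_with_home(const char *in, const char *home,
                           char *out, size_t outlen)
{
    const char *prefix = NULL;
    const char *rest = in;

    if (in[0] == '~') {
        const char *slash = strchr(in, '/');
        size_t namelen = slash ? (size_t)(slash - in - 1) : strlen(in) - 1;
        rest = slash ? slash : in + strlen(in);   /* "" when nothing follows */
        if (namelen == 0) {
            prefix = home;                          /* "~" or "~/..." */
        } else {
            char name[256];                         /* "~user" or "~user/..." */
            if (namelen >= sizeof name) return -1;
            memcpy(name, in + 1, namelen);
            name[namelen] = '\0';
            struct passwd *pw = getpwnam(name);
            if (!pw) return -1;                     /* unknown user: report it */
            prefix = pw->pw_dir;
        }
    }

    if (!prefix) {                                  /* no tilde: plain copy */
        if (strlen(in) >= outlen) return -1;
        strcpy(out, in);
        return 0;
    }
    if (snprintf(out, outlen, "%s%s", prefix, rest) >= (int)outlen)
        return -1;                                  /* would have truncated */
    return 0;
}

/* Convenience wrapper: take the home directory from $HOME, falling back to
   the passwd entry of the effective user when $HOME is unset or empty. */
int expand_tilde(const char *in, char *out, size_t outlen)
{
    const char *home = getenv("HOME");
    if (!home || !*home) {
        struct passwd *pw = getpwuid(getuid());
        if (!pw) return -1;
        home = pw->pw_dir;
    }
    return expand_tilde_with_home(in, home, out, outlen);
}

/* Check helper: 1 if `in` expands (using `home`) to exactly `expected`. */
int expands_to(const char *in, const char *home, const char *expected)
{
    char buf[512];
    return expand_tilde_with_home(in, home, buf, sizeof buf) == 0
           && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample option values, as a client might receive them
       from --ssl-ca / --ssl-cert / --ssl-key. */
    const char *samples[] = { "/etc/ssl/ca.pem", "~/ca.pem", "~",
                              "~no_such_user_xyz/ca.pem" };
    char buf[512];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (expand_tilde(samples[i], buf, sizeof buf) == 0)
            printf("%-28s -> %s\n", samples[i], buf);
        else
            printf("%-28s -> error (unknown user or buffer too small)\n",
                   samples[i]);
    }
    /* rc values as the two libraries would return them on failure */
    printf("OpenSSL rc=0 failed: %d, yaSSL rc=-1 failed: %d, rc=1 failed: %d\n",
           verify_locations_failed(0), verify_locations_failed(-1),
           verify_locations_failed(1));
    return 0;
}
```

The two checks belong together: expanding the tilde only matters if a path that still cannot be loaded afterwards is reported as an error, which is what the "<= 0" comparison guarantees for both libraries.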
24 lines
889 B
Text
#
# Bug#21920657: SSL-CA FAILS SILENTLY IF THE PATH CANNOT BE FOUND
#
# try to connect with wrong '--ssl-ca' path : should fail
ERROR 2026 (HY000): SSL connection error: SSL_CTX_set_default_verify_paths failed
# try to connect with correct '--ssl-ca' path : should connect
Variable_name	Value
Ssl_cipher	DHE-RSA-AES256-SHA
#
# Bug#21920678: SSL-CA DOES NOT ACCEPT ~USER TILDE HOME DIRECTORY
# PATH SUBSTITUTION
#
# try to connect with '--ssl-ca' option using tilde home directory
# path substitution : should connect
Variable_name	Value
Ssl_cipher	DHE-RSA-AES256-SHA
# try to connect with '--ssl-key' option using tilde home directory
# path substitution : should connect
Variable_name	Value
Ssl_cipher	DHE-RSA-AES256-SHA
# try to connect with '--ssl-cert' option using tilde home directory
# path substitution : should connect
Variable_name	Value
Ssl_cipher	DHE-RSA-AES256-SHA