MDEV-10594 SSL hostname verification fails for SubjectAltNames
use X509_check_host for OpenSSL 1.0.2+
This adds:
* support for subjectAltNames
* wildcards
* sub-domain matching
vuvova committed Apr 27, 2017
1 parent b8c8405 commit 1b27c25
Showing 6 changed files with 103 additions and 10 deletions.
7 changes: 7 additions & 0 deletions mysql-test/lib/generate-ssl-certs.sh
Expand Up @@ -29,4 +29,11 @@ openssl req -newkey rsa:1024 -keyout client-key.pem -out demoCA/client-req.pem -
openssl rsa -in client-key.pem -out client-key.pem
openssl ca -keyfile cakey.pem -days 7300 -batch -cert cacert.pem -policy policy_anything -out client-cert.pem -infiles demoCA/client-req.pem

# with SubjectAltName, only for OpenSSL 1.0.2+
cat > demoCA/sanext.conf <<EOF
subjectAltName=DNS:localhost
EOF
openssl req -newkey rsa:1024 -keyout serversan-key.pem -out demoCA/serversan-req.pem -days 7300 -nodes -subj '/CN=server/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB'
openssl ca -keyfile cakey.pem -extfile demoCA/sanext.conf -days 7300 -batch -cert cacert.pem -policy policy_anything -out serversan-cert.pem -infiles demoCA/serversan-req.pem

rm -rf demoCA
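Review bot: The new serversan key is generated with `rsa:1024`, matching the older test keys, but OpenSSL builds whose default security level is 2 (the default on several current distributions) reject RSA keys shorter than 2048 bits during the handshake, so on such builds this combination would presumably fail before hostname checking is ever reached; `-newkey rsa:2048` costs nothing for a test fixture. The deliberate mismatch between `/CN=server` and `subjectAltName=DNS:localhost` is what makes the test prove that the SAN path, not the CN fallback, is used, and that intent deserves a comment above the heredoc, e.g. `# CN deliberately differs from the SAN: the client connects to 'localhost', so only SAN matching can succeed`. The rest of the script runs outside this hunk.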
60 changes: 60 additions & 0 deletions mysql-test/std_data/serversan-cert.pem
@@ -0,0 +1,60 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4 (0x4)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=cacert, C=FI, ST=Helsinki, L=Helsinki, O=MariaDB
Validity
Not Before: Apr 25 20:52:33 2017 GMT
Not After : Apr 20 20:52:33 2037 GMT
Subject: C=FI, ST=Helsinki, L=Helsinki, O=MariaDB, CN=server
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:a7:74:d4:2b:80:cb:96:08:2a:b9:c2:87:18:0d:
69:2b:da:cf:ef:21:cb:05:d4:80:2c:f3:85:bc:78:
b2:42:d9:9f:f1:dc:47:68:c5:af:5a:c9:01:f0:dd:
91:cb:3a:b9:38:b2:36:6b:a3:66:ef:cd:44:0f:8f:
39:57:60:ad:3b:44:33:51:c2:7f:cb:5c:8d:55:b8:
1e:e8:80:e0:ed:9d:8d:10:7a:42:68:73:06:63:83:
ce:db:05:5b:e1:7b:f9:0e:87:20:38:b8:11:6a:b7:
59:3d:4a:ca:cb:60:e6:e1:73:d9:a2:24:4a:70:93:
5e:cf:d5:04:d5:ad:ac:96:a5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:localhost
Signature Algorithm: sha256WithRSAEncryption
4b:78:d9:09:4c:25:cc:fb:17:8f:31:13:ac:d7:36:2d:5f:d4:
ce:94:84:d2:a7:fa:e2:1e:ae:b6:72:1f:01:56:0f:89:80:c0:
01:ba:ad:d7:cb:24:c5:25:ec:f8:35:ac:52:1b:4f:af:7c:26:
8d:d4:d4:91:05:21:b7:ba:3f:6b:1b:8d:1d:a5:6b:7e:7d:be:
2f:6a:09:83:c2:c3:6c:2f:8a:31:fa:7b:36:3f:6d:e1:62:ca:
a0:3c:43:b8:53:5a:4a:b3:4d:7a:cb:9c:6e:db:a4:ce:a1:95:
5e:26:d8:22:39:8c:34:0e:92:bd:87:a2:b1:7a:68:25:57:17:
b2:d8:43:3b:98:e4:80:6b:7d:3e:ab:32:82:6d:b8:80:45:83:
d6:55:f8:cd:31:74:17:8c:42:75:09:71:66:b9:e0:94:16:ca:
1d:db:1e:89:12:a1:9f:00:cb:83:99:5d:5d:28:7a:df:2a:87:
b5:8d:f1:9c:b9:89:2a:0d:6c:af:61:00:41:cb:03:df:99:4a:
fe:93:81:88:ff:47:4e:2a:b5:2b:bf:85:0f:9a:21:7b:20:58:
7a:1c:67:b5:8b:da:db:03:69:25:db:76:0e:f9:23:57:8d:8a:
47:dc:15:16:7c:2d:66:8f:6a:10:f3:b2:ea:2e:31:c6:d4:2c:
90:15:56:f4
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
16 changes: 16 additions & 0 deletions mysql-test/std_data/serversan-key.pem
@@ -0,0 +1,16 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
4 changes: 4 additions & 0 deletions mysql-test/suite.pm
Expand Up @@ -66,6 +66,10 @@ sub skip_combinations {
unless $::mysqld_variables{'version-ssl-library'} =~ /OpenSSL (\S+)/
and $1 ge "1.0.1d";

$skip{'t/ssl_7937.combinations'} = [ 'x509v3' ]
unless $::mysqld_variables{'version-ssl-library'} =~ /OpenSSL (\S+)/
and $1 ge "1.0.2";

%skip;
}

5 changes: 5 additions & 0 deletions mysql-test/t/ssl_7937.combinations
@@ -1,3 +1,8 @@
[x509v3]
--loose-enable-ssl
--loose-ssl-cert=$MYSQL_TEST_DIR/std_data/serversan-cert.pem
--loose-ssl-key=$MYSQL_TEST_DIR/std_data/serversan-key.pem

[ssl]
--loose-enable-ssl

21 changes: 11 additions & 10 deletions sql-common/client.c
Expand Up @@ -1768,15 +1768,22 @@ mysql_get_ssl_cipher(MYSQL *mysql __attribute__((unused)))

#if defined(HAVE_OPENSSL)

#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(HAVE_YASSL)


9EOR9 May 7, 2017

Contributor

X509_check_host isn't available in LibreSSL

should be
#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(HAVE_YASSL) && !defined(LIBRESSL_VERSION_NUMBER)


vuvova May 7, 2017

Author Member

Thanks. In 10.1 it wasn't an issue, I'll fix in 10.2

#include <openssl/x509v3.h>
#define HAVE_X509_check_host
#endif

static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const char **errptr)
{
SSL *ssl;
X509 *server_cert= NULL;
#ifndef HAVE_X509_check_host
char *cn= NULL;
int cn_loc= -1;
ASN1_STRING *cn_asn1= NULL;
X509_NAME_ENTRY *cn_entry= NULL;
X509_NAME *subject= NULL;
#endif
int ret_validation= 1;

DBUG_ENTER("ssl_verify_server_cert");
Expand Down Expand Up @@ -1811,22 +1818,16 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c
are what we expect.
*/

/*
Some notes for future development
We should check host name in alternative name first and then if needed check in common name.
Currently yssl doesn't support alternative name.
openssl 1.0.2 support X509_check_host method for host name validation, we may need to start using
X509_check_host in the future.
*/

#ifdef HAVE_X509_check_host
ret_validation= X509_check_host(server_cert, server_hostname, 0, 0, 0) != 1;
#else
subject= X509_get_subject_name(server_cert);
cn_loc= X509_NAME_get_index_by_NID(subject, NID_commonName, -1);
if (cn_loc < 0)
{
*errptr= "Failed to get CN location in the certificate subject";
goto error;
}

cn_entry= X509_NAME_get_entry(subject, cn_loc);
if (cn_entry == NULL)
{
Expand Down Expand Up @@ -1855,7 +1856,7 @@ static int ssl_verify_server_cert(Vio *vio, const char* server_hostname, const c
/* Success */
ret_validation= 0;
}

#endif
*errptr= "SSL certificate validation failure";

error:
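Review bot: `X509_check_host()` on the `ret_validation=` line matches only dNSName SAN entries (with the CN as fallback), so when `server_hostname` is an IP literal that string is compared as a DNS name and iPAddress SAN entries are never consulted; a certificate correctly carrying `IP:127.0.0.1` would be rejected, while one with a bare `CN=127.0.0.1` and no DNS SANs would presumably still pass through the CN fallback. If IP-literal connections are meant to verify, detect that case and use `X509_check_ip_asc(server_cert, server_hostname, 0) == 1` for it, keeping the `!= 1` fail-closed treatment of the -1/-2 error returns that the new line already gets right. Passing `0` for flags also leaves partial wildcards such as `www*.example.com` accepted; `X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS` would be the conservative choice and the decision is worth a comment either way. The `#define HAVE_X509_check_host` guard in the first hunk is mixed-case unlike the neighbouring `HAVE_OPENSSL`/`HAVE_YASSL` macros; `HAVE_X509_CHECK_HOST` would follow the file's convention. `ssl_verify_server_cert` begins before this hunk and its `error:` cleanup continues past its end.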

0 comments on commit 1b27c25