diff --git a/documentation/ssl.md b/documentation/ssl.md
index a19df79a..bd52b84c 100644
--- a/documentation/ssl.md
+++ b/documentation/ssl.md
@@ -140,12 +140,12 @@ Example:
 });
 ```
-See [possible protocol] (https://www.openssl.org/docs/man1.0.2/ssl/ssl.html#DEALING-WITH-PROTOCOL-METHODS) values.
+See [possible protocol](https://www.openssl.org/docs/man1.0.2/ssl/ssl.html#DEALING-WITH-PROTOCOL-METHODS) values.
 ## Two-way SSL authentication
-Mutual SSL authentication or certificate based mutual authentication refers to two parties authenticating each other through verifying the provided digital certificate so that both parties are assured of the others' identity.
+Mutual SSL authentication or certificate based mutual authentication refers to two parties authenticating each other through verifying the provided digital certificate so that both parties are assured of the other's identity.
 To enable mutual authentication, the user must be created with `REQUIRE X509` so the server asks the driver for client certificates. **If the user is not set with `REQUIRE X509`, only one way authentication will be done**
@@ -153,7 +153,8 @@ To enable mutual authentication, the user must be created with `REQUIRE X509` so
 The client (driver) must then have its own certificate too (and related private key). If the driver doesn't provide a certificate, and the user used to connect is defined with `REQUIRE X509`, the server will then return a basic "Access denied for user".
-Check how the user is defined with `select SSL_TYPE, SSL_CIPHER, X509_ISSUER, X509_SUBJECT FROM mysql.user u where u.User = 'myUser'`.
+
+It may be interesting to check how the user is defined with `select SSL_TYPE, SSL_CIPHER, X509_ISSUER, X509_SUBJECT FROM mysql.user u where u.User = 'myUser'`because server might required some verification.
 Example:
 ```sql
@@ -218,6 +219,14 @@ Generating an encrypted keystore in PKCS12 format :
 });
 ```
+## F.A.Q.
+#### error Hostname/IP doesn't match certificate's altnames
+Client will verify certificate SAN (subject alternatives names) and CN to ensure certificate correspond to the hostname.
+If certificate's SAN /CN does not correspond to the `host` option, you will have an error like :
+```
+Hostname/IP doesn't match certificate's altnames: "Host: other.example.com. is not cert's CN: mariadb.example.com"
+```
+solution : correct `host` value to correspond certificate
diff --git a/test/integration/test-ssl.js b/test/integration/test-ssl.js
index 74133d71..6c339392 100644
--- a/test/integration/test-ssl.js
+++ b/test/integration/test-ssl.js
@@ -351,9 +351,9 @@ describe("ssl", function() {
 if (!ca) this.skip();
 const clientKeyFileName =
- process.env.TEST_SSL_CLIENT_KEY_FILE || __dirname + "/../certificats/client.key";
+ process.env.TEST_SSL_CLIENT_KEY_FILE || (__dirname + "/../certificats/client.key");
 const clientCertFileName =
- process.env.TEST_SSL_CLIENT_CERT_FILE || __dirname + "/../certificats/client.crt";
+ process.env.TEST_SSL_CLIENT_CERT_FILE || (__dirname + "/../certificats/client.crt");
 const clientKey = [fs.readFileSync(clientKeyFileName, "utf8")];
 const clientCert = [fs.readFileSync(clientCertFileName, "utf8")];
@@ -384,7 +384,7 @@ describe("ssl", function() {
 const clientKeystoreFileName =
 process.env.TEST_SSL_CLIENT_KEYSTORE_FILE ||
- __dirname + "/../certificats/client-keystore.p12";
+ (__dirname + "/../certificats/client-keystore.p12");
 console.log(clientKeystoreFileName);
 const clientKeystore = fs.readFileSync(clientKeystoreFileName);
 console.log(clientKeystore);
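Review bot: The two `console.log` calls in the -384 hunk, `console.log(clientKeystoreFileName);` and `console.log(clientKeystore);`, are left in place while the line above them is reworked, and the second one prints the raw Buffer returned by `fs.readFileSync` for the keystore, which for a PKCS12 file normally includes the private key. They read as debugging leftovers, so dropping both lines (or guarding them behind an explicit debug flag) would keep the keystore bytes out of the test runner's output and any CI logs that capture it. The parentheses added around `__dirname + "..."` in both hunks do not change evaluation, since `+` already binds tighter than `||`, but they make the fallback expression easier to read. The enclosing test callback begins and ends outside both hunks.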