MariaDB Server
MDEV-5198

SSL connection inconsistency between Linux and Windows XP

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Incomplete
    • Affects Version/s: 5.5.33a
    • Fix Version/s: None
    • Component/s: None
    • Labels:
    • Environment:
      Linux 3.5.2 and Windows XP

      Description

      Summary: you can connect to the server from a Linux box with the CA public key but not from an XP box using the same certs.

      I generated these certs with TinyCA and exported the client and server certs with both the cert and key in one file. These files end with both.pem. The separate cert and key files end with cert.pem and key.pem respectively.

      The Server set up:

      mysqld -V
      mysqld  Ver 5.5.33a-MariaDB-1~squeeze-log for debian-linux-gnu on i686 (mariadb.org binary distribution)
      

      my.cnf Excerpt:

      # For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
      #
      # ssl
      ssl-ca=/etc/mysql/ssl/CA-cert.pem
      ssl-cert=/etc/mysql/ssl/mysqld.something.else-both.pem
      

      If you verify the keys with openssl they are fine:

      openssl verify -CAfile CA-cert.pem client-cert.pem mysqld.something.else-both.pem
      client-cert.pem: OK
      mysqld.something.else-both.pem: OK
      

      In another bug report you ask for examples of it not working when it passes this test; here ya go.

      On the linux client machine everything just works:

      mysql -V
      mysql  Ver 15.1 Distrib 5.5.33a-MariaDB, for debian-linux-gnu (i686) using readline 5.1
      
      mysql -h eugeneweb.com --ssl-ca=CA-cert.pem --ssl-cert=client-both.pem
      
      mysql -h eugeneweb.com --ssl-ca=CA-cert.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem
      
      mysql -h eugeneweb.com --ssl-ca=CA-cert.pem
      
      mysql -h eugeneweb.com --ssl-cert=client-both.pem
      
      mysql -h eugeneweb.com --ssl-cert=client-cert.pem --ssl-key=client-key.pem
      

      All these connections were tested for SSL like so:

      MariaDB [(none)]> show status like 'Ssl_cipher';
      +---------------+--------------------+
      | Variable_name | Value              |
      +---------------+--------------------+
      | Ssl_cipher    | DHE-RSA-AES256-SHA |
      +---------------+--------------------+
      1 row in set (0.03 sec)
      

      Windows XP:

      Windows does not work as expected, unless you expect it not to work.

      mysql -V
      MYSQL  Ver 15.1 Distrib 5.5.33a-MariaDB, for Win32 (x86)
      
      mysql -h eugeneweb.com --ssl-ca=CA-cert.pem --ssl-cert=client-both.pem
      ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation
      
      mysql -h eugeneweb.com --ssl-ca=CA-cert.pem
      ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation
      
      mysql -h eugeneweb.com --ssl-cert=client-both.pem
      

      Works.

      mysql -h eugeneweb.com --ssl-cert=client-cert.pem --ssl-key=client-key.pem
      

      Works.

      mysql -h eugeneweb.com --ssl-ca=CA-cert.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem
      ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation
      

      Thanks for any light you can shed on this.

      Clif

            Activity
            Elena Stepanova (elenst) added a comment - edited

            Hi,

            I tried to re-create the whole thing as close as possible, including XP, 32 bit, Tinyca and all that, only I have Wheezy instead of Squeeze (don't think it should be important); but I wasn't able to reproduce the problem you describe. Everything connects all right for me:

            C:_Home\tmp>"c:\Program Files\MariaDB 5.5\bin\mysql" -V
            c:\Program Files\MariaDB 5.5\bin\mysql Ver 15.1 Distrib 5.5.33a-MariaDB, for Win32 (x86)

            C:_Home\tmp>"c:\Program Files\MariaDB 5.5\bin\mysql" --ssl-cert=client-cert.pem --ssl-key=client-key2.pem --ssl-ca=CA-cert.pem --host=192.168.100.10 -utest
            Welcome to the MariaDB monitor. Commands end with ; or \g.
            Your MariaDB connection id is 33
            Server version: 5.5.33a-MariaDB-1~wheezy mariadb.org binary distribution

            Copyright (c) 2000, 2013, Oracle, Monty Program Ab and others.

            Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

            MariaDB [(none)]> show status like 'ssl_cipher';
            +---------------+--------------------+
            | Variable_name | Value              |
            +---------------+--------------------+
            | Ssl_cipher    | DHE-RSA-AES256-SHA |
            +---------------+--------------------+
            1 row in set (0.02 sec)

            However, I can easily get the very same error if I provide a wrong path to the CA file:

            C:_Home\tmp>"c:\Program Files\MariaDB 5.5\bin\mysql" --ssl-cert=client-cert.pem --ssl-key=client-key2.pem --ssl-ca=non-existing-ca.pem --host=192.168.100.10 -utest
            ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation

            So, as obvious as it sounds, could you please double-check that the file you pass in ssl-ca option indeed exists on the Windows machine, and is not corrupted. If everything is in place and you still get the error, please either provide the exact instructions, step-by-step, on how you create the certs with Tinyca, including the data to fill in the forms (of course if it's private it needs to be obfuscated); or please attach the set of certs that causes the problem (again, with obfuscated data if necessary).

            Thanks.

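A preflight check that covers both the reporter's file layout (a combined both.pem versus separate cert and key files) and the point made in the comment above: a CA path that does not exist, or a PEM body that is damaged, surfaces only as the opaque "ASN: bad other signature confirmation" error. This is an added example, not MariaDB's code and not the reporter's certificates. It inspects the files the three mysql options point at, checks that every PEM block is valid base64 over a correctly framed DER SEQUENCE, and flags option combinations that cannot work. The names `preflight`, `load_labels` and `write_constructed_certs` are this example's own; the certificate bytes it writes are a constructed placeholder, not real X.509 certificates, and it does not check signatures, so it complements rather than replaces `openssl verify`.

```python
"""Preflight for the PEM files handed to the mysql client's --ssl-ca, --ssl-cert
and --ssl-key options.  Added example: not MariaDB's code and not the
reporter's certificates.  The bytes written by write_constructed_certs() are a
placeholder DER SEQUENCE, constructed here, not real X.509 certificates."""
import base64
import os
import re
import tempfile

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----",
                       re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}
CERT_LABELS = {"CERTIFICATE", "TRUSTED CERTIFICATE"}


def der_sequence_length(der: bytes) -> int:
    """Return header+body length of the outer ASN.1 SEQUENCE in `der`.

    Raises ValueError when the payload is not framed as a SEQUENCE or its
    declared length disagrees with the bytes present (a truncated copy, a
    stray byte appended on save): corruption that a TLS library tends to
    report only as an opaque ASN error."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("payload does not start with an ASN.1 SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length, one byte
        length, header = first, 2
    else:                                 # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("malformed DER length field")
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if header + length != len(der):
        raise ValueError(f"DER length {length} does not match the "
                         f"{len(der) - header} bytes present (truncated?)")
    return header + length


def parse_pem(text: str):
    """Return [(label, der_bytes)] for every PEM block in `text`, or raise."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:         # binascii.Error is a ValueError
            raise ValueError(f"{label}: body is not valid base64") from exc
        try:
            der_sequence_length(der)
        except ValueError as exc:
            raise ValueError(f"{label}: {exc}") from exc
        blocks.append((label, der))
    if not blocks:
        raise ValueError("no PEM blocks found")
    return blocks


def load_labels(option: str, path: str, problems: list):
    """Parse one option's file; record a problem and return None on failure."""
    if not os.path.isfile(path):
        problems.append(f"{option}: file not found: {path}")
        return None
    try:
        with open(path, encoding="ascii", errors="replace") as fh:
            return {label for label, _ in parse_pem(fh.read())}
    except ValueError as exc:
        problems.append(f"{option}: {path}: {exc}")
        return None


def preflight(ssl_ca=None, ssl_cert=None, ssl_key=None):
    """Mirror the three mysql client options; return (problems, warnings)."""
    problems, warnings = [], []
    if ssl_ca is None:
        warnings.append("--ssl-ca not given: the server certificate is not "
                        "verified, so a connection proves encryption only")
    else:
        labels = load_labels("--ssl-ca", ssl_ca, problems)
        if labels is not None and not labels & CERT_LABELS:
            problems.append("--ssl-ca: no CERTIFICATE block in file")
    if ssl_cert is not None:
        labels = load_labels("--ssl-cert", ssl_cert, problems)
        if labels is not None:
            if not labels & CERT_LABELS:
                problems.append("--ssl-cert: no CERTIFICATE block in file")
            if ssl_key is None and not labels & KEY_LABELS:
                problems.append("--ssl-cert: no private key in file and "
                                "--ssl-key not given")
    elif ssl_key is not None:
        problems.append("--ssl-key given without --ssl-cert")
    if ssl_key is not None:
        labels = load_labels("--ssl-key", ssl_key, problems)
        if labels is not None and not labels & KEY_LABELS:
            problems.append("--ssl-key: no private key block in file")
    return problems, warnings


def write_constructed_certs(directory=None) -> dict:
    """Write constructed PEM files in the report's layout; return their paths."""
    directory = directory or tempfile.mkdtemp()
    der = "MAMCAQE="   # base64 of 30 03 02 01 01: SEQUENCE { INTEGER 1 }
    cert = f"-----BEGIN CERTIFICATE-----\n{der}\n-----END CERTIFICATE-----\n"
    key = f"-----BEGIN RSA PRIVATE KEY-----\n{der}\n-----END RSA PRIVATE KEY-----\n"
    broken = cert.replace(der, "MAMCAQ==")          # last DER byte missing
    files = {"ca": ("CA-cert.pem", cert), "cert": ("client-cert.pem", cert),
             "key": ("client-key.pem", key), "both": ("client-both.pem", cert + key),
             "broken": ("broken-ca.pem", broken)}
    paths = {}
    for name, (filename, content) in files.items():
        paths[name] = os.path.join(directory, filename)
        with open(paths[name], "w") as fh:
            fh.write(content)
    return paths
```

Run `preflight()` with exactly the paths given to `mysql` on the Windows box: a "file not found" or "DER length ... does not match" result explains the ASN error without any server involvement, while an empty problem list means the files are at least structurally sound and the difference lies in the client's SSL library. The warning for a missing `--ssl-ca` is the defender's caveat behind the commands that "work" without it: `show status like 'Ssl_cipher'` confirms the session is encrypted, but with no CA configured the client has not verified who it is talking to.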
            Elena Stepanova (elenst) added a comment -

            Closing for now as incomplete, if you have more information to reply to the previous comment, please do so, and we will re-open the report.


              People

              • Assignee: Elena Stepanova (elenst)
              • Reporter: Clif Cox (clif)
              • Votes: 0
              • Watchers: 3
