MDEV-38248 Add MTR to verify TLS with chain of trust #4467
Conversation
tonychen2001
force-pushed
the
cachain-mtr
branch
4 times, most recently
from
f386dfe to
e0fe5d6
Compare
|
You exclude your test from Windows . Can you explain why? I think certificate chains have to work also with schannel, and also on Windows. |
tonychen2001
force-pushed
the
cachain-mtr
branch
2 times, most recently
from
e240acc to
a1210e6
Compare
I see. Then this is probably a false assumption I made. I had handled the different error messages due to different TLS library versions. But on Windows, the MTR was failing with a different signature. It seems like the server just won't start up. Then I noticed other SSL related tests were being skipped on Windows. E.g: I don't have convenient access to a Windows environment and the error message isn't very helpful here. How can I debug this? I updated the test to not skip Windows and now the error message is: |
"Needs OpenSSL" is not the same as "Need not Windows".
Ok , you build on Linux with -DWITH_SSL=bundled passed to cmake, and run the test under debugger. That will build with WolfSSL. |
gkodinov
added
the
External Contribution
gkodinov
changed the title
Understood. I tried including
I'm building from source and I haven't passed in any particular compiler flag regarding SSL. When I checked my build, I do see that it's built with OpenSSL by checking My OS: Build configuration I'm using: |
|
You do not need to pass any compiler flags to the build. You need to pass a cmake flag I mentioned. In order to reproduce the error in your comfortable Linux setting, this is what you asked about originally, right? In this case I'd say, let try reproduce error in your convenient dev. environment, then figure out what to do. We unfortunately have 4 different libraries that do SSL, it is either openssl or WolfSSL on server, and either OpenSSL or GnuTLS, or Schannel on client. It is different from MySQL, but this is how it is, and we need to know which combinations work, and which do not work, and maybe report errors to the library authors if something does not work, |
vuvova
changed the title
|
I've played with it a bit. FWIW, wolfSSL's SSL_CTX_use_certificate_chain_file() fails to process server.cachain from the .opt file and returns an error. |
tonychen2001
force-pushed
the
cachain-mtr
branch
2 times, most recently
from
85122d4 to
7e4c24e
Compare
gkodinov
left a comment
gkodinov
left a comment
There was a problem hiding this comment.
Thank you for picking up the fact that serial 0 is a non-valid serial for wolfSSL and a valid one for openssl.
Maybe consider enabling -DWOLFSSL_ASN_ALLOW_0_SERIAL in extra/wolfssl/CMakeLists.txt to achieve better compatibility with openSSL (that seems to be perfectly happy with serial id 0) ?
| CREATE USER 'user1'@'%' REQUIRE SSL; | ||
|
|
||
| # --replace_result TLSv1.3 TLS TLSv1.2 TLS | ||
| # --exec $MYSQL --host=localhost -P $MASTER_MYPORT --user=user1 --ssl-verify-server-cert --ssl-ca=$MYSQL_TEST_DIR/std_data/cachain/root.crt --ssl-cert=$MYSQL_TEST_DIR/std_data/cachain/client.cachain --ssl-key=$MYSQL_TEST_DIR/std_data/cachain/client.key -e "SHOW STATUS LIKE 'ssl_version'" |
There was a problem hiding this comment.
any specific reason why you have disabled this test?
There was a problem hiding this comment.
This was just for testing. It should be enabled.
For an update, there were 2 issues,
- As you mentioned above, WolfSSL does not allow the certificate serial number to be 0. This conforms to RFC 5820 Section 4.1.2.2.
Fixing this allowed the server to start up with the given server certificates.
- Client certificate validation was failing because the intermediate CAs are missing the extension
keyUsage = keyCertSign. Another case where OpenSSL has more relaxed checks but WolfSSL conforms to RFC 5820 Section 4.2.1.3 which requires keyCertSign usage to be enabled for intermediate CAs.
After fixing the above, the test passes when building with -DWITH_SSL=bundled.
Though it still fails on the Windows build. I assume schannel has it's own differences. Although unlike before, the server does start up but it's now failing when the client is making a secure connection.
There was a problem hiding this comment.
I've got the same on my local box: it's working both with openSSL and wolfSSL. I'll give the windows failure a try today and report back on my findings.
There was a problem hiding this comment.
FWIW, the schannel code only reads a single certificate (see https://github.com/mariadb-corporation/mariadb-connector-c/blob/46880b003653a000e9588bd73c8b1dd65088c686/libmariadb/secure/schannel_certs.c#L807).
This needs mending.
Probably something along the lines of https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certaddencodedcertificatetostore once https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptqueryobject succeeds and the store is created by it.
There was a problem hiding this comment.
then, of course, there's the GnuTLS to mend.
tonychen2001
force-pushed
the
cachain-mtr
branch
from
7e4c24e to
1077d81
Compare
Add tests to verify that TLS configurations with certificate chain of trust are supported. The contents of the commit are inspired from the MySQL project: mysql/mysql-server@969afef Credits to [email protected] All new code of the whole pull request, including one or several files that are either new files or modified ones, are contributed under the BSD-new license. I am contributing on behalf of my employer Amazon Web Services, Inc.
tonychen2001
force-pushed
the
cachain-mtr
branch
from
1077d81 to
e53a4d6
Compare
3 participants
Description
Adding a test to explicitly verify that TLS connections support certificate chain of trust.
The contents of the commit are largely taken from the MySQL project: mysql/mysql-server@969afef
Credits to [email protected]
PR quality check
Copyright
All new code of the whole pull request, including one or several files
that are either new files or modified ones, are contributed under the
BSD-new license. I am contributing on behalf of my employer Amazon Web
Services, Inc.