LP #1673656: SSL Certificate Subject ALT Names with IPs or DNS: not respected with --ssl-verify-server-cert

Laurynas Biveinis June 5, 2018 at 10:02 AM
Upstream fix announced in 5.6.41, 5.7.23.

lpjirasync January 21, 2018 at 5:36 AM
Comment from Launchpad by: George Ormond Lorch III on: 15-06-2017 18:53:50
https://github.com/percona/percona-server/pull/1779
https://github.com/percona/percona-server/pull/1780
https://github.com/percona/percona-server/pull/1781
Done
Assignee
Unassigned
Created January 21, 2018 at 5:36 AM
Updated December 19, 2023 at 7:37 AM
Resolved January 21, 2018 at 5:36 AM
Reported in Launchpad by Nickolay Ihalainen, last update 18-07-2017 20:49:27
https://github.com/percona/percona-server/blob/5.6/sql-common/client.c#L1894-L1898
X509_VERIFY_PARAM_set1_host or X509_VERIFY_PARAM_add1_host or X509_check_host while checking common name.
Major issue happening with Aurora cluster:
"In order to connect to the cluster endpoint using SSL, your client connection utility must support Subject Alternative Names (SAN). If your client connection utility doesn't support SAN, you can connect directly to the instances in your Aurora DB cluster. For more information on Aurora endpoints, see Aurora Endpoints."
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Aurora.Connect.html
Upstream bug:
https://bugs.mysql.com/bug.php?id=68052
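
To illustrate the gap this report describes, the following added example (not code from Percona Server, MySQL or OpenSSL) models a CN-only hostname check beside a SAN-aware one of the kind `X509_check_host` provides. The certificate contents and host names are constructed, and the matcher is a simplified stand-in written for this illustration.

```python
import ipaddress

# Constructed certificate in the dict shape returned by ssl.SSLSocket.getpeercert().
# Hypothetical names: the CN names one instance, the SAN list also covers
# a cluster endpoint (wildcard) and an IP address.
CERT = {
    "subject": ((("commonName", "node1.db.example.internal"),),),
    "subjectAltName": (
        ("DNS", "node1.db.example.internal"),
        ("DNS", "*.cluster.db.example.internal"),
        ("IP Address", "192.0.2.10"),
    ),
}

def _dns_match(pattern, host):
    """Case-insensitive match; '*' is accepted only as the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    head, _, rest = h.partition(".")   # the wildcard covers exactly one label
    return bool(head) and rest == p[2:]

def cn_only_match(cert, host):
    """Model of the reported behaviour: only the subject CN is compared."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value.lower() == host.lower():
                return True
    return False

def san_aware_match(cert, host):
    """SAN-first check: IP entries for addresses, DNS entries for names."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:                  # addresses match IP SAN entries only
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip
                   for k, v in sans)
    dns = [v for k, v in sans if k == "DNS"]
    if dns:                             # DNS SANs present: the CN is ignored
        return any(_dns_match(p, host) for p in dns)
    return cn_only_match(cert, host)    # fallback only when no DNS SAN exists
```

With this certificate, a client that compares only the CN rejects both the cluster endpoint name and the IP address even though the certificate covers them, which is the connection failure described for Aurora cluster endpoints.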