Skip to content

TLS SSL Changes in MariaDB Connector C 3.4

Jump to bottom
Georg Richter edited this page Jul 5, 2024 · 8 revisions

TLS/SSL Changes in Connector/C 3.4 (Draft):

Peer certificate validation

Since version 3.4 peer certificate verification is enabled by default. It can be disabled via mysql_optionsv, using option MYSQL_OPT_SSL_VERIFY_SERVER_CERT:

my_bool verify= 0;
mysql_options(mariadb, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, &verify);

Self signed certificates

If the client obtained a self signed peer certificate from MariaDB server the verification will fail, with the following exceptions:
  • If the connection between client and server is considered to be secure:, e.g.
    • If the authentication plugin version is > 1.0, the authentication plugin supports hashing, password is used and:
      • a unix_socket is used for client server communication
      • hostname is localhost and operating system is Windows
      • hostname is one of the following ip addresses: 127.0.0.1 (IPv4) or ::1 (IPv6)
    • If a fingerprint of the peer certificate was provided (see below)

Fingerprint verification of the peer certificate

A fingerprint is a cryptographic hash (SHA-256, SHA-384 or SHA-512) of the peer certificate's binary data.

Verifying a peer certificate is considered to be secure, if

  • the fingerprint was obtained from a trusted source
  • the fingerprint is securely stored and protected from unauthorized access
  • a strong collision free hash algorithm (SHA-256 or greater) is used.
  • additional validity check (expiration) will be performed.

To get the finger print of the server certificate, you can use openssl or certtool (gnutls) command line clients on the server host:

$ openssl x509 -noout -fingerprint -sha384 -inform pem -in /path/server-cert.pem
sha384 Fingerprint=C1:38:FD:6B:9B:A9:99:5A:E1:EF:08:00:34:A6:08:46:FA:A5:97:05:FD:62:EB:91:C7:BA:B6:73:BF:C6:D5:C2:0D:6A:D7:22:99:8D:8A:DE:C3:9C:5E:C6:5D:96:F6:63

or

certtool --fingerprint --hash=sha384 --infile=/path/server-cert.pem
c138fd6b9ba9995ae1ef080034a60846faa59705fd62eb91c7bab673bfc6d5c20d6ad722998d8adec39c5ec65d96f663

Notes:

For security reasons MD5 and SHA1 fingerprints aren't supported anymore.

Obtaining peer certificate information

Peer certificate information can be obtained via mariadb_get_infov, using option MARIADB_TLS_PEER_CERT_INFO:

MARIADB_X509_INFO *info;
unsigned int hash_size= 384;

mysql_optionsv(mariadb, MARIADB_TLS_PEER_CERT_INFO, &info, hash_size);

The optional hash_size parameter specifies the length of the fingerprint hash in bits: supported values are 256, 384 and 512. If hash_size will be omitted, a default value of 256 will be used.

MariaDB Connector/C Reference

Clone this wiki locally