dovecot - Apr 2019 - ssl_verify_server_cert against SAN?

<html>
  <head>

    <meta http-equiv="content-type" content="text/html;
charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <font face="Lato">Hi,<br>
      <br>
      when using ssl_verify_server_cert in mysql connection string, is
      the cert verified also against SAN (DNS and IP)?<br>
      Because this doesn't seem to work. I get a certification
      verification error in handshake when connecting via IP. <br>
      But the cert is good as the connection via IP (and IP in the SAN
      of the cert) works from other applications verifying.<br>
      <br>
      Thanks.<br>
    </font>
  </body>
</html>

> On 18 April 2019 11:34 TG Servers via dovecot <dovecot at
dovecot.org> wrote:
> 
> 
> Hi,
>  
>  when using ssl_verify_server_cert in mysql connection string, is the cert
verified also against SAN (DNS and IP)?
>  Because this doesn't seem to work. I get a certification verification
error in handshake when connecting via IP.
>  But the cert is good as the connection via IP (and IP in the SAN of the
cert) works from other applications verifying.
>  
>  Thanks.
>
Dovecot does consider SAN names too, but for MySQL driver, we use
MYSQL_OPT_SSL_VERIFY_SERVER_CERT setting. Then you need to use ssl_ca or
ssl_ca_path in the mysql driver config file to point to acceptable CAs.

Aki

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <font face="Lato">Ok then it seems again a MariaDB issue,
they don't
      check against IP in the SAN it seems, this has nothing to do with
      ssl_ca setting it seems<br>
      <br>
      host=<ip> port=<port> dbname=<db>
      user=<user> ssl_verify_server_cert=yes ssl_cipher=TLSv1.2
      ssl_ca=/etc/ssl/certs/ca-bundle.crt password=<pwd><br>
      brings up this<br>
      <i>Connect failed to database (vmail): SSL connection error: SSL
        certificate validation failure </i><br>
      <br>
    </font><font face="Lato"><font
face="Lato">host=<host>
        port=<port> dbname=<db> user=<user>
        ssl_verify_server_cert=no ssl_cipher=TLSv1.2
        ssl_ca=/etc/ssl/certs/ca-bundle.crt password=<pwd> is
        working<br>
        <br>
        contents from my.cnf :<br>
        ssl_cert="/etc/ssl/certs/mysql.pem"<br>
        ssl_key="/etc/ssl/certs/mysql.key"<br>
        ssl_ca="/etc/ssl/certs/ca-bundle.crt"<br>
        ssl_cipher="TLSv1.2"<br>
        <br>
        and from command line <br>
        mysql --ssl --ssl-verify-server-cert --host <ip> brings
up<br>
        ERROR 2026 (HY000): SSL connection error: Validation of SSL
        server certificate failed<br>
        while<br>
        mysql --ssl --ss-verify-server-cert --host <hostname>
        works<br>
        <br>
        TLS isn't really the domain of MariaDB, they have really a lot
        of crap going on there, a lot of, sadly...<br>
        <br>
        Thanks</font></font><br>
    <br>
    <div class="moz-cite-prefix">On 18/04/2019 10:52, Aki Tuomi
via
      dovecot wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:691823770.1474.1555577520240@appsuite-dev-gw2.open-xchange.com">
      <pre class="moz-quote-pre" wrap="">
</pre>
      <blockquote type="cite">
        <pre class="moz-quote-pre" wrap="">On 18 April
2019 11:34 TG Servers via dovecot <a class="moz-txt-link-rfc2396E"
href="mailto:dovecot@dovecot.org"><dovecot@dovecot.org></a>
wrote:


Hi,
 
 when using ssl_verify_server_cert in mysql connection string, is the cert
verified also against SAN (DNS and IP)?
 Because this doesn't seem to work. I get a certification verification error
in handshake when connecting via IP.
 But the cert is good as the connection via IP (and IP in the SAN of the cert)
works from other applications verifying.
 
 Thanks.

</pre>
      </blockquote>
      <pre class="moz-quote-pre" wrap="">
Dovecot does consider SAN names too, but for MySQL driver, we use
MYSQL_OPT_SSL_VERIFY_SERVER_CERT setting. Then you need to use ssl_ca or
ssl_ca_path in the mysql driver config file to point to acceptable CAs.

Aki
</pre>
    </blockquote>
    <br>
  </body>
</html>