<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <font face="Lato">Aside from these two things they have really, I
      mean really a lot, issues in open state regarding ssl...<br>
Which maybe speaks for a more generous alternative anyways<br>
    </font><br>
    <div class="moz-cite-prefix">On 18/04/2019 12:25, TG Servers wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:73c6187b-fc62-8c4d-d51f-d315c96a1318@prvtmail.net">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <font face="Lato">Kostya,<br>
        <br>
        they have already a bug open on this as I saw now </font><br>
      <font face="Lato"><a
          href="https://jira.mariadb.org/browse/MDEV-18131"
          moz-do-not-send="true">https://jira.mariadb.org/browse/MDEV-18131</a><br>
        and I also filed a bug on the TLS cipher string issue from
        yesterday.<br>
        Depending on when this will be resolved I will have to consider
        alternatives anyway, yes<br>
        <br>
        Thanks for the hints!<br>
        <br>
        -- T</font><br>
      <br>
      <div class="moz-cite-prefix">On 18/04/2019 12:15, Kostya Vasilyev
        via dovecot wrote:<br>
      </div>
      <blockquote type="cite"
        cite="mid:fad4ed08-6b86-4ee9-a94e-4bd566916e03@www.fastmail.com">
        <meta http-equiv="content-type" content="text/html;
          charset=UTF-8">
        <title></title>
        <style type="text/css">p.MsoNormal,p.MsoNoSpacing{margin:0}</style>
        <div>Have you considered any alternatives?<br>
        </div>
        <div><br>
        </div>
        <div>I'm thinking of IPSec to create a secured network
          encapsulation channel(s) "above" the TCP connection(s).<br>
        </div>
        <div><br>
        </div>
        <div>This would provide encryption with control over cipher(s),
          and cert validation on both sides (if you used cert auth, not
          PSK).<br>
        </div>
        <div><br>
        </div>
        <div>-- K<br>
        </div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>On Thu, Apr 18, 2019, at 12:15 PM, TG Servers via dovecot
          wrote:<br>
        </div>
        <blockquote id="qt" type="cite">
          <div><span style="font-family:Lato" class="font">Ok then it
              seems again a MariaDB issue, they don't check against IP
              in the SAN it seems, this has nothing to do with ssl_ca
              setting it seems<br>
              <br>
              host=<ip> port=<port> dbname=<db>
              user=<user> ssl_verify_server_cert=yes
              ssl_cipher=TLSv1.2 ssl_ca=/etc/ssl/certs/ca-bundle.crt
              password=<pwd><br>
              brings up this<br>
              <i>Connect failed to database (vmail): SSL connection
                error: SSL certificate validation failure </i><br>
              <br>
            </span><span style="font-family:Lato" class="font"><span
                style="font-family:Lato" class="font">host=<host>
                port=<port> dbname=<db> user=<user>
                ssl_verify_server_cert=no ssl_cipher=TLSv1.2
                ssl_ca=/etc/ssl/certs/ca-bundle.crt password=<pwd>
                is working<br>
                <br>
                contents from my.cnf :<br>
                ssl_cert="/etc/ssl/certs/mysql.pem"<br>
                ssl_key="/etc/ssl/certs/mysql.key"<br>
                ssl_ca="/etc/ssl/certs/ca-bundle.crt"<br>
                ssl_cipher="TLSv1.2"<br>
                <br>
                and from command line <br>
                mysql --ssl --ssl-verify-server-cert --host <ip>
                brings up<br>
                ERROR 2026 (HY000): SSL connection error: Validation of
                SSL server certificate failed<br>
                while<br>
                mysql --ssl --ssl-verify-server-cert --host
                <hostname> works<br>
                <br>
                TLS isn't really the domain of MariaDB, they have really
                a lot of crap going on there, a lot of, sadly...</span></span></div>
          <div><span style="font-family:Lato" class="font"><span
                style="font-family:Lato" class="font"><br>
                <br>
                Thanks</span></span></div>
          <div><br>
          </div>
          <div><br>
          </div>
          <div class="qt-moz-cite-prefix">On 18/04/2019 10:52, Aki Tuomi
            via dovecot wrote:<br>
          </div>
          <blockquote type="cite"
cite="mid:691823770.1474.1555577520240@appsuite-dev-gw2.open-xchange.com">
            <blockquote type="cite">
              <pre class="qt-moz-quote-pre" wrap="">On 18 April 2019 11:34 TG Servers via dovecot <a class="qt-moz-txt-link-rfc2396E" href="mailto:dovecot@dovecot.org" moz-do-not-send="true"><dovecot@dovecot.org></a> wrote:


Hi,
 
 when using ssl_verify_server_cert in mysql connection string, is the cert verified also against SAN (DNS and IP)?
 Because this doesn't seem to work. I get a certification verification error in handshake when connecting via IP. 
 But the cert is good as the connection via IP (and IP in the SAN of the cert) works from other applications verifying.
 
 Thanks.


</pre>
            </blockquote>
            <pre class="qt-moz-quote-pre" wrap="">Dovecot does consider SAN names too, but for MySQL driver, we use MYSQL_OPT_SSL_VERIFY_SERVER_CERT setting. Then you need to use ssl_ca or ssl_ca_path in the mysql driver config file to point to acceptable CAs.

Aki

</pre>
          </blockquote>
        </blockquote>
        <div><br>
        </div>
      </blockquote>
      <br>
    </blockquote>
    <br>
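    <p>An added diagnostic, not code from the thread, from Dovecot or from MariaDB: a SAN matcher working on the dict shape that Python's <code>ssl.getpeercert()</code> returns, showing why verification can succeed when connecting by hostname yet fail by IP if a verifier only consults the DNS entries of the SAN. The certificate values are constructed, and the <code>dns_only</code> switch is a hypothetical knob that models that narrower behaviour.</p>

```python
import ipaddress

# Constructed sample in the shape returned by ssl.getpeercert(): a DB server
# cert whose SAN carries DNS names and an IP address (all values made up).
SAMPLE_CERT = {
    "subject": ((("commonName", "db.example.internal"),),),
    "subjectAltName": (
        ("DNS", "db.example.internal"),
        ("DNS", "*.db-cluster.example.internal"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _dns_match(pattern, hostname):
    """RFC 6125-style match: case-insensitive, trailing dot ignored,
    a single leftmost wildcard label only (no partial wildcards)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def _ip_match(value, target_ip):
    """Compare a SAN 'IP Address' entry with the target address; a
    malformed entry simply does not match."""
    try:
        return ipaddress.ip_address(value) == target_ip
    except ValueError:
        return False


def san_matches(cert, target, dns_only=False):
    """True if `target` (hostname or IP literal) is covered by the SAN.
    dns_only=True models a verifier that ignores 'IP Address' entries,
    which is the behaviour the thread suspects when connecting by IP."""
    san = cert.get("subjectAltName", ())
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None
    if target_ip is not None:
        if dns_only:
            return False  # an IP literal can never match a DNS entry
        return any(k == "IP Address" and _ip_match(v, target_ip) for k, v in san)
    return any(k == "DNS" and _dns_match(v, target) for k, v in san)
```

    <p>Running <code>san_matches(SAMPLE_CERT, "192.0.2.10")</code> against <code>san_matches(SAMPLE_CERT, "192.0.2.10", dns_only=True)</code> reproduces the pass-by-hostname, fail-by-IP pattern from the thread on the constructed cert.</p>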
  </body>
</html>