(Known Issue) SQLx fails to connect to MariaDB 11.4.0 and 11.4.1 when using server self-signed certificates #3091

Closed
abonander opened this issue Mar 5, 2024 · 0 comments · Fixed by #3266
Labels
bug:db (Involves a bug in the database server), bug, db:mysql (Related to MySQL)

Comments

@abonander
Collaborator

When MariaDB is generating a self-signed certificate (new in 11.4.0), it neglects to set the x509 version, so it defaults to v1, which is not accepted by RusTLS and can lead to connection failure: https://github.com/launchbadge/sqlx/actions/runs/8149156874/job/22273413421#step:9:354

This affects clients even when not using MySqlSslMode::VerifyCa or ::VerifyIdentity because RusTLS rejects the certificate while parsing it.

The new server authentication flow involving auth plugins will likely need its own support, but assuming it doesn't change the handshake in a backwards-incompatible way, it should presumably still work with MySqlSslMode::Preferred or ::Required.

As a temporary workaround, users should switch to or continue using existing pre-signed certificates, or switch to the tls-native-tls feature instead. When generating certificates, be sure the x509 version is set to 3 so RusTLS can accept them.

Reported upstream as: https://jira.mariadb.org/browse/MDEV-33592
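
The workaround above asks for certificates whose X.509 version is set to 3. As an added example (not part of the issue and not SQLx code), this Rust code reads the version field from a DER-encoded certificate so a v1 certificate can be spotted before deployment; the function names and the sample byte strings are constructed for illustration.

```rust
// Added example (not SQLx code): read the X.509 version from a DER certificate.
// Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
//     version [0] EXPLICIT INTEGER DEFAULT v1, serialNumber INTEGER, ... }, ... }

/// Split one DER TLV off the front of `buf`: (tag, content, remainder).
fn read_tlv(buf: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let (&tag, rest) = buf.split_first()?;
    let (&first, rest) = rest.split_first()?;
    let (len, rest) = if first & 0x80 == 0 {
        (first as usize, rest) // short form: length fits in 7 bits
    } else {
        let n = (first & 0x7f) as usize; // long form: next n bytes hold the length
        if n == 0 || n > 4 || rest.len() < n {
            return None;
        }
        let len = rest[..n].iter().fold(0usize, |acc, &b| (acc << 8) | b as usize);
        (len, &rest[n..])
    };
    if rest.len() < len {
        return None;
    }
    Some((tag, &rest[..len], &rest[len..]))
}

/// Certificate version (1, 2 or 3), or None if the DER is malformed.
pub fn x509_version(der: &[u8]) -> Option<u8> {
    let (tag, cert, _) = read_tlv(der)?;
    if tag != 0x30 { return None; }
    let (tag, tbs, _) = read_tlv(cert)?;
    if tag != 0x30 { return None; }
    let (tag, body, _) = read_tlv(tbs)?;
    match tag {
        0xA0 => {
            // Explicit [0] wrapper: the INTEGER inside holds version - 1.
            let (itag, int, _) = read_tlv(body)?;
            if itag == 0x02 && int.len() == 1 && int[0] <= 2 { Some(int[0] + 1) } else { None }
        }
        0x02 => Some(1), // serialNumber comes first: version omitted, so DEFAULT v1
        _ => None,
    }
}

// Constructed skeletons (only the leading fields of a certificate, not real certs).
pub const V1_SKELETON: &[u8] = &[0x30, 0x05, 0x30, 0x03, 0x02, 0x01, 0x01];
pub const V3_SKELETON: &[u8] =
    &[0x30, 0x0A, 0x30, 0x08, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x01];

fn main() {
    println!("v1 skeleton: {:?}", x509_version(V1_SKELETON));
    println!("v3 skeleton: {:?}", x509_version(V3_SKELETON));
}
```

The input must be DER; a PEM file has to be base64-decoded first.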
