Percona Server moved to https://jira.percona.com/projects/PS

SSL Certificate Subject ALT Names with IPs or DNS: not respected with --ssl-verify-server-cert

Bug #1673656 reported by Nickolay Ihalainen on 2017-03-17

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
MySQL Server	Unknown	Unknown	mysql-bugs #68052
Percona Server moved to https://jira.percona.com/projects/PS	Status tracked in 5.7
5.5	Fix Released	High	Yura Sorokin	Percona Server moved to https://jira.percona.com/projects/PS 5.5.57-38.9
5.6	Fix Released	High	Yura Sorokin	Percona Server moved to https://jira.percona.com/projects/PS 5.6.36-82.1
5.7	Fix Released	High	Yura Sorokin	Percona Server moved to https://jira.percona.com/projects/PS 5.7.18-16

Bug Description

https://github.com/percona/percona-server/blob/5.6/sql-common/client.c#L1894-L1898

X509_VERIFY_PARAM_set1_host or X509_VERIFY_PARAM_add1_host or X509_check_host while checking common name.

Major issue happening with Aurora cluster:

"In order to connect to the cluster endpoint using SSL, your client connection utility must support Subject Alternative Names (SAN). If your client connection utility doesn't support SAN, you can connect directly to the instances in your Aurora DB cluster. For more information on Aurora endpoints, see Aurora Endpoints."
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Aurora.Connect.html

Upstream bug:
https://bugs.mysql.com/bug.php?id=68052

Tags: