SSL Certificate Subject ALT Names with IPs or DNS: not respected with --ssl-verify-server-cert

Bug #1673656 reported by Nickolay Ihalainen on 2017-03-17
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
MySQL Server | Unknown | Unknown | |
Percona Server moved to https://jira.percona.com/projects/PS | Status tracked in 5.7 | | |
5.5 | Fix Released | High | Yura Sorokin |
5.6 | Fix Released | High | Yura Sorokin |
5.7 | Fix Released | High | Yura Sorokin |

Bug Description

https://github.com/percona/percona-server/blob/5.6/sql-common/client.c#L1894-L1898

X509_VERIFY_PARAM_set1_host or X509_VERIFY_PARAM_add1_host or X509_check_host while checking common name.

Major issue happening with Aurora cluster:

"In order to connect to the cluster endpoint using SSL, your client connection utility must support Subject Alternative Names (SAN). If your client connection utility doesn't support SAN, you can connect directly to the instances in your Aurora DB cluster. For more information on Aurora endpoints, see Aurora Endpoints."
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Aurora.Connect.html

Upstream bug:
https://bugs.mysql.com/bug.php?id=68052
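
The difference between the CN-only comparison this report describes and a SAN-aware one, as an added example that is not part of the original report or of Percona Server's code. It is a dependency-free model of the matching rules, not a call into OpenSSL's X509_check_host; the struct, the function names and the certificate names are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for the names a client reads from a server certificate. */
struct cert_names {
    const char *cn;         /* subject Common Name */
    const char *san_dns[4]; /* subjectAltName dNSName entries, NULL-terminated */
    const char *san_ip[4];  /* subjectAltName iPAddress entries in text form */
};

static int ieq(const char *a, const char *b) { /* case-insensitive equality */
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == '\0' && *b == '\0';
}

static int name_matches(const char *pattern, const char *host) {
    if (pattern[0] == '*' && pattern[1] == '.') { /* "*." covers one non-empty leftmost label */
        const char *dot = strchr(host, '.');
        return dot != NULL && dot != host && ieq(pattern + 1, dot);
    }
    return ieq(pattern, host);
}

/* The behaviour reported in this bug: only the Common Name is compared. */
int verify_cn_only(const struct cert_names *c, const char *host) {
    return c->cn != NULL && ieq(c->cn, host);
}

/* SAN-aware check: CN is consulted only when the certificate has no dNSName SAN. */
int verify_san_aware(const struct cert_names *c, const char *host, int host_is_ip) {
    if (host_is_ip) { /* IP literals match iPAddress SANs only; text compare is a simplification */
        for (int i = 0; i < 4 && c->san_ip[i]; i++)
            if (strcmp(c->san_ip[i], host) == 0) return 1;
        return 0;
    }
    for (int i = 0; i < 4 && c->san_dns[i]; i++)
        if (name_matches(c->san_dns[i], host)) return 1;
    return c->san_dns[0] == NULL && c->cn != NULL && name_matches(c->cn, host);
}

/* Constructed sample: instance name in CN; cluster endpoint and an IP only in SAN. */
const struct cert_names sample = { "db-instance-1.example.internal",
    { "db-instance-1.example.internal", "db-cluster.cluster.example.internal", NULL },
    { "192.0.2.10", NULL } };

int main(void) {
    const char *h = "db-cluster.cluster.example.internal";
    printf("CN-only: %d, SAN-aware: %d\n", verify_cn_only(&sample, h), verify_san_aware(&sample, h, 0));
    return 0;
}
```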
