A wrong client certificate can connect to TiDB Server with TLS enabled using mariadb-client #1909

Closed
weekface opened this issue Mar 11, 2020 · 3 comments

weekface commented Mar 11, 2020

Bug Report

I followed Enable TLS for MySQL Clients to create a TiDB Cluster.

And then I use a wrong (not signed by the CA that signed the Server Certificate) Client Certificate to connect to TiDB Server.

With mysql 5.7, I can't connect to TiDB Server, this is as expected:

```
root@mysql-client:/# mysql --version
mysql  Ver 14.14 Distrib 5.7.29, for Linux (x86_64) using  EditLine wrapper
root@mysql-client:/# mysql -uroot -p -P 4000 -h 10.110.197.127 --ssl-ca=/ca.pem --ssl-cert=/client.pem --ssl-key=/client-key.pem
Enter password:
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
```

But with mariadb-client, I can connect to the TiDB Server:

```
root@cjc-control-plane:/# mysql -uroot -p -P 4000 -h 10.102.188.170 --ssl-ca=/ca.pem --ssl-cert=/client.pem --ssl-key=/client-key.pem
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.25-TiDB-v4.0.0-beta-385-g107b071e0 TiDB Server (Apache License 2.0), MySQL 5.7 compatible

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> \s
--------------
mysql  Ver 15.1 Distrib 10.3.22-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2

Connection id:		2
Current database:
Current user:		root@10.244.0.1
SSL:			Cipher in use is ECDHE-RSA-AES256-GCM-SHA384
Current pager:		stdout
Using outfile:		''
Using delimiter:	;
Server:			MySQL
Server version:		5.7.25-TiDB-v4.0.0-beta-385-g107b071e0 TiDB Server (Apache License 2.0), MySQL 5.7 compatible
Protocol version:	10
Connection:		10.102.188.170 via TCP/IP
Server characterset:	utf8mb4
Db     characterset:	utf8mb4
Client characterset:	utf8mb4
Conn.  characterset:	utf8mb4
TCP port:		4000
--------------

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| INFORMATION_SCHEMA |
| INSPECTION_SCHEMA  |
| METRICS_SCHEMA     |
| PERFORMANCE_SCHEMA |
| mysql              |
| test               |
+--------------------+
6 rows in set (0.011 sec)
```

@weekface changed the title from "A wrong client certificate can connect to TiDB Server with TLS enabled" to "A wrong client certificate can connect to TiDB Server with TLS enabled using mariadb-client" on Mar 11, 2020

@gregwebs

Is the connection being made using TLS?

@weekface

@gregwebs Yes, the \s command shows that the connection is still using TLS. I have updated the description.

@github-actions

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 15 days
