(Known Issue) SQLx fails to connect to MariaDB 11.4.0 and 11.4.1 when using server self-signed certificates #3091

Closed
@abonander

Description

When MariaDB is generating a self-signed certificate (new in 11.4.0), it neglects to set the x509 version, so it defaults to v1, which is not accepted by RusTLS and can lead to connection failure: https://github.com/launchbadge/sqlx/actions/runs/8149156874/job/22273413421#step:9:354

This affects clients even when not using MySqlSslMode::VerifyCa or ::VerifyIdentity because RusTLS rejects the certificate while parsing it.

The new server authentication flow involving auth plugins will likely need its own support, but assuming it doesn't change the handshake in a backwards-incompatible way, it should presumably still work with MySqlSslMode::Preferred or ::Required.

As a temporary workaround, users should switch to or continue using existing pre-signed certificates, or switch to the tls-native-tls feature instead. When generating certificates, be sure the x509 version is set to 3 so RusTLS can accept them.

Reported upstream as: https://jira.mariadb.org/browse/MDEV-33592
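A way to check which X.509 version a server certificate declares before pointing a RusTLS-backed client at it, as an added example that is not code from SQLx, RusTLS or MariaDB. The function names are hypothetical, the byte arrays are constructed, truncated certificate prefixes, and the parser reads only the version field of a DER-encoded certificate without validating anything else.

```rust
// Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
//     [0] EXPLICIT version INTEGER DEFAULT v1, serialNumber INTEGER, ... } ... }

/// Read one DER header at `pos`; returns (tag, content_start, content_len).
fn der_header(buf: &[u8], pos: usize) -> Option<(u8, usize, usize)> {
    let tag = *buf.get(pos)?;
    let first = *buf.get(pos + 1)?;
    if first & 0x80 == 0 {
        return Some((tag, pos + 2, first as usize)); // short-form length
    }
    let n = (first & 0x7f) as usize; // long form: n length octets follow
    if n == 0 || n > 4 {
        return None; // indefinite or oversized lengths are rejected
    }
    let mut len = 0usize;
    for i in 0..n {
        len = (len << 8) | *buf.get(pos + 2 + i)? as usize;
    }
    Some((tag, pos + 2 + n, len))
}

/// Returns the declared version as 1, 2 or 3, or None if the prefix is malformed.
pub fn x509_version(der: &[u8]) -> Option<u8> {
    let (tag, cert_body, _) = der_header(der, 0)?; // Certificate
    if tag != 0x30 { return None; }
    let (tag, tbs_body, _) = der_header(der, cert_body)?; // TBSCertificate
    if tag != 0x30 { return None; }
    let (tag, start, len) = der_header(der, tbs_body)?;
    match tag {
        0x02 => Some(1), // no [0] version field: serialNumber comes first, so v1
        0xA0 => {
            let (itag, istart, ilen) = der_header(der, start)?;
            if itag != 0x02 || ilen != 1 || len != 3 { return None; }
            match *der.get(istart)? { v @ 0..=2 => Some(v + 1), _ => None }
        }
        _ => None,
    }
}

/// True when the certificate declares v3, the version the issue says to set.
pub fn is_v3(der: &[u8]) -> bool { x509_version(der) == Some(3) }

fn main() {
    // Constructed, truncated certificate prefixes (not real certificates).
    let v1 = [0x30u8, 0x82, 0x01, 0x00, 0x30, 0x81, 0xE0, 0x02, 0x01, 0x01];
    let v3 = [0x30u8, 0x82, 0x01, 0x00, 0x30, 0x81, 0xE0, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x01];
    println!("v1 sample -> {:?}, v3 sample -> {:?}", x509_version(&v1), x509_version(&v3));
}
```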

Labels: bug, bug:db (Involves a bug in the database server), db:mysql (Related to MySQL)
