diff options
| author | Sergei Golubchik <serg@mariadb.org> | 2015-04-25 17:22:46 +0200 |
|---|---|---|
| committer | Sergei Golubchik <serg@mariadb.org> | 2015-04-27 15:42:12 +0200 |
| commit | 18215dd9fa784d12dfb1122d58be85823b6f2b5e (patch) | |
| tree | e40b19cdbeb4988d51c40b45f9ae689c6fae45ee /mysql-test/lib | |
| parent | 9fd65db329b7186faeab79e23ae3be356973fb4d (diff) | |
| download | mariadb-git-18215dd9fa784d12dfb1122d58be85823b6f2b5e.tar.gz | |
MDEV-7859 SSL hostname verification fails for long subject names
Don't use a fixed buffer for X509_NAME_oneline() in the client.
Do as the server does - allocate it dynamically.
For a test - regenerate certificates to have the server cert with
a long subject.
Diffstat (limited to 'mysql-test/lib')
| -rwxr-xr-x | mysql-test/lib/generate-ssl-certs.sh | 11 |
1 files changed, 5 insertions, 6 deletions
diff --git a/mysql-test/lib/generate-ssl-certs.sh b/mysql-test/lib/generate-ssl-certs.sh index 0ca9bcd41b8..5dca21a755d 100755 --- a/mysql-test/lib/generate-ssl-certs.sh +++ b/mysql-test/lib/generate-ssl-certs.sh @@ -10,22 +10,21 @@ touch demoCA/index.txt echo 01 > demoCA/serial # CA certificate, self-signed -openssl req -x509 -newkey rsa:2048 -keyout demoCA/private/cakey.pem -out cacert.pem -days 7300 -nodes -subj '/C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB' -text +openssl req -x509 -newkey rsa:2048 -keyout demoCA/private/cakey.pem -out cacert.pem -days 7300 -nodes -subj '/CN=cacert/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' -text -# server certificate signing request and private key -openssl req -newkey rsa:1024 -keyout server-key.pem -out demoCA/server-req.pem -days 7300 -nodes -subj '/C=SE/ST=Uppsala/O=MySQL AB/CN=localhost' +# server certificate signing request and private key. Note the very long subject (for MDEV-7859) +openssl req -newkey rsa:1024 -keyout server-key.pem -out demoCA/server-req.pem -days 7300 -nodes -subj '/CN=localhost/C=FI/ST=state or province within country, in other certificates in this file it is the same as L/L=location, usually an address but often ambiguously used/OU=organizational unit name, a division name within an organization/O=organization name, typically a company name' # convert the key to yassl compatible format openssl rsa -in server-key.pem -out server-key.pem # sign the server certificate with CA certificate openssl ca -days 7300 -batch -cert cacert.pem -policy policy_anything -out server-cert.pem -infiles demoCA/server-req.pem -openssl req -newkey rsa:8192 -keyout server8k-key.pem -out demoCA/server8k-req.pem -days 7300 -nodes -subj '/C=SE/ST=Uppsala/O=MySQL AB/CN=server' +openssl req -newkey rsa:8192 -keyout server8k-key.pem -out demoCA/server8k-req.pem -days 7300 -nodes -subj '/CN=server8k/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' openssl rsa -in server8k-key.pem -out server8k-key.pem openssl ca -days 7300 -batch -cert cacert.pem -policy policy_anything -out server8k-cert.pem -infiles demoCA/server8k-req.pem -openssl req -newkey rsa:1024 -keyout client-key.pem -out demoCA/client-req.pem -days 7300 -nodes -subj '/C=SE/ST=Uppsala/O=MySQL AB' +openssl req -newkey rsa:1024 -keyout client-key.pem -out demoCA/client-req.pem -days 7300 -nodes -subj '/CN=client/C=FI/ST=Helsinki/L=Helsinki/O=MariaDB' openssl rsa -in client-key.pem -out client-key.pem -# if the folloing will require a common name - that's defined in /etc/ssl/openssl.cnf, under policy_anything openssl ca -days 7300 -batch -cert cacert.pem -policy policy_anything -out client-cert.pem -infiles demoCA/client-req.pem rm -rf demoCA |