Package: libdbd-mysql-perl
Version: 4.046-1
Severity: normal

Dear Maintainer,

Upon upgrade from 4.041-2+b1 to 4.046-1, I can no longer connect to our
mysql database with SSL. Reverting to 4.041-2+b1 makes the connection
work again.

Here is a test script to reproduce (with database name and hostname set
to example values).

-----------------------------------------------------------------------
#!/usr/bin/perl
use DBI;
my $dsn = 'DBI:mysql:database=exampledb;host=example.com;mysql_ssl=1;mysql_ssl_ca_file=/tmp/ca_cert.pem';
my $conn = DBI->connect($dsn, 'foo', 'foo');
-----------------------------------------------------------------------

Outputs from the versions follow, with internal information replaced
with '<cut>'.

On 4.041-2+b1:

-----------------------------------------------------------------------
DBI connect('database=<cut>;host=<cut>;mysql_ssl=1;mysql_ssl_ca_file=/tmp/ca_cert.pem','foo',...) failed: Access denied for user 'foo'@'<cut>' (using password: YES) at /tmp/test.pl line 4.
-----------------------------------------------------------------------

(access denied is ok--it got past the SSL part)

On 4.046-1:

-----------------------------------------------------------------------
DBI connect('database=<cut>;host=<cut>;mysql_ssl=1;mysql_ssl_ca_file=/tmp/ca_cert.pem','foo',...) failed: SSL connection error: SSL certificate validation failure at /tmp/test.pl line 4.
-----------------------------------------------------------------------

(this one fails)

I have verified the following:

1. That the old version is indeed using SSL, via wireshark.
2. That both old and new versions are reading /tmp/ca_cert.pem, via
   strace.
3. That the server certificate has not expired, that it contains the
   target servername (as an X509v3 SAN), and that it verifies OK against
   the CA cert, via openssl.

I can imagine two possibilities; either:

a. Version 4.046-1 is more strict about validation and something is
   actually wrong, but I can't tell what.
b. There is a regression in validation in 4.046-1.

Either way, it worked before and does not now, so that seems worth
filing a bug over, to start with.

Thanks for your support,
Corey

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libdbd-mysql-perl depends on:
ii  libc6                          2.27-1
ii  libdbi-perl [perl-dbdabi-94]   1.640-1
ii  libmariadbclient18             1:10.1.29-6
ii  perl                           5.26.1-5
ii  perl-base [perlapi-5.26.1]     5.26.1-5
ii  zlib1g                         1:1.2.8.dfsg-5

libdbd-mysql-perl recommends no packages.

libdbd-mysql-perl suggests no packages.

-- no debconf information
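
The three openssl checks listed under item 3 of the report (expiry, hostname in the certificate, chain to the CA file), scripted as an added example that is not part of the original report. The function names and the throwaway certificates it generates are hypothetical, constructed sample input; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not taken from the report.

# check_server_cert CA_FILE CERT_FILE HOSTNAME
# Prints the first failing check and returns 1, or prints "ok" and returns 0.
check_server_cert() {
    ca=$1 cert=$2 host=$3

    # Check 1: the certificate has not expired (still valid 0 seconds from now).
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "expired or unreadable: $cert"; return 1; }

    # Check 2: the hostname matches the certificate (SAN entries are consulted).
    # -checkhost reports its result as text, so match on the output.
    match=$(openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null)
    case $match in
        *"does match"*) ;;
        *) echo "hostname mismatch: $host"; return 1 ;;
    esac

    # Check 3: the certificate chains to the given CA file.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "does not verify against $ca"; return 1; }

    echo "ok"
}

# Constructed sample input: a throwaway CA and a server certificate whose
# only name is the SAN DNS:example.com, written into directory $1.
make_sample_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample CA" \
        -keyout "$d/ca_key.pem" -out "$d/ca_cert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=sample server" \
        -keyout "$d/srv_key.pem" -out "$d/srv.csr" 2>/dev/null
    printf 'subjectAltName=DNS:example.com\n' > "$d/san.ext"
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca_cert.pem" \
        -CAkey "$d/ca_key.pem" -CAcreateserial -days 1 \
        -extfile "$d/san.ext" -out "$d/srv_cert.pem" 2>/dev/null
}

# Demo run against the constructed certificates.
tmp=$(mktemp -d) && make_sample_certs "$tmp" &&
    check_server_cert "$tmp/ca_cert.pem" "$tmp/srv_cert.pem" example.com
rm -rf "$tmp"
```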