Package: libdbd-mysql-perl
Version: 4.046-1
Severity: normal
Dear Maintainer,
Upon upgrade from 4.041-2+b1 to 4.046-1, I can no longer connect to our
mysql database with SSL. Reverting to 4.041-2+b1 makes the connection
work again.
Here is a test script to reproduce (with database name and hostname set
to example values).
-----------------------------------------------------------------------
#!/usr/bin/perl
use DBI;
my $dsn =
'DBI:mysql:database=exampledb;host=example.com;mysql_ssl=1;mysql_ssl_ca_file=/tmp/ca_cert.pem';
my $conn = DBI->connect($dsn, 'foo', 'foo');
-----------------------------------------------------------------------
Outputs from the versions follow, with internal
information replaced with '<cut>'.
On 4.041-2+b1:
-----------------------------------------------------------------------
DBI
connect('database=<cut>;host=<cut>;mysql_ssl=1;mysql_ssl_ca_file=/tmp/ca_cert.pem','foo',...)
failed: Access denied for user 'foo'@'<cut>' (using password: YES) at
/tmp/test.pl line 4.
-----------------------------------------------------------------------
(access denied is ok--it got past the SSL part)
On 4.046-1:
-----------------------------------------------------------------------
DBI
connect('database=<cut>;host=<cut>;mysql_ssl=1;mysql_ssl_ca_file=/tmp/ca_cert.pem','foo',...)
failed: SSL connection error: SSL certificate validation failure at
/tmp/test.pl line 4.
-----------------------------------------------------------------------
(this one fails)
I have verified the following:
1. That the old version is indeed using SSL, via wireshark.
2. That both old and new versions are reading /tmp/ca_cert.pem, via
strace.
3. That the server certificate has not expired, that it contains the
target servername (as an X509v3 SAN), and that it verifies OK
against the CA cert, via openssl.
I can imagine two possiblities; either:
a. Version 4.046-1 is more strict about validation and something is
actually wrong, but I can't tell what.
b. There is a regression in validation in 4.046-1.
Either way, it worked before and does not now, so that seems worth
filing a bug over, to start with.
Thanks for your support,
Corey
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.14.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libdbd-mysql-perl depends on:
ii libc6 2.27-1
ii libdbi-perl [perl-dbdabi-94] 1.640-1
ii libmariadbclient18 1:10.1.29-6
ii perl 5.26.1-5
ii perl-base [perlapi-5.26.1] 5.26.1-5
ii zlib1g 1:1.2.8.dfsg-5
libdbd-mysql-perl recommends no packages.
libdbd-mysql-perl suggests no packages.
-- no debconf information
