Bug#892514: libdbd-mysql-perl: 4.046-1 SSL certificate validation failure

Corey Hickey bugfood-c at fatooh.org
Fri Mar 9 21:33:24 UTC 2018


Package: libdbd-mysql-perl
Version: 4.046-1
Severity: normal

Dear Maintainer,

Upon upgrade from 4.041-2+b1 to 4.046-1, I can no longer connect to our
mysql database with SSL. Reverting to 4.041-2+b1 makes the connection
work again.

Here is a test script to reproduce (with database name and hostname set
to example values).
-----------------------------------------------------------------------
#!/usr/bin/perl
use DBI;
my $dsn = 'DBI:mysql:database=exampledb;host=example.com;mysql_ssl=1;mysql_ssl_ca_file=/tmp/ca_cert.pem';
my $conn = DBI->connect($dsn, 'foo', 'foo');
-----------------------------------------------------------------------



Outputs from the versions follow, with internal
information replaced with '<cut>'.

On 4.041-2+b1:
-----------------------------------------------------------------------
DBI connect('database=<cut>;host=<cut>;mysql_ssl=1;mysql_ssl_ca_file=/tmp/ca_cert.pem','foo',...) failed: Access denied for user 'foo'@'<cut>' (using password: YES) at /tmp/test.pl line 4.
-----------------------------------------------------------------------
(access denied is ok--it got past the SSL part)


On 4.046-1:
-----------------------------------------------------------------------
DBI connect('database=<cut>;host=<cut>;mysql_ssl=1;mysql_ssl_ca_file=/tmp/ca_cert.pem','foo',...) failed: SSL connection error: SSL certificate validation failure at /tmp/test.pl line 4.
-----------------------------------------------------------------------
(this one fails)


I have verified the following:
1. That the old version is indeed using SSL, via wireshark.
2. That both old and new versions are reading /tmp/ca_cert.pem, via
   strace.
3. That the server certificate has not expired, that it contains the
   target servername (as an X509v3 SAN), and that it verifies OK
   against the CA cert, via openssl.


I can imagine two possibilities; either:
a. Version 4.046-1 is more strict about validation and something is
   actually wrong, but I can't tell what.
b. There is a regression in validation in 4.046-1.

Either way, it worked before and does not now, so that seems worth
filing a bug over, to start with.

Thanks for your support,
Corey


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libdbd-mysql-perl depends on:
ii  libc6                         2.27-1
ii  libdbi-perl [perl-dbdabi-94]  1.640-1
ii  libmariadbclient18            1:10.1.29-6
ii  perl                          5.26.1-5
ii  perl-base [perlapi-5.26.1]    5.26.1-5
ii  zlib1g                        1:1.2.8.dfsg-5

libdbd-mysql-perl recommends no packages.

libdbd-mysql-perl suggests no packages.

-- no debconf information
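
The three openssl checks listed in item 3 of the report, as an added example that is not part of the original message. It runs them against a constructed throwaway CA and server certificate for the placeholder host db.example.com; the function names, file names and hostname are assumptions of this example.

```shell
#!/bin/sh
# Constructed test material: a throwaway CA plus a server certificate for the
# placeholder host db.example.com, written into directory $1.
make_test_pki() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    printf 'subjectAltName = DNS:db.example.com\n' > "$dir/san.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$dir/ca.cnf" \
        -keyout "$dir/ca_key.pem" -out "$dir/ca_cert.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=db.example.com" -keyout "$dir/srv_key.pem" -out "$dir/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/srv.csr" -days 1 -extfile "$dir/san.ext" \
        -CA "$dir/ca_cert.pem" -CAkey "$dir/ca_key.pem" -CAcreateserial \
        -out "$dir/srv_cert.pem" 2>/dev/null
}

# Usage: check_server_cert CA_FILE CERT_FILE HOSTNAME
# Prints ok, expired, hostname-mismatch or untrusted; returns non-zero on failure.
check_server_cert() {
    ca=$1 cert=$2 host=$3
    # Expiry: -checkend 0 exits non-zero if notAfter has already passed.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo expired; return 1; }
    # Hostname: -checkhost prints "does match" or "does NOT match".
    openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match' ||
        { echo hostname-mismatch; return 1; }
    # Chain: the certificate must verify against the given CA file only.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo untrusted; return 1; }
    echo ok
}

# Demo run on the constructed certificates.
demo=$(mktemp -d) && make_test_pki "$demo" || exit 1
check_server_cert "$demo/ca_cert.pem" "$demo/srv_cert.pem" db.example.com
check_server_cert "$demo/ca_cert.pem" "$demo/srv_cert.pem" other.example.com || true
rm -rf "$demo"
```

These checks exercise the openssl command line only; a client library can apply its own verification rules to the same certificate.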
