TiDB Server does not verify the validity period of the client certificate? #15229

Closed
weekface opened this issue Mar 9, 2020 · 2 comments
Labels: security (Everything related with security)

Comments


weekface commented Mar 9, 2020

Bug Report

Please answer these questions before submitting your issue. Thanks!

  1. What did you do?

I created the client certificate following this guide: https://pingcap.com/docs/stable/how-to/secure/enable-tls-clients.

I waited until the certificate expired. Then I used mariadb-client to connect to TiDB Server.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            fa:bc:68:3f:2c:94:e7:ae:1a:e1:e6:26:3f:20:ab:9c
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = PingCAP, CN = TiDB Client
        Validity
            Not Before: Mar  9 08:35:45 2020 GMT
            Not After : Mar  9 08:45:45 2020 GMT
        Subject: O = PingCAP, CN = TiDB Client
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
  2. What did you expect to see?

The TiDB Server should reject the connection, because the client certificate had expired.

  3. What did you see instead?

Connected to TiDB Server successfully.

  4. What version of TiDB are you using (tidb-server -V or run select tidb_version(); on TiDB)?

Release Version: v3.0.8
Git Commit Hash: 8f13cf1449bd8903ff465a4f12ed89ecbac858a4
Git Branch: HEAD
UTC Build Time: 2019-12-31 11:14:59
GoVersion: go version go1.13 linux/amd64
Race Enabled: false
TiKV Min Version: v3.0.0-60965b006877ca7234adaced7890d7b029ed1306
Check Table Before Drop: false
@weekface weekface added the type/bug The issue is confirmed as a bug. label Mar 9, 2020
@SunRunAway SunRunAway added the security Everything related with security label Mar 11, 2020
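The check the report expects the server to perform, written as an added example in Go (not TiDB's code): an explicit NotBefore/NotAfter check on the presented client certificate, of the kind a server can run from tls.Config.VerifyPeerCertificate in addition to normal chain verification. Function names are hypothetical, and the certificate is constructed in code with the same ten-minute validity window as the one pasted above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkValidity (hypothetical name) re-checks the validity period of the
// presented leaf certificate against the supplied clock. A server would
// call it with time.Now() from tls.Config.VerifyPeerCertificate.
func checkValidity(rawCerts [][]byte, now time.Time) error {
	if len(rawCerts) == 0 {
		return fmt.Errorf("no client certificate presented")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return fmt.Errorf("parse client certificate: %w", err)
	}
	if now.Before(leaf.NotBefore) {
		return fmt.Errorf("client certificate not yet valid (NotBefore %s)", leaf.NotBefore.UTC())
	}
	if now.After(leaf.NotAfter) {
		return fmt.Errorf("client certificate expired (NotAfter %s)", leaf.NotAfter.UTC())
	}
	return nil
}

// makeClientCert builds a constructed, self-signed client certificate (DER)
// valid only between notBefore and notAfter; used to exercise the check.
func makeClientCert(notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{"PingCAP"}, CommonName: "TiDB Client"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}
```

A certificate issued at 08:35:45 with a ten-minute window passes the check at 08:40:45 and is rejected at 09:35:45 or before issuance.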

lysu commented Nov 4, 2020

It's caused by the Docker Alpine image's SSL library issue; with the standard Ubuntu-based image it works well.

@lysu lysu closed this as completed Nov 4, 2020
@ti-srebot

Please edit this comment to complete the following information

Not a bug

  1. Remove the 'type/bug' label
  2. Add notes to indicate why it is not a bug

Duplicate bug

  1. Add the 'type/duplicate' label
  2. Add the link to the original bug

Bug

Note: Make Sure that 'component', and 'severity' labels are added
Example for how to fill out the template: #20100

1. Root Cause Analysis (RCA) (optional)

2. Symptom (optional)

3. All Trigger Conditions (optional)

4. Workaround (optional)

5. Affected versions

6. Fixed versions

@lysu lysu removed type/bug The issue is confirmed as a bug. severity/major labels Nov 4, 2020