MySqlConnector
                        SSL Mode=VerifyFull error
I'm using MySqlConnector v0.69.9 with Pomelo EF Core driver v3.1.2. I'm trying to set up an SSL connection to a MySQL database. If I specify VerifyCA mode in my connection string, I'm able to connect and get no errors. When I try VerifyFull mode, I get "The remote certificate is invalid according to the validation procedure" error. It appears to be a host mismatch error, but I've looked and looked and can't seem to understand why this error occurs. The CN name of the certificate installed on the MySQL server matches the "Server" property of the connection string, so this is really odd.
Is there a way to log what certificate MySQLConnector receives inside ValidateRemoteCertificate(....) function? Could it be something other than the host mismatch error?
Thanks in advance.
One minor comment. If I use MySQL Workbench to connect to the MySQL server, it works when I specify the CA file with the 'Require and Verify Identity' option in the UI, but doing a similar thing via a .NET Core 3.1 program, setting VerifyFull and setting the SslCa option to the CA filename, doesn't work. Any idea what's going on here?
What kind of MySQL Server are you using? Is it a standalone server, or a cluster? Self-managed, or cloud-managed? If you're using an Aurora cluster, have you read through the comments on https://github.com/mysql-net/MySqlConnector/issues/498#issuecomment-642860054?
What is the Subject in the SSL certificate the server is providing?
What version of .NET Core are you using?
Standalone MySQL 5.7.30. Using .NET Core 3.1. The subject in the certificate contains a CN name that matches the database server name. Also, when I switch to the Oracle MySQL driver, the same code works. I get no errors with the VerifyFull option with the Oracle MySQL driver and I get errors when using Pomelo/MySqlConnector. This is really odd.
Here is my connection string: Port=3306;Convert Zero Datetime=True;Server=XXXX;Database=XXXX;User Id=XXXX;Password=XXXX;SSL Mode=VerifyFull;TreatTinyAsBoolean=false;
The Server property in the connection string is an exact match of the CN name in the certificate.
I think I know what's going on here. It seems like when VerifyFull option is used, the connector sets checkCertificateRevocation to true for SslStream.AuthenticateAsClientAsync() method. In Oracle driver code, it's always hardcoded to be false. I'm guessing by setting the flag to true with VerifyFull option, I get certificate chain errors from .NET Core framework itself. Is there a way to control revocation flag?
checkCertificateRevocation is set based on whether you're using VerifyFull (true) or VerifyCA (false).
If you don't have a valid certificate chain, and are willing to ignore certificate chain errors when connecting, I think you should use the VerifyCA option.
The certificate chain appears to be valid. However, both the root cert and the CA cert in the chain are internal certs, meaning company-signed trusted certs. I created a separate program just to check the certificate chain against the database certificate and I get no errors. The only plausible scenario is that the error I get is RemoteCertificateNotAvailable during certificate validation. Is that really possible? Maybe VerifyFull is only intended to work with certificates signed by real certificate authorities like Verisign?
Just checking: are you supplying your custom CA to MySqlConnector using the SslCa (aka CACertificateFile) connection string option?
Yes. I did that as well. When I supplied the SslCa value in the connection string, I could see the certificate chain being loaded with 2 certificates (the CA one and the trusted root authority one) in the log file, but I was still getting errors. I even created my own custom program where I tried loading the certificate chain and using the caChain.Build() method with the certificate, but I didn't get any errors from caChain.Build(). That leads me to believe that I'm getting a RemoteCertificateNotAvailable error when certificate validation occurs, since this is the only reasonable explanation for the failure. I wish there was a way to log the actual SSL policy error code and maybe the certificate information in the ValidateRemoteCertificate() method.
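The two things the thread keeps circling back to are (a) seeing the actual SslPolicyErrors value and chain status that the validation callback receives, and (b) how the checkCertificateRevocation flag that VerifyFull turns on changes the outcome of chain building for an internally signed certificate. The following is an added diagnostic example, not MySqlConnector's own code and not code from anyone in this thread. It does not assume that MySqlConnector v0.69.9 exposes a certificate-validation hook; it only uses the standard .NET RemoteCertificateValidationCallback delegate shape (System.Net.Security) so the same method could be handed to SslStream or any library that accepts that delegate. The CA, the server certificate and the name "db.example.internal" are all constructed in memory so the program runs offline on .NET Core 3.1 or later; the helper names TlsDiagnostics, LogAndValidate, BuildWithCustomCa and MakeTestCerts are hypothetical.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic example (hypothetical class, not MySqlConnector code).
static class TlsDiagnostics
{
    // Same signature as RemoteCertificateValidationCallback. It logs everything the
    // thread wished it could see: the policy-error flags, whether a certificate was
    // received at all (the RemoteCertificateNotAvailable case), the names in the
    // certificate, and every chain element and chain status.
    public static bool LogAndValidate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        Console.WriteLine($"SslPolicyErrors: {sslPolicyErrors}");
        if (certificate == null)
        {
            Console.WriteLine("No certificate was received from the server.");
            return false;
        }
        var cert2 = new X509Certificate2(certificate);
        Console.WriteLine($"Subject:    {cert2.Subject}");
        Console.WriteLine($"DNS name:   {cert2.GetNameInfo(X509NameType.DnsName, false)}");
        Console.WriteLine($"Issuer:     {cert2.Issuer}");
        Console.WriteLine($"Thumbprint: {cert2.Thumbprint}");
        Console.WriteLine($"Validity:   {cert2.NotBefore:u} .. {cert2.NotAfter:u}");
        if (chain != null)
        {
            foreach (var element in chain.ChainElements)
                Console.WriteLine($"  element: {element.Certificate.Subject}");
            foreach (var status in chain.ChainStatus)
                Console.WriteLine($"  status:  {status.Status}: {status.StatusInformation.Trim()}");
        }
        // Only accept a connection when the platform found nothing wrong.
        return sslPolicyErrors == SslPolicyErrors.None;
    }

    // Builds the chain the way a custom-CA validator has to on .NET Core 3.1: the CA that
    // would come from SslCa goes into ExtraStore, an untrusted root is tolerated by the
    // verification flags, and the caller then confirms that the root the engine picked
    // really is that CA (by thumbprint). checkRevocation mirrors the flag SslStream gets:
    // true behaves like VerifyFull, false like VerifyCA.
    public static (bool ok, X509ChainStatus[] statuses) BuildWithCustomCa(
        X509Certificate2 leaf, X509Certificate2 ca, bool checkRevocation)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.ExtraStore.Add(ca);
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        chain.ChainPolicy.RevocationMode =
            checkRevocation ? X509RevocationMode.Online : X509RevocationMode.NoCheck;
        bool built = chain.Build(leaf);
        var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        bool rootIsOurCa = string.Equals(root.Thumbprint, ca.Thumbprint, StringComparison.OrdinalIgnoreCase);
        return (built && rootIsOurCa, chain.ChainStatus);
    }

    // Constructed sample: an internal CA and a server certificate it signs, generated in
    // memory. No CRL or OCSP distribution points are attached, which is the usual state
    // of an internally signed database certificate.
    public static (X509Certificate2 ca, X509Certificate2 leaf) MakeTestCerts(string serverName)
    {
        var caKey = RSA.Create(2048);
        var caReq = new CertificateRequest("CN=Example Internal CA", caKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        caReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        caReq.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(caReq.PublicKey, false));
        var ca = caReq.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(5));

        var leafKey = RSA.Create(2048);
        var leafReq = new CertificateRequest($"CN={serverName}", leafKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        leafReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, false));
        var san = new SubjectAlternativeNameBuilder();
        san.AddDnsName(serverName);
        leafReq.CertificateExtensions.Add(san.Build());
        var leaf = leafReq.Create(ca, DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1),
            new byte[] { 0x01, 0x02, 0x03, 0x04 });
        return (ca, leaf);
    }

    public static void Main()
    {
        var (ca, leaf) = MakeTestCerts("db.example.internal");
        foreach (bool revocation in new[] { false, true })
        {
            var (ok, statuses) = BuildWithCustomCa(leaf, ca, revocation);
            Console.WriteLine($"checkRevocation={revocation} ({(revocation ? "VerifyFull-like" : "VerifyCA-like")}): ok={ok}");
            foreach (var s in statuses)
                Console.WriteLine($"  {s.Status}: {s.StatusInformation.Trim()}");
        }
    }
}
```

Running this, the revocation=false pass normally succeeds (the only status reported is UntrustedRoot, which the thumbprint comparison resolves), while the revocation=true pass is typically rejected with RevocationStatusUnknown (and OfflineRevocation on some platforms) because the internal CA publishes no CRL or OCSP endpoint the chain engine can reach. That is the difference between VerifyCA and VerifyFull that the thread describes, and it is a chain-status error rather than a hostname mismatch or a missing certificate; logging the statuses as LogAndValidate does is what distinguishes the three cases.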
Closing old issue without a consistent repro.