Fix SSL CA validation. Fixes #1462 · mysql-net/MySqlConnector@e855216 · GitHub


Commit e855216

committed
Fix SSL CA validation. Fixes #1462
Build a chain from the last certificate in the certificate chain presented by the remote server. If we have an untrusted root, verify that the root certificate in the chain is one of the certificates specified by MySqlConnectionStringBuilder.SslCa.
1 parent d9e59c7 commit e855216


1 file changed

+17
-5
lines changed


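--- a/src/MySqlConnector/Core/ServerSession.cs
+++ b/src/MySqlConnector/Core/ServerSession.cs
@@ -1389,18 +1389,30 @@ private async Task InitSslAsync(ProtocolCapabilities serverCapabilities, Connect
 
 bool ValidateRemoteCertificate(object rcbSender, X509Certificate? rcbCertificate, X509Chain? rcbChain, SslPolicyErrors rcbPolicyErrors)
 {
+// if no CA verification is required, then we trust any remote certificate
 if (cs.SslMode is MySqlSslMode.Preferred or MySqlSslMode.Required)
 return true;
 
+// if there are errors, then try to build a path to a root certificate from the certificates presented by the remote host
 if ((rcbPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) != 0 &&
-rcbCertificate is not null &&
+rcbChain is not null &&
 caCertificateChain is not null &&
-caCertificateChain.Build((X509Certificate2) rcbCertificate) &&
+caCertificateChain.Build(rcbChain.ChainElements[^1].Certificate) &&
 caCertificateChain.ChainStatus.Length > 0)
 {
-var chainStatus = caCertificateChain.ChainStatus[0].Status & ~X509ChainStatusFlags.UntrustedRoot;
-if (chainStatus == X509ChainStatusFlags.NoError)
-rcbPolicyErrors &= ~SslPolicyErrors.RemoteCertificateChainErrors;
+// if the only error is an Untrusted Root Certificate, then check all provided SSL CA certificates to see if one is the root
+if (caCertificateChain.ChainStatus[0].Status == X509ChainStatusFlags.UntrustedRoot)
+{
+var rootCertificate = caCertificateChain.ChainElements[^1].Certificate;
+foreach (var sslCaCertificate in caCertificateChain.ChainPolicy.ExtraStore)
+{
+if (rootCertificate.RawData.AsSpan().SequenceEqual(sslCaCertificate.RawData))
+{
+rcbPolicyErrors &= ~SslPolicyErrors.RemoteCertificateChainErrors;
+break;
+}
+}
+}
 }
 
 if (cs.SslMode == MySqlSslMode.VerifyCA)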
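Review bot: The new `if (caCertificateChain.ChainStatus[0].Status == X509ChainStatusFlags.UntrustedRoot)` inspects only the first status entry, but X509Chain.ChainStatus carries one entry per distinct problem found across the chain, so a chain that is both untrusted-root and, say, NotTimeValid or RevocationStatusUnknown would still have the chain error cleared whenever UntrustedRoot happens to be listed first; the comment says "the only error", so the code should require that too, e.g. `if (caCertificateChain.ChainStatus.Length == 1 && caCertificateChain.ChainStatus[0].Status == X509ChainStatusFlags.UntrustedRoot)`. That also fixes the case where the old code's `chainStatus == NoError` masking was at least explicit about ignoring other flags. It is worth noting that this path treats the root's RawData match against ChainPolicy.ExtraStore as the trust decision; whether ExtraStore holds exactly the SslCa certificates and nothing else is set up outside this hunk and I cannot confirm it from here. If the supported target frameworks allow it, X509ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust with CustomTrustStore (.NET 5+) expresses this intent directly and lets the platform evaluate the whole chain against the pinned roots. ValidateRemoteCertificate continues past the end of the hunk.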
