Since OpenSSL 3.2, setting CA:TRUE seems to be required; otherwise we get an error when trying to use a CA file without the field. Example of such an error using the openssl verify command:
$ openssl verify -CAfile ca-cert.pem client-cert.pem
CN=ca_mysql2gem
error 79 at 1 depth lookup: invalid CA certificate
error client-cert.pem: verification failed
I ran the script while I was at it to regenerate the files. I am not clear if it is desired for this PR.
JFTR, I am not sure how this will behave on earlier OpenSSLs; I am hoping the CI will provide the answer.
We recently got OpenSSL 3.2.1 in Fedora Rawhide, and as such we have the following test suite failures when the certificate does not contain CA:TRUE in the X509v3 extensions:
Failures:

  1) Mysql2::Client SSL should set ssl_mode option disabled
     Failure/Error:
       expect do
         expect do
           new_client(options)
         end.not_to output(/does not support ssl_mode/).to_stderr
       end.not_to raise_error

       expected no Exception, got #<Mysql2::Error::ConnectionError: TLS/SSL error: invalid CA certificate> with backtrace:
         # ./lib/mysql2/client.rb:97:in `connect'
         # ./lib/mysql2/client.rb:97:in `initialize'
         # /builddir/build/BUILD/spec/spec_helper.rb:33:in `new'
         # /builddir/build/BUILD/spec/spec_helper.rb:33:in `new_client'
         # ./spec/mysql2/client_spec.rb:187:in `block (6 levels) in <top (required)>'
         # ./spec/mysql2/client_spec.rb:186:in `block (5 levels) in <top (required)>'
         # ./spec/mysql2/client_spec.rb:185:in `block (4 levels) in <top (required)>'
         # ./spec/mysql2/client_spec.rb:185:in `block (4 levels) in <top (required)>'

  2) Mysql2::Client SSL should set ssl_mode option required
     Failure/Error:
       expect do
         expect do
           new_client(options)
         end.not_to output(/does not support ssl_mode/).to_stderr
       end.not_to raise_error

       expected no Exception, got #<Mysql2::Error::ConnectionError: TLS/SSL error: invalid CA certificate> with backtrace:
         # ./lib/mysql2/client.rb:97:in `connect'
         # ./lib/mysql2/client.rb:97:in `initialize'
         # /builddir/build/BUILD/spec/spec_helper.rb:33:in `new'
         # /builddir/build/BUILD/spec/spec_helper.rb:33:in `new_client'
         # ./spec/mysql2/client_spec.rb:187:in `block (6 levels) in <top (required)>'
         # ./spec/mysql2/client_spec.rb:186:in `block (5 levels) in <top (required)>'
         # ./spec/mysql2/client_spec.rb:185:in `block (4 levels) in <top (required)>'
         # ./spec/mysql2/client_spec.rb:185:in `block (4 levels) in <top (required)>'

  3) Mysql2::Client SSL should set ssl_mode option verify_identity
     Failure/Error:
       expect do
         expect do
           new_client(options)
         end.not_to output(/does not support ssl_mode/).to_stderr
       end.not_to raise_error

       expected no Exception, got #<Mysql2::Error::ConnectionError: TLS/SSL error: invalid CA certificate> with backtrace:
         # ./lib/mysql2/client.rb:97:in `connect'
         # ./lib/mysql2/client.rb:97:in `initialize'
         # /builddir/build/BUILD/spec/spec_helper.rb:33:in `new'
         # /builddir/build/BUILD/spec/spec_helper.rb:33:in `new_client'
         # ./spec/mysql2/client_spec.rb:187:in `block (6 levels) in <top (required)>'
         # ./spec/mysql2/client_spec.rb:186:in `block (5 levels) in <top (required)>'
         # ./spec/mysql2/client_spec.rb:185:in `block (4 levels) in <top (required)>'
         # ./spec/mysql2/client_spec.rb:185:in `block (4 levels) in <top (required)>'

  4) Mysql2::Client SSL should be able to connect via SSL options
     Failure/Error: connect user, pass, host, port, database, socket, flags, conn_attrs

     Mysql2::Error::ConnectionError:
       TLS/SSL error: invalid CA certificate
     # ./lib/mysql2/client.rb:97:in `connect'
     # ./lib/mysql2/client.rb:97:in `initialize'
     # /builddir/build/BUILD/spec/spec_helper.rb:33:in `new'
     # /builddir/build/BUILD/spec/spec_helper.rb:33:in `new_client'
     # ./spec/mysql2/client_spec.rb:166:in `block (3 levels) in <top (required)>'
     # ./spec/mysql2/client_spec.rb:195:in `block (3 levels) in <top (required)>'
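To reproduce the `invalid CA certificate` check described above without the gem's cert-generation script, here is an added Ruby example (not part of this PR or the mysql2 project) that builds a self-signed CA with the basicConstraints extension omitted, set to CA:FALSE, or set to CA:TRUE, issues a client certificate from it, and verifies the chain with OpenSSL::X509::Store, the programmatic equivalent of `openssl verify -CAfile`. The names, serials and validity window are made up for the example.

```ruby
require "openssl"

# Fill in the fields common to every certificate built below and return the
# still-unsigned certificate (example code, not the gem's gen_certs script).
def base_cert(serial, subject_cn, issuer_name, key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, so extensions are parsed and honoured
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{subject_cn}")
  cert.issuer = issuer_name || cert.subject # nil issuer => self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert
end

# Self-signed CA. `basic_constraints` is nil (extension omitted, the situation
# behind the failures above), "CA:FALSE" or "CA:TRUE".
def make_ca(basic_constraints)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = base_cert(1, "example-ca", nil, key)
  if basic_constraints
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension("basicConstraints", basic_constraints, true))
  end
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Programmatic equivalent of `openssl verify -CAfile ca-cert.pem client-cert.pem`:
# issues a leaf from the CA and returns [verified?, store error string].
def verify_chain(basic_constraints)
  ca_cert, ca_key = make_ca(basic_constraints)
  leaf = base_cert(2, "example-client", ca_cert.subject, OpenSSL::PKey::RSA.new(2048))
  leaf.sign(ca_key, OpenSSL::Digest.new("SHA256"))
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  ok = store.verify(leaf)
  [ok, store.error_string]
end

if __FILE__ == $PROGRAM_NAME
  # The nil case is the one whose outcome depends on the linked OpenSSL version;
  # CA:TRUE verifies and CA:FALSE is rejected as an invalid CA on every version.
  [nil, "CA:FALSE", "CA:TRUE"].each do |bc|
    ok, err = verify_chain(bc)
    puts "basicConstraints=#{bc.inspect}: #{ok ? 'ok' : err}"
  end
end
```

Running it against the system's OpenSSL shows directly whether the installed version accepts a CA certificate that lacks the extension, which is the question left open for CI above.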