Hi, Dulux-Oz,

The error comes from MariaDB trying to check your "REQUIRE SUBJECT" clause.

If you check the documentation - https://mariadb.com/kb/en/grant/#tls-options - you'll see that an example of REQUIRE SUBJECT looks like

    GRANT USAGE ON *.* TO 'alice'@'%' REQUIRE SUBJECT '/CN=alice/O=My Dom, Inc./C=US/ST=Oregon/L=Portland';

That is, you need to specify a slash as a part of the subject. Internally "subject" is retrieved using the OpenSSL function X509_NAME_oneline() and what you specify in REQUIRE SUBJECT must match that. MariaDB doesn't do any parsing of the subject of any kind.

Regards,
Sergei
Chief Architect, MariaDB Server
and secur...@mariadb.org

On Jan 24, duluxoz via discuss wrote:
> Hi All,
>
> I'm not sure if this was a Postfix issue, a TLS Certificate issue,
> and/or a MariaDB issue, so I started in the Postfix mailing lists. Their
> reply (below) indicated that I should post here instead - apologies if
> this is not the right place.
>
> My original post:
>
> I'm using a MariaDB backend to Postfix. Everything is working correctly
> until I attempt to secure the Postfix<->MariaDB connection with a TLS
> Certificate. When I perform a `postmap -q example.com
> mysql:/etc/postfix/virtual_domains.cf` command on the postfix server
> *without* using TLS I get a successful response. However, when I engage
> TLS I get the following error in the MariaDB log: `X509 subject
> mismatch: should be 'CN=mail_u...@example.com' but is
> '/CN=mail_u...@example.com'`.
>
> Now, obviously the issue is the extra '/' at the start of the 'CN=', but
> for the life of me I can't figure out where that '/' is coming from.
>
> It is *not* in the TLS Certificate (verified by OpenSSL).
>
> It is *not* in the virtual_domains.cf file (see below).
>
> It is *not* in the MariaDB 'GRANT' statement used to allow access to the
> database: `GRANT SELECT ON mail_server.* TO 'mail_user'@'example.com'
> IDENTIFIED BY '{PASWORD OBSCURED}' REQUIRE SUBJECT
> 'CN=mail_u...@example.com'`.
>
> OS of both servers: Rocky Linux 9.5
>
> Postfix Version: 3.9.1
>
> MariaDB Version: 11.6.2
>
> virtual_domains.cf:
>
> ~~~
> hosts = mariadb.example.com
> dbname = mail_server
> user = mail_user
> password = {PASWORD OBSCURED}
> tls_cert_file = /etc/pki/tls/certs/mail_u...@exampl.com.crt
> tls_key_file = /etc/pki/tls/certs/mail_u...@exampl.com.key
> tls_CApath = /etc/pki/tls/certs/root_ca.crt
> query = SELECT TRUE FROM virtual_domains WHERE domain_name='%s'
> ~~~
>
> The Postfix mailing list reply:
>
> There is (of course, if one happens to know too much about X.509 naming) no
> such "slash" in the actual certificate. The subject DN is a sequence
> of relative distinguished names (RDNs) of which CN=... is in this
> case the first element. There are many ways to write the sequence
> as a string, the two most popular are:
>
>     /RDN1/RDN2/.../RDNx
>     RDN1, RDN2, ..., RDNx
>
> It looks like you have a buggy MariaDB library that expects to get DNs in the
> second format, but ends up with the first, because of a failure to be
> specific about the format, or just outright getting it wrong...
>
> Perhaps the default changed between OpenSSL 1.1.1 and 3.0, or something
> about the way OpenSSL was built? Anyway, Postfix is just the messenger,
> it is the MariaDB library that sets up the TLS connection.
>
> Could someone please point me in the right direction to get this sorted
> - thanks
>
> Cheers
>
> Dulux-Oz

_______________________________________________
discuss mailing list -- discuss@lists.mariadb.org
To unsubscribe send an email to discuss-le...@lists.mariadb.org
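The comparison Sergei describes, as an added example that is not part of the thread or of MariaDB's code: MariaDB takes the client certificate's subject exactly as OpenSSL's X509_NAME_oneline() renders it (each RDN as "/<short name>=<value>", bytes outside printable ASCII escaped as \xHH) and string-compares it with the REQUIRE SUBJECT value. The functions below model that rendering and check in pure Python, using the alice subject from the MariaDB docs as constructed input; the RDN list stands in for what would be read from a real certificate, and values are assumed to be UTF-8 strings.

```python
# Model of how a MariaDB REQUIRE SUBJECT clause is matched against a client
# certificate. Constructed example, not MariaDB or OpenSSL code.

def x509_name_oneline(rdns):
    """Render (attr, value) pairs the way OpenSSL X509_NAME_oneline() does:
    every entry prefixed by '/', bytes outside 0x20..0x7E written as \\xHH
    (uppercase hex). Assumes values are UTF-8 strings."""
    parts = []
    for attr, value in rdns:
        raw = value.encode("utf-8")
        escaped = "".join(
            chr(b) if 0x20 <= b <= 0x7E else "\\x%02X" % b for b in raw
        )
        parts.append(f"/{attr}={escaped}")
    return "".join(parts)


def comma_form(rdns):
    """The 'CN=..., O=...' form humans usually copy into GRANT statements.
    MariaDB never accepts this form; it is shown only for contrast."""
    return ", ".join(f"{attr}={value}" for attr, value in rdns)


def check_require_subject(require_subject, rdns):
    """Return (ok, log_line). MariaDB does a plain string compare, no parsing,
    so the REQUIRE SUBJECT text must equal the oneline rendering byte for byte."""
    actual = x509_name_oneline(rdns)
    if require_subject == actual:
        return True, ""
    return False, (
        f"X509 subject mismatch: should be '{require_subject}' but is '{actual}'"
    )


if __name__ == "__main__":
    # Subject from the MariaDB GRANT documentation example (constructed RDN list).
    alice = [("CN", "alice"), ("O", "My Dom, Inc."), ("C", "US"),
             ("ST", "Oregon"), ("L", "Portland")]
    # The comma form looks right but fails, because the slash-prefixed form is
    # what the server compares against.
    print(check_require_subject(comma_form(alice), alice))
    # The value to put in REQUIRE SUBJECT is the oneline rendering itself.
    print(check_require_subject(x509_name_oneline(alice), alice))
    # Non-ASCII attribute values must be written with \xHH escapes.
    print(x509_name_oneline([("O", "Caf\u00e9")]))
```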