Thanks Viktor,
As I said, I didn't know if it was a Postfix, TLS Cert, or MariaDB
issue. I'll post over in the MariaDB lists.

On 24/1/25 18:24, Viktor Dukhovni via Postfix-users wrote:
> On Fri, Jan 24, 2025 at 03:30:43PM +1100, duluxoz via Postfix-users wrote:
>
> > I'm using a MariaDB backend to Postfix. Everything is working correctly
> > until I attempt to secure the Postfix<->MariaDB connection with a TLS
> > Certificate. When I perform a `postmap -q example.com
> > mysql:/etc/postfix/virtual_domains.cf` command on the postfix server
> > *without* using TLS I get a successful response. However, when I engage TLS
> > I get the following error in the MariaDB log: `X509 subject mismatch: should
> > be 'CN=mail_u...@example.com' but is '/CN=mail_u...@example.com'`.
> >
> > Now, obviously the issue is the extra '/' at the start of the 'CN=', but for
> > the life of me I can't figure out where that '/' is coming from.
>
> There is (of course if one happens to know too much about X.509 naming) no
> such "slash" in the actual certificate. The subject DN is a sequence
> of relative distinguished names (RDNs) of which CN=... is in this
> case the first element. There are many ways to write the sequence
> as a string, the two most popular are:
>
>     /RDN1/RDN2/.../RDNx
>     RDN1, RDN2, ..., RDNx
>
> It looks like you have a buggy MariaDB library that expects to get DNs in the
> second format, but ends up with the first, because of a failure to be
> specific about the format, or just outright getting it wrong...
>
> Perhaps the default changed between OpenSSL 1.1.1 and 3.0, or something
> about the way OpenSSL was built? Anyway, Postfix is just the messenger,
> it is the MariaDB library that sets up the TLS connection.
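
The two string notations described in the quoted reply, as an added example that is not part of the original thread: the same RDN sequence rendered both ways fails a plain string comparison but matches once each string is parsed back into RDNs. The function names and the sample DN are constructed, and the parser assumes attribute values contain no `/`, `,` or escape sequences.

```python
# Added illustration, not code from Postfix, MariaDB or OpenSSL.
# The sample subject below is constructed.

def render_slash(rdns):
    """First notation from the thread: /RDN1/RDN2/.../RDNx"""
    return "".join(f"/{attr}={value}" for attr, value in rdns)


def render_comma(rdns):
    """Second notation from the thread: RDN1, RDN2, ..., RDNx"""
    return ", ".join(f"{attr}={value}" for attr, value in rdns)


def parse_dn(text):
    """Parse either notation into an ordered list of (type, value) pairs.

    Assumption: values contain no '/', ',' or backslash escapes.
    """
    text = text.strip()
    # A leading '/' marks the slash-separated notation.
    parts = text[1:].split("/") if text.startswith("/") else text.split(",")
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"not a type=value RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def same_subject(a, b):
    """Compare two DN strings by RDN sequence rather than by characters."""
    return parse_dn(a) == parse_dn(b)


SAMPLE = [("C", "AU"), ("O", "Example Org"), ("CN", "postfix-client.example.com")]

if __name__ == "__main__":
    slash, comma = render_slash(SAMPLE), render_comma(SAMPLE)
    print(slash)
    print(comma)
    print("string equal:", slash == comma)
    print("same subject:", same_subject(slash, comma))
```
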