Azure-docs: not verifying the certificate

Created on 20 Feb 2019 · 13 Comments · Source: MicrosoftDocs/azure-docs

You're suggesting to disable verifying the certificate (trustServerCertificate=true (edited), MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT, etc.), probably because the shared database server serves only one certificate, for its canonical hostname, something.like.databases.windows.net, and not for mydemoserver.mariadb.database.azure.com.

Am I not correct to state that a man in the middle can then easily use a self-signed certificate to sniff or even manipulate the connection? The "only thing he has to do" is to get physically in the middle. But still...


Labels: Pri2, assigned-to-author, mariadsvc, product-question, triaged

All 13 comments

@roelal Thanks for the feedback! We are currently investigating and will update you shortly.

@roelal Thank you for the detailed feedback. It is possible an update to the document has been made as I am not able to find any reference to trustServerCertificate=false. The Java (MariaDB) client sample is using true.

// Java: string literals need double quotes; single quotes are char literals and do not compile.
// trustServerCertificate=true keeps the behaviour discussed here: the server certificate is not verified.
url = String.format("jdbc:mariadb://%s/%s?useSSL=true&trustServerCertificate=true", "mydemoserver.mariadb.database.azure.com", "quickstartdb");

Sorry, I meant trustServerCertificate=true. Which means that the server certificate is not verified. See the mariadb connector docs.

Thanks for the feedback! I have assigned the issue to the content author to evaluate and update as appropriate.

@roelal, we are in the process of fixing the server certificate to include the host name. Once that fix is available, you will be able to use trustServerCertificate=false. I will update this thread when the fix is available.

Thx, @ajlam. That sounds good. Can I follow that process anywhere? Was it announced?

@roelal, unfortunately there is no deployment announcement. I will keep you posted on the availability.

@roelal, I will keep you posted on this thread with deployment updates.

Closing this issue for now. #please-close

Why are you closing this issue? This is something that users would certainly want to know about. Currently, MariaDB on Azure is only accessible if you disable TLS or disable server identification. That is a big deal.

And it's an easy fix, too. All you have to do is add *.mariadb.database.azure.com to the subjectAltName extension on your X.509 certificates that you deploy.

While we are on the subject, you're using a wildcard certificate that has excessively generous wildcards. The common name is cr1.eastus1-a.control.database.windows.net, and these are all of the Subject Alternative Names:

cr1.eastus1-a.control.database.windows.net
*.cr1.eastus1-a.control.database.windows.net
eastus1-a.control.database.windows.net
*.eastus1-a.control.database.windows.net
*.database.windows.net
*.secondary.database.windows.net
*.mysql.database.azure.com
*.postgres.database.azure.com

This means that if the private key that you use to encrypt traffic to one database is exfiltrated, literally every single Azure MySQL and Postgres connection can be intercepted and decrypted. And there may be other database types affected--I just have not checked. This is very poorly configured, and surprising given Microsoft's reputation for state-of-the-art cybersecurity.

I would be happy to help give more detail on how to configure TLS better. The gist is to automate deployment of endpoint-specific certificates. (And, no, this is not an attempt to sell you anything; I would help for free because I am a nerd.)

@JonathanWilbur, thanks for the comment. Our fix to add MariaDB to our SAN is in the process of rolling out. We had a delay in our deployment schedule, which is why it has taken a bit longer than intended for the changes to be made available for the MariaDB service.

ETA May 17th for rollout.

@ajlam Is the new certificate covering MariaDB rolled out? I still receive an error when connecting over SSL.

Caused by: java.sql.SQLNonTransientConnectionException: SSL hostname verification failed : DNS host "xxx.mariadb.database.azure.com" doesn't correspond to certificate CN "cr1.westeurope1-a.control.database.windows.net" and SAN[{DNS:"cr1.westeurope1-a.control.database.windows.net"},{DNS:"*.cr1.westeurope1-a.control.database.windows.net"},{DNS:"westeurope1-a.control.database.windows.net"},{DNS:"*.westeurope1-a.control.database.windows.net"},{DNS:"*.database.windows.net"},{DNS:"*.secondary.database.windows.net"},{DNS:"*.mysql.database.azure.com"},{DNS:"*.postgres.database.azure.com"}]
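The hostname check that produced the error above can be reproduced offline. The following is an added example, not code from the issue thread, from Azure, or from MariaDB Connector/J: it implements the RFC 6125 DNS-ID matching rules that TLS clients apply (a wildcard is honoured only as the whole leftmost label and matches exactly one label), runs the SAN list transcribed from the error message against a MariaDB hostname, and then adds the "*.mariadb.database.azure.com" entry proposed earlier in the thread. The hostnames used as input ("xxx.mariadb.database.azure.com", "myserver.mysql.database.azure.com", and so on) are constructed placeholders, and adding the MariaDB entry to that same certificate is an assumption about how the fix was deployed.

```python
"""Hostname-vs-SAN matcher following RFC 6125 DNS-ID rules.

Added illustration for the thread above; it is not code from the issue,
from Azure, or from MariaDB Connector/J. The SAN list is transcribed from
the connection error quoted in the thread.
"""
from __future__ import annotations

# DNS-ID SAN entries exactly as reported in the connection error above.
AZURE_SAN_BEFORE_FIX = [
    "cr1.westeurope1-a.control.database.windows.net",
    "*.cr1.westeurope1-a.control.database.windows.net",
    "westeurope1-a.control.database.windows.net",
    "*.westeurope1-a.control.database.windows.net",
    "*.database.windows.net",
    "*.secondary.database.windows.net",
    "*.mysql.database.azure.com",
    "*.postgres.database.azure.com",
]

# Entry proposed in the thread as the fix (assumption: appended to the same certificate).
MARIADB_SAN = "*.mariadb.database.azure.com"

# Constructed placeholder hostnames, one per service, for the blast-radius check.
SAMPLE_HOSTS = [
    "xxx.mariadb.database.azure.com",      # MariaDB: the case that failed in the thread
    "myserver.mysql.database.azure.com",   # Azure Database for MySQL
    "myserver.postgres.database.azure.com",  # Azure Database for PostgreSQL
    "myserver.database.windows.net",       # Azure SQL Database
]


def dns_id_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID match as TLS clients perform it.

    '*' is accepted only as the entire leftmost label, matches exactly one
    label, and must leave at least two literal labels, so
    '*.database.windows.net' covers 'foo.database.windows.net' but not
    'a.b.database.windows.net', and '*.net' is rejected outright.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False  # partial-label or non-leftmost wildcards are not honoured
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    return p_labels[1:] == h_labels[1:]


def matching_san(hostname: str, san_entries: list[str]) -> str | None:
    """Return the first SAN entry covering hostname, or None when hostname
    verification would fail (the error seen in the thread)."""
    for entry in san_entries:
        if dns_id_matches(entry, hostname):
            return entry
    return None


def coverage(hostnames: list[str], san_entries: list[str]) -> dict[str, str | None]:
    """Map each hostname to the SAN entry that covers it (None = not covered).
    Shows how many distinct services one certificate, and so one private key,
    vouches for."""
    return {host: matching_san(host, san_entries) for host in hostnames}


if __name__ == "__main__":
    before = coverage(SAMPLE_HOSTS, AZURE_SAN_BEFORE_FIX)
    after = coverage(SAMPLE_HOSTS, AZURE_SAN_BEFORE_FIX + [MARIADB_SAN])
    for host in SAMPLE_HOSTS:
        print(f"{host:40} before: {before[host]!s:42} after: {after[host]}")
```

Running the block prints that the MariaDB hostname is covered by nothing in the original list, which is exactly the SQLNonTransientConnectionException above, while the MySQL, PostgreSQL and SQL Database hostnames are each covered by a wildcard in the same certificate; that second observation is the key-exfiltration concern raised earlier in the thread, since every one of those connections trusts the same private key.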

My apologies for the delay. The new certificate should be rolled out.
