List: General Discussion
From:Anders Kaseorg Date:August 18 2010 6:22pm
Subject:Re: How to use SSL? (SSL is enabled but not used)
On Wed, 18 Aug 2010, Shawn Green (MySQL) wrote:
> If the server specifies REQUIRES SSL then that client cannot connect 
> without going through the full SSL validation process. This means that 
> Mallory would need to present the same security credentials that Alice 
> has in order to qualify as a secure user (the same certs, same password, 
> login from the correct host, etc).

Mallory got the username and hashed password from Alice over the 
unencrypted connection, and we assume that Mallory, like any good MITM, 
has the ability to intercept and forge traffic for arbitrary hosts.  So 
this attack goes through against anyone using passwords over SSL.  This 
already constitutes a vulnerability.

Setting up client certificates does help to prevent this form of attack 
where Mallory tries to issue evil commands to Bob.  It does not, however, 
prevent the attack where Mallory ignores Bob, and uses only the 
unencrypted connection to steal data from Alice or poison her with false 
data.  This also constitutes a vulnerability, which, as far as I can see, 
cannot be prevented in any way with the current MySQL software.

> Your redirect has pointed out to me what I missed in Yves's first post. 
> In order for the client to require an SSL connection, you have to 
> designate a certificate for it to use for the connection.

No, that doesn’t work either!  Against a server with SSL disabled:

$ mysql --ssl --ssl-verify-server-cert \
    --ssl-ca=/etc/ssl/certs/ca-certificates.crt \
    --ssl-cert=Private/andersk.pem \
    --ssl-key=Private/andersk.pem \
    -h MY-SERVER
Welcome to the MySQL monitor.  Commands end with ; or \g.
…
mysql> \s
--------------
mysql  Ver 14.14 Distrib 5.1.49, for debian-linux-gnu (x86_64) using readline 6.1
…
SSL:			Not in use

> From the same page but a few lines above the line he quoted
> ##
> This option is not sufficient in itself to cause an SSL connection to be used.
> You must also specify the --ssl-ca option, and possibly the --ssl-cert and
> --ssl-key options.
> ##

This documentation appears to be wrong.

Anders
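The message above shows that passing --ssl (even with a CA, client cert and key) still produced a session with "SSL: Not in use", so a client cannot assume the flag was honoured and has to verify after connecting. The following Python check is an added example, not code from this thread or from the MySQL project: it parses the text the client's `\s` command prints, and separately inspects the rows of `SHOW SESSION STATUS LIKE 'Ssl_%'` (real MySQL status variables) and refuses to proceed when `Ssl_cipher` is empty. The sample outputs and rows are constructed to mirror the message; the "Cipher in use is ..." wording and the cipher name are illustrative values.

```python
"""Verify that a MySQL session is actually encrypted instead of trusting --ssl.

Added example (not from the mailing-list thread or the MySQL project).
Two checks:
  1. parse_status_command() reads the key/value text printed by the mysql
     client's \\s command and status_command_uses_tls() looks at its SSL field;
  2. require_tls() inspects (Variable_name, Value) rows from
     SHOW SESSION STATUS LIKE 'Ssl_%' and fails closed when Ssl_cipher is empty.
All sample inputs below are constructed for the example.
"""
import re
from typing import Iterable, Mapping, Tuple


class PlaintextSessionError(Exception):
    """Raised when a session that should be encrypted is running in cleartext."""


def parse_status_command(text: str) -> dict:
    """Parse lines such as "SSL:\\t\\t\\tNot in use" or "Server version:\\t5.1.49".

    Keys are lowercased; banner and separator lines (no "key:" prefix) are skipped.
    """
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][A-Za-z .]*?):\s+(.*?)\s*$", line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2)
    return fields


def status_command_uses_tls(text: str) -> bool:
    """True only when the \\s output names a cipher rather than "Not in use"."""
    ssl = parse_status_command(text).get("ssl", "")
    return bool(ssl) and not ssl.lower().startswith("not in use")


def require_tls(rows: Iterable[Tuple[str, str]]) -> Mapping[str, str]:
    """Fail closed on the rows of SHOW SESSION STATUS LIKE 'Ssl_%'.

    The session is encrypted only if Ssl_cipher is non-empty; an empty value
    means the client silently fell back to a plaintext connection.
    """
    status = {name: value for name, value in rows}
    cipher = status.get("Ssl_cipher", "")
    if not cipher:
        raise PlaintextSessionError(
            "Ssl_cipher is empty: the connection is not encrypted; "
            "refuse to send credentials or data over it"
        )
    return {"cipher": cipher, "version": status.get("Ssl_version", "")}


# Constructed sample of the \s output, mirroring the message above.
STATUS_PLAINTEXT = """--------------
mysql  Ver 14.14 Distrib 5.1.49, for debian-linux-gnu (x86_64) using readline 6.1

Connection id:\t\t42
Current user:\t\tandersk@localhost
SSL:\t\t\tNot in use
Server version:\t\t5.1.49
--------------
"""

# Constructed counterpart for an encrypted session (cipher name is illustrative).
STATUS_TLS = STATUS_PLAINTEXT.replace(
    "Not in use", "Cipher in use is DHE-RSA-AES256-SHA"
)

# Constructed rows as a DB-API cursor would return them for
# SHOW SESSION STATUS LIKE 'Ssl_%' (values are illustrative).
ROWS_PLAINTEXT = [("Ssl_cipher", ""), ("Ssl_version", "")]
ROWS_TLS = [("Ssl_cipher", "DHE-RSA-AES256-SHA"), ("Ssl_version", "TLSv1")]


if __name__ == "__main__":
    print("\\s reports TLS (plaintext sample):", status_command_uses_tls(STATUS_PLAINTEXT))
    print("\\s reports TLS (TLS sample):      ", status_command_uses_tls(STATUS_TLS))
    print("status rows (TLS sample):", require_tls(ROWS_TLS))
    try:
        require_tls(ROWS_PLAINTEXT)
    except PlaintextSessionError as exc:
        print("status rows (plaintext sample):", exc)
    # With a real DB-API cursor (hypothetical usage, not run here):
    #   cur.execute("SHOW SESSION STATUS LIKE 'Ssl_%'")
    #   require_tls(cur.fetchall())   # raises before any query carries data
```

The point of `require_tls` is that it is a post-connect guard: run it immediately after the handshake, before the application issues any query, so a silent fallback to cleartext is caught by the client itself rather than discovered later from a captured session.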
Thread
How to use SSL? (SSL is enabled but not used) - Yves Goergen, 26 Jul
  • Re: How to use SSL? (SSL is enabled but not used) - Yves Goergen, 9 Aug
    • Re: How to use SSL? (SSL is enabled but not used) - MySQL), 11 Aug
      • Re: How to use SSL? (SSL is enabled but not used) - Anders Kaseorg, 18 Aug
        • Re: How to use SSL? (SSL is enabled but not used) - Yves Goergen, 18 Aug
          • Re: How to use SSL? (SSL is enabled but not used) - Anders Kaseorg, 18 Aug
          • Re: How to use SSL? (SSL is enabled but not used) - MySQL), 18 Aug
        • Re: How to use SSL? (SSL is enabled but not used) - MySQL), 18 Aug
          • Re: How to use SSL? (SSL is enabled but not used) - Anders Kaseorg, 18 Aug
            • Re: How to use SSL? (SSL is enabled but not used) - MySQL), 18 Aug
              • Re: How to use SSL? (SSL is enabled but not used) - Mark Matthews, 18 Aug
                • Re: How to use SSL? (SSL is enabled but not used) - Yves Goergen, 18 Aug