List: General Discussion
From: Shawn Green (MySQL)
Date: August 18 2010 6:34pm
Subject: Re: How to use SSL? (SSL is enabled but not used)

On 8/18/2010 2:22 PM, Anders Kaseorg wrote:
> On Wed, 18 Aug 2010, Shawn Green (MySQL) wrote:
>> If the server specifies REQUIRES SSL then that client cannot connect 
>> without going through the full SSL validation process. This means that 
>> Mallory would need to present the same security credentials that Alice 
>> has in order to qualify as a secure user (the same certs, same password, 
>> login from the correct host, etc).
> 
> Mallory got the username and hashed password from Alice over the 
> unencrypted connection, and we assume that Mallory, like any good MITM, 
> has the ability to intercept and forge traffic for arbitrary hosts.  So 
> this attack goes through against anyone using passwords over SSL.  This 
> already constitutes a vulnerability.
> 
> Setting up client certificates does help to prevent this form of attack 
> where Mallory tries to issue evil commands to Bob.  It does not, however, 
> prevent the attack where Mallory ignores Bob, and uses only the 
> unencrypted connection to steal data from Alice or poison her with false 
> data.  This also constitutes a vulnerability, which, as far as I can see, 
> cannot be prevented in any way with the current MySQL software.
> 
>> Your redirect has pointed out to me what I missed in Yves's first post. 
>> In order for the client to require an SSL connection, you have to 
>> designate a certificate for it to use for the connection.
> 
> No, that doesn’t work either!  Against a server with SSL disabled:
> 
> $ mysql --ssl --ssl-verify-server-cert \
>     --ssl-ca=/etc/ssl/certs/ca-certificates.crt \
>     --ssl-cert=Private/andersk.pem \
>     --ssl-key=Private/andersk.pem \
>     -h MY-SERVER
> Welcome to the MySQL monitor.  Commands end with ; or \g.
> …
> mysql> \s
> --------------
> mysql  Ver 14.14 Distrib 5.1.49, for debian-linux-gnu (x86_64) using readline 6.1
> …
> SSL:			Not in use
> 
>> From the same page but a few lines above the line he quoted
>> ##
>> This option is not sufficient in itself to cause an SSL connection to be used.
>> You must also specify the --ssl-ca option, and possibly the --ssl-cert and
>> --ssl-key options.
>> ##
> 
> This documentation appears to be wrong.
> 
> Anders

Excellent logic.

I have updated bug #3138 with a private comment to explain your 
presentation of the vulnerability.
http://bugs.mysql.com/bug.php?id=3138

-- 
Shawn Green
MySQL Principal Technical Support Engineer
Oracle USA, Inc.
Office: Blountville, TN
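The practical consequence of Anders's demonstration is that, with the 5.1 client, passing `--ssl`, `--ssl-ca`, `--ssl-cert` and `--ssl-key` does not guarantee an encrypted session: the client silently falls back to plaintext, and the only reliable confirmation is to ask the server after connecting (which is what `\s` does). The following is an added example, not code from the thread or from MySQL itself; it refuses to proceed unless the server reports a non-empty `Ssl_cipher` for the current session, and also parses the `SSL:` line of the client's `\s` output. The helper names (`require_ssl`, `FakeConnection`) and the sample status rows are assumptions constructed for this example so that it runs offline.

```python
"""Post-connect check that a MySQL session is actually encrypted.

Hypothetical helper, not from the mailing-list thread. require_ssl()
works with any DB-API style connection object (for example the ones
returned by mysql-connector or PyMySQL) that exposes
cursor().execute()/fetchall(); a constructed fake connection is used
below so the module runs without a server.
"""


class SslNotInUse(RuntimeError):
    """Raised when the server reports that the session is unencrypted."""


def ssl_in_use_from_status(rows):
    """Interpret rows returned by SHOW STATUS LIKE 'Ssl_%'.

    rows: iterable of (Variable_name, Value) tuples.
    Returns True only if Ssl_cipher is non-empty, which is how the
    server indicates that the current session is encrypted.
    """
    status = {name: value for name, value in rows}
    return bool(status.get("Ssl_cipher", "").strip())


def ssl_in_use_from_cli_status(text):
    """Parse the output of the mysql client's \\s command.

    Returns True if the 'SSL:' line names a cipher, False if it says
    'Not in use', and None if no SSL line was found at all.
    """
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "SSL":
            value = value.strip()
            return value != "" and not value.lower().startswith("not in use")
    return None


def require_ssl(conn):
    """Query the live session and raise unless it is encrypted.

    Returns the Ssl_* status variables as a dict on success.
    """
    cur = conn.cursor()
    try:
        cur.execute("SHOW STATUS LIKE 'Ssl_%'")
        rows = cur.fetchall()
    finally:
        cur.close()
    if not ssl_in_use_from_status(rows):
        raise SslNotInUse("connected without SSL; refusing to proceed")
    return dict(rows)


def check(conn):
    """True if the connection is encrypted, False if it would be refused."""
    try:
        require_ssl(conn)
        return True
    except SslNotInUse:
        return False


# --- constructed fake connection for offline demonstration -------------
class _FakeCursor:
    def __init__(self, rows):
        self._rows = rows

    def execute(self, sql):
        assert sql.startswith("SHOW STATUS")

    def fetchall(self):
        return list(self._rows)

    def close(self):
        pass


class FakeConnection:
    """Mimics the cursor() interface of a DB-API connection (constructed)."""

    def __init__(self, rows):
        self._rows = rows

    def cursor(self):
        return _FakeCursor(self._rows)


# Constructed samples of what a server reports in each case.
ENCRYPTED_ROWS = [("Ssl_cipher", "DHE-RSA-AES256-SHA"), ("Ssl_version", "TLSv1")]
PLAINTEXT_ROWS = [("Ssl_cipher", ""), ("Ssl_version", "")]

# Constructed excerpts resembling the client's \s output quoted in the thread.
CLI_STATUS_PLAINTEXT = "Server version:\t5.1.49\nSSL:\t\t\tNot in use\n"
CLI_STATUS_ENCRYPTED = "SSL:\t\t\tCipher in use is DHE-RSA-AES256-SHA\n"


if __name__ == "__main__":
    print("encrypted session accepted:", check(FakeConnection(ENCRYPTED_ROWS)))
    print("plaintext session accepted:", check(FakeConnection(PLAINTEXT_ROWS)))
```

Against a real server the connection object from the driver is passed in place of `FakeConnection`; the check should run immediately after connecting and before any query that carries credentials or data. Later MySQL clients added `--ssl-mode=REQUIRED` (and `VERIFY_CA` / `VERIFY_IDENTITY`) so that the client itself refuses a plaintext fallback; with the 5.1 client quoted in this thread, a post-connect check of this kind is the mitigation available.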