From: Mark Matthews
Date: August 18 2010 6:42pm
Subject: Re: How to use SSL? (SSL is enabled but not used)
On Aug 18, 2010, at 1:34 PM, Shawn Green (MySQL) wrote:

> On 8/18/2010 2:22 PM, Anders Kaseorg wrote:
>> On Wed, 18 Aug 2010, Shawn Green (MySQL) wrote:
>>> If the server specifies REQUIRES SSL then that client cannot connect without
>>> going through the full SSL validation process. This means that Mallory would need to
>>> present the same security credentials that Alice has in order to qualify as a secure user
>>> (the same certs, same password, login from the correct host, etc).
>> Mallory got the username and hashed password from Alice over the unencrypted
>> connection, and we assume that Mallory, like any good MITM, has the ability to intercept
>> and forge traffic for arbitrary hosts.  So this attack goes through against anyone using
>> passwords over SSL.  This already constitutes a vulnerability.
>> Setting up client certificates does help to prevent this form of attack where
>> Mallory tries to issue evil commands to Bob.  It does not, however, prevent the attack
>> where Mallory ignores Bob, and uses only the unencrypted connection to steal data from
>> Alice or poison her with false data.  This also constitutes a vulnerability, which, as far
>> as I can see, cannot be prevented in any way with the current MySQL software.
>>> Your redirect has pointed out to me what I missed in Yves's first post. In
>>> order for the client to require an SSL connection, you have to designate a certificate for
>>> it to use for the connection.
>> No, that doesn’t work either!  Against a server with SSL disabled:
>> $ mysql --ssl --ssl-verify-server-cert \
>>    --ssl-ca=/etc/ssl/certs/ca-certificates.crt \
>>    --ssl-cert=Private/andersk.pem \
>>    --ssl-key=Private/andersk.pem \
>>    -h MY-SERVER
>> Welcome to the MySQL monitor.  Commands end with ; or \g.
>> …
>> mysql> \s
>> --------------
>> mysql  Ver 14.14 Distrib 5.1.49, for debian-linux-gnu (x86_64) using readline 6.1
>> …
>> SSL:			Not in use
>>> From the same page but a few lines above the line he quoted
>>> ##
>>> This option is not sufficient in itself to cause an SSL connection to be used.
>>> You must also specify the --ssl-ca option, and possibly the --ssl-cert and
>>> --ssl-key options.
>>> ##
>> This documentation appears to be wrong.
>> Anders
> 
> Excellent logic.
> 
> I have updated bug #3138 with a private comment to explain your presentation of the
> vulnerability.
> http://bugs.mysql.com/bug.php?id=3138

Shawn, Anders, Yves,

For what it's worth, the MySQL JDBC driver has had client-side SSL require (i.e.
"requireSSL=true") since 2003 and the ADO.Net driver has had "SSL Mode=Required" since
2009.

	-Mark
-- 
Mark Matthews
Principal Software Developer -  MySQL Enterprise Tools
Oracle
http://www.mysql.com/products/enterprise/monitor.html
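Added example, not from the thread or from any MySQL driver: since the client-side --ssl option shown above is only advisory, an application can at least confirm after connecting that the session really negotiated TLS, using the real server status variable Ssl_cipher (empty string when the session is plaintext), and drop the connection before issuing any query if it did not. The check assumes a DB-API 2.0 style connection object (cursor/execute/fetchone), and a constructed FakeConnection stands in for a real driver so it runs offline. As Anders points out, the handshake has already completed by the time this runs, so it limits what a downgraded session can be used for rather than preventing the downgrade itself.

```python
"""Post-connect check that a MySQL session actually negotiated TLS."""


class InsecureConnection(Exception):
    """Raised when the server reports that the session is not encrypted."""


def ssl_in_use(status_row):
    """Interpret one row of SHOW SESSION STATUS LIKE 'Ssl_cipher'.

    MySQL returns ('Ssl_cipher', '') for a plaintext session and the
    negotiated cipher name for a TLS session. A missing row counts as
    not encrypted, never as encrypted.
    """
    if status_row is None or len(status_row) < 2:
        return False
    name, value = status_row[0], status_row[1]
    return str(name).lower() == "ssl_cipher" and bool(value and str(value).strip())


def require_ssl(conn):
    """Abort (and close the connection) unless the session is encrypted.

    Call this right after connecting, before any application query.
    Returns the cipher name on success. Assumes a DB-API style connection.
    """
    cur = conn.cursor()
    try:
        cur.execute("SHOW SESSION STATUS LIKE 'Ssl_cipher'")
        row = cur.fetchone()
    finally:
        cur.close()
    if not ssl_in_use(row):
        conn.close()  # do not reuse a plaintext session for anything
        raise InsecureConnection("TLS requested but session is plaintext")
    return row[1]


class FakeConnection:
    """Constructed stand-in for a driver connection (no network needed)."""

    def __init__(self, cipher):
        self._cipher, self.closed = cipher, False

    def cursor(self):
        outer = self

        class Cursor:
            def execute(self, stmt): self.stmt = stmt
            def fetchone(self): return ("Ssl_cipher", outer._cipher)
            def close(self): pass
        return Cursor()

    def close(self):
        self.closed = True
```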