Hi, Vicențiu! On May 17, Vicențiu Ciorbaru wrote:
> Hi Sergei!
> I've done some work on this issue. I've read MySQL's implementation of this and have looked at our implementation. They have done a bit of refactoring, introducing an enforce_ssl flag, as well as changing the C interface a bit, to allow setting this flag programmatically.
I didn't check what they did. Do you, perhaps, have links to MySQL commits?
> There are two more things that I'm not sure of:
> 1. Specifying --ssl as a command line parameter to the mysql client is not enough to enforce ssl and the client's code in this case just ignores the option. We need to provide at least one of the additional ones like --ssl-key or --ssl-ca. My patch will not cause the client to report an error in this case. Is this acceptable behaviour or not?
Up to you. I agree that this behavior is confusing.
> 2. Do we want mysql's enforce_ssl feature?
With your patch we don't need it, do we?

=====================

A related thought.... Even if you enforce SSL, you still cannot be sure that there is no MITM. You can be connected to an SSL proxy that decrypts your data, modifies them, if needed, and then sends (over SSL) to the server. To know that you connect to the actual MariaDB server, you need to check the certificate, the mere fact of SSL encryption is not enough. Right?

And if you check the SSL certificate, then there is no need to "enforce SSL", because you won't connect if you won't see the correct certificate anyway.

If I'm right it means that enforcing SSL isn't very useful. Those who care about their connection security, they check certificates. Those who don't do that - they get a false sense of security by "enforcing SSL". Is that so?

If yes, it means the efforts should be not simply to "enforce SSL", but to have a good certificate verification check (I don't know if the existing one is good enough) and to double-check that if CLIENT_SSL_VERIFY_SERVER_CERT flag is used, then we never connect without verifying the certificate (I think without SSL the verification is simply skipped now).

Regards,
Sergei
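The argument in the thread above, as an added example that is not part of the original mail or of the MariaDB/MySQL client code: a small model of the two client options (an "enforce SSL" flag and a "verify server certificate" flag, hypothetical stand-ins for --ssl and CLIENT_SSL_VERIFY_SERVER_CERT) run against three constructed peers: the real server, a decrypting TLS proxy presenting its own certificate, and a plaintext downgrade. `connect_current` models the behaviour Sergei suspects (verification only happens once TLS is negotiated); `connect_hardened` models the rule he asks for (verification implies TLS and requires a CA). The option names, `Peer`, and the scenario data are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ClientOptions:
    """Client-side settings. Names are hypothetical stand-ins for the mysql
    client's --ssl / enforce flag and for CLIENT_SSL_VERIFY_SERVER_CERT."""
    enforce_ssl: bool = False
    verify_server_cert: bool = False
    ca_file: Optional[str] = None   # what --ssl-ca would point at (never opened here)


@dataclass(frozen=True)
class Peer:
    """What is actually at the far end of the TCP connection (constructed)."""
    name: str
    offers_tls: bool
    cert_trusted: bool   # chains to the client's CA and names the expected host


# Constructed scenarios: the real server, a decrypting TLS proxy that re-encrypts
# towards the real server, and a plaintext downgrade.
PEERS = (
    Peer("real server", offers_tls=True, cert_trusted=True),
    Peer("MITM TLS proxy", offers_tls=True, cert_trusted=False),
    Peer("plaintext downgrade", offers_tls=False, cert_trusted=False),
)


def connect_current(opts: ClientOptions, peer: Peer) -> Tuple[str, str]:
    """Suspected current behaviour: the certificate check only runs after TLS
    has been negotiated, so a plaintext connection silently skips it."""
    if not peer.offers_tls:
        if opts.enforce_ssl:
            return ("refused", "no TLS offered")
        return ("connected", "plaintext, certificate check skipped")
    if opts.verify_server_cert and not peer.cert_trusted:
        return ("refused", "certificate not trusted")
    return ("connected", "TLS, peer verified" if opts.verify_server_cert
            else "TLS, peer NOT verified")


def connect_hardened(opts: ClientOptions, peer: Peer) -> Tuple[str, str]:
    """Requested rule: verification implies TLS and needs a configured CA.
    Once verify_server_cert is set, enforce_ssl adds nothing."""
    if opts.verify_server_cert and opts.ca_file is None:
        return ("refused", "verification requested but no CA configured")
    if (opts.verify_server_cert or opts.enforce_ssl) and not peer.offers_tls:
        return ("refused", "no TLS offered")
    if opts.verify_server_cert and not peer.cert_trusted:
        return ("refused", "certificate not trusted")
    if not peer.offers_tls:
        return ("connected", "plaintext, certificate check skipped")
    return ("connected", "TLS, peer verified" if opts.verify_server_cert
            else "TLS, peer NOT verified")


def outcomes(opts: ClientOptions, policy=connect_hardened) -> dict:
    """Run one option set against every constructed peer."""
    return {p.name: policy(opts, p) for p in PEERS}


if __name__ == "__main__":
    enforce_only = ClientOptions(enforce_ssl=True)
    verify = ClientOptions(verify_server_cert=True, ca_file="ca.pem")
    for label, opts in (("enforce only", enforce_only), ("verify cert", verify)):
        for policy in (connect_current, connect_hardened):
            print(label, policy.__name__)
            for name, (verdict, why) in outcomes(opts, policy).items():
                print(f"  {name:20} {verdict:9} {why}")
```

Running it shows the two points of the thread side by side: "enforce only" connects happily to the MITM TLS proxy under either policy (the false sense of security), while "verify cert" refuses the proxy under both, and only the hardened rule also refuses the plaintext downgrade instead of skipping the check.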