[Maria-developers] MDEV-7937: Enforce SSL when --ssl client option is used
Hi Sergei!

I've done some work on this issue. I've read MySQL's implementation of this and have looked at our implementation. They have done a bit of refactoring, introducing an enforce_ssl flag, as well as changing the C interface a bit, to allow setting this flag programmatically.

I've created a patch here that changes the minimum amount possible, in order to implement what MDEV-7937 requires. That being said, I agree with (most of) MySQL's refactoring in this case. They've moved all the SSL related connection code into its own separate function, before actually calling send_client_reply_packet. I can work towards implementing things the way MySQL does, but since I saw that you've actually done most of the work in that area of the code, I figured I'd ask for your input on it.

There are two more things that I'm not sure of:

1. Specifying --ssl as a command line parameter to the mysql client is not enough to enforce ssl and the client's code in this case just ignores the option. We need to provide at least one of the additional ones like --ssl-key or --ssl-ca. My patch will not cause the client to report an error in this case. Is this acceptable behaviour or not?

2. Do we want mysql's enforce_ssl feature?

Regards,
Vicențiu
Hi, Vicențiu!

On May 17, Vicențiu Ciorbaru wrote:
> Hi Sergei!
>
> I've done some work on this issue. I've read MySQL's implementation of this and have looked at our implementation. They have done a bit of refactoring, introducing an enforce_ssl flag, as well as changing the C interface a bit, to allow setting this flag programmatically.
I didn't check what they did. Do you, perhaps, have links to MySQL commits?
> There are two more things that I'm not sure of:
>
> 1. Specifying --ssl as a command line parameter to the mysql client is not enough to enforce ssl and the client's code in this case just ignores the option. We need to provide at least one of the additional ones like --ssl-key or --ssl-ca. My patch will not cause the client to report an error in this case. Is this acceptable behaviour or not?
Up to you. I agree that this behavior is confusing.
> 2. Do we want mysql's enforce_ssl feature?
With your patch we don't need it, do we?

=====================

A related thought....

Even if you enforce SSL, you still cannot be sure that there is no MITM. You can be connected to an SSL proxy that decrypts your data, modifies them, if needed, and then sends (over SSL) to the server. To know that you connect to the actual MariaDB server, you need to check the certificate; the mere fact of SSL encryption is not enough. Right?

And if you check the SSL certificate, then there is no need to "enforce SSL", because you won't connect if you won't see the correct certificate anyway.

If I'm right it means that enforcing SSL isn't very useful. Those who care about their connection security, they check certificates. Those who don't do that - they get a false sense of security by "enforcing SSL". Is that so?

If yes, it means the efforts should be not simply to "enforce SSL", but to have a good certificate verification check (I don't know if the existing one is good enough) and to double-check that if CLIENT_SSL_VERIFY_SERVER_CERT flag is used, then we never connect without verifying the certificate (I think without SSL the verification is simply skipped now).

Regards,
Sergei
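The distinction Sergei draws above (an encrypted channel versus a verified server identity, and the rule that a verify-server-cert request must never silently fall back to an unverified connection) can be made concrete with Python's ssl module. The following is an added example and is not code from the MariaDB client or from either poster; the option names mirror --ssl, --ssl-ca and --ssl-verify-server-cert, the CLIENT_SSL capability bit is the protocol's 2048 flag, but the decide() function and the Decision/ClientOptions types are a hypothetical model of the client-side choice, not MariaDB's implementation.

```python
import ssl
from dataclasses import dataclass
from typing import Optional

# CLIENT_SSL capability bit the server advertises in its handshake (0x0800).
CLIENT_SSL = 0x0800


@dataclass
class ClientOptions:
    """Subset of mysql client options relevant to the thread (model only)."""
    ssl: bool = False                   # --ssl: require an encrypted connection
    ssl_ca: Optional[str] = None        # --ssl-ca: CA bundle used to verify the chain
    verify_server_cert: bool = False    # --ssl-verify-server-cert: also check hostname


@dataclass
class Decision:
    connect: bool                       # would the client proceed at all?
    encrypted: bool                     # is the channel encrypted?
    authenticated: bool                 # is the server's identity verified?
    context: Optional[ssl.SSLContext]   # TLS context the model would hand to wrap_socket
    reason: str


def decide(opts: ClientOptions, server_caps: int) -> Decision:
    """Hypothetical client logic: decide how to connect given the options
    and the capability flags the server advertised in its handshake."""
    wants_tls = opts.ssl or opts.ssl_ca is not None or opts.verify_server_cert
    if not wants_tls:
        return Decision(True, False, False, None, "plaintext: no SSL option given")

    # Enforcement (the MDEV-7937 point): once any SSL option is set, never
    # fall back to plaintext when the server does not offer CLIENT_SSL. This
    # also covers Sergei's last point: verify_server_cert without SSL must
    # refuse, not skip the verification.
    if not server_caps & CLIENT_SSL:
        return Decision(False, False, False, None,
                        "refused: SSL requested but server does not support it")

    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED + hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    verify_chain = opts.ssl_ca is not None or opts.verify_server_cert
    if verify_chain:
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = opts.verify_server_cert
        if opts.ssl_ca is not None:
            ctx.load_verify_locations(cafile=opts.ssl_ca)
        else:
            ctx.load_default_certs()    # system trust store (a model choice)
        return Decision(True, True, True, ctx, "encrypted and server verified")

    # "Enforce SSL" alone: the bytes are encrypted, but any certificate is
    # accepted, so a TLS-terminating proxy in the path goes unnoticed.
    # check_hostname must be cleared before verify_mode can become CERT_NONE.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return Decision(True, True, False, ctx, "encrypted only: certificate not verified")


if __name__ == "__main__":
    cases = [
        ("no options, server has SSL", ClientOptions(), CLIENT_SSL),
        ("--ssl, server lacks SSL", ClientOptions(ssl=True), 0),
        ("--ssl, server has SSL", ClientOptions(ssl=True), CLIENT_SSL),
        ("--ssl-verify-server-cert, server lacks SSL",
         ClientOptions(verify_server_cert=True), 0),
        ("--ssl-verify-server-cert, server has SSL",
         ClientOptions(verify_server_cert=True), CLIENT_SSL),
    ]
    for label, opts, caps in cases:
        d = decide(opts, caps)
        print(f"{label:45} connect={d.connect} encrypted={d.encrypted} "
              f"authenticated={d.authenticated}  ({d.reason})")
```

The third case is the one the thread is about: with --ssl alone the model connects and encrypts, yet authenticated stays False because the context accepts any certificate. Only the --ssl-ca / --ssl-verify-server-cert path yields a context that rejects an unexpected certificate, which is why certificate verification, not bare enforcement, is what rules out the proxy scenario.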