On 8/18/2010 2:22 PM, Anders Kaseorg wrote:
On Wed, 18 Aug 2010, Shawn Green (MySQL) wrote:
If the server specifies REQUIRES SSL then that client cannot connect
without going through the full SSL validation process. This means that
Mallory would need to present the same security credentials that Alice
has in order to qualify as a secure user (the same certs, same password,
login from the correct host, etc).
Mallory got the username and hashed password from Alice over the
unencrypted connection, and we assume that Mallory, like any good MITM,
has the ability to intercept and forge traffic for arbitrary hosts. So
this attack goes through against anyone using passwords over SSL. This
already constitutes a vulnerability.
Setting up client certificates does help to prevent this form of attack
where Mallory tries to issue evil commands to Bob. It does not, however,
prevent the attack where Mallory ignores Bob, and uses only the
unencrypted connection to steal data from Alice or poison her with false
data. This also constitutes a vulnerability, which, as far as I can see,
cannot be prevented in any way with the current MySQL software.
Your redirect has pointed out to me what I missed in Yves's first post.
In order for the client to require an SSL connection, you have to
designate a certificate for it to use for the connection.
No, that doesn’t work either! Against a server with SSL disabled:
$ mysql --ssl --ssl-verify-server-cert \
--ssl-ca=/etc/ssl/certs/ca-certificates.crt \
--ssl-cert=Private/andersk.pem \
--ssl-key=Private/andersk.pem \
-h MY-SERVER
Welcome to the MySQL monitor. Commands end with ; or \g.
…
mysql> \s
--------------
mysql Ver 14.14 Distrib 5.1.49, for debian-linux-gnu (x86_64) using readline
6.1
…
SSL: Not in use
From the same page but a few lines above the line he quoted
##
This option is not sufficient in itself to cause an SSL connection to be used.
You must also specify the --ssl-ca option, and possibly the --ssl-cert and
--ssl-key options.
##
This documentation appears to be wrong.
Anders
Excellent logic.
I have updated bug #3138 with a private comment to explain your
presentation of the vulnerability.
http://bugs.mysql.com/bug.php?id=3138
--
Shawn Green
MySQL Principal Technical Support Engineer
Oracle USA, Inc.
Office: Blountville, TN
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/mysql?unsub=arch...@jab.org