On 8/18/2010 2:22 PM, Anders Kaseorg wrote:
On Wed, 18 Aug 2010, Shawn Green (MySQL) wrote:
If the server specifies REQUIRES SSL then that client cannot connect without going through the full SSL validation process. This means that Mallory would need to present the same security credentials that Alice has in order to qualify as a secure user (the same certs, same password, login from the correct host, etc).

Mallory got the username and hashed password from Alice over the unencrypted connection, and we assume that Mallory, like any good MITM, has the ability to intercept and forge traffic for arbitrary hosts. So this attack goes through against anyone using passwords over SSL. This already constitutes a vulnerability.

Setting up client certificates does help to prevent this form of attack where Mallory tries to issue evil commands to Bob. It does not, however, prevent the attack where Mallory ignores Bob, and uses only the unencrypted connection to steal data from Alice or poison her with false data. This also constitutes a vulnerability, which, as far as I can see, cannot be prevented in any way with the current MySQL software.

Your redirect has pointed out to me what I missed in Yves's first post. In order for the client to require an SSL connection, you have to designate a certificate for it to use for the connection.

No, that doesn’t work either!  Against a server with SSL disabled:

$ mysql --ssl --ssl-verify-server-cert \
    --ssl-ca=/etc/ssl/certs/ca-certificates.crt \
    --ssl-cert=Private/andersk.pem \
    --ssl-key=Private/andersk.pem \
    -h MY-SERVER
Welcome to the MySQL monitor.  Commands end with ; or \g.
…
mysql> \s
--------------
mysql  Ver 14.14 Distrib 5.1.49, for debian-linux-gnu (x86_64) using readline 6.1
…
SSL:                    Not in use

From the same page, but a few lines above the line he quoted:
##
This option is not sufficient in itself to cause an SSL connection to be used.
You must also specify the --ssl-ca option, and possibly the --ssl-cert and
--ssl-key options.
##

This documentation appears to be wrong.

Anders

Excellent logic.

I have updated bug #3138 with a private comment to explain your presentation of the vulnerability.
http://bugs.mysql.com/bug.php?id=3138

--
Shawn Green
MySQL Principal Technical Support Engineer
Oracle USA, Inc.
Office: Blountville, TN
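The thread's point is that the 5.1-era client accepts its --ssl options and still connects in the clear when the server has SSL disabled, so the negotiated session state is the only reliable signal. The following is an added example, not code from the thread or from MySQL: `require_encrypted_session` runs `SHOW STATUS LIKE 'Ssl_cipher'` through a DB-API-style cursor (an assumed interface; `FakeCursor` is constructed so the demo runs offline) and refuses to proceed when the value is empty, and `ssl_in_use_from_status_output` parses the `SSL:` line of the client's `\s` output shown above.

```python
import re

class PlaintextSessionError(RuntimeError):
    """A session that was supposed to be SSL-protected is running in the clear."""

def ssl_cipher_from_status_rows(rows):
    """rows: (Variable_name, Value) pairs from SHOW STATUS LIKE 'Ssl_cipher'.
    MySQL reports an empty Value for a plaintext session."""
    for name, value in rows:
        if name.lower() == "ssl_cipher":
            return value or ""
    return ""

def require_encrypted_session(cursor):
    """Call right after connect(), before any query or credential reuse.
    `cursor` is assumed to follow the DB-API execute()/fetchall() shape."""
    cursor.execute("SHOW STATUS LIKE 'Ssl_cipher'")
    cipher = ssl_cipher_from_status_rows(cursor.fetchall())
    if not cipher:
        # The client accepted --ssl but the server negotiated plaintext.
        raise PlaintextSessionError("SSL requested, but the session is not encrypted")
    return cipher

SSL_LINE = re.compile(r"^SSL:\s*(.+?)\s*$", re.MULTILINE)

def ssl_in_use_from_status_output(text):
    """Parse the 'SSL:' line of the mysql client's \\s output.
    Returns True/False, or None when no SSL line is present."""
    match = SSL_LINE.search(text)
    if match is None:
        return None
    return not match.group(1).lower().startswith("not in use")

class FakeCursor:
    """Constructed stand-in for a DB-API cursor so the demo runs offline."""
    def __init__(self, rows):
        self._rows = list(rows)
    def execute(self, sql):
        self.last_sql = sql
    def fetchall(self):
        return self._rows

if __name__ == "__main__":
    # Plaintext fallback, as in the thread: Ssl_cipher is empty -> refuse.
    try:
        require_encrypted_session(FakeCursor([("Ssl_cipher", "")]))
    except PlaintextSessionError as exc:
        print("refused:", exc)
    print(require_encrypted_session(FakeCursor([("Ssl_cipher", "DHE-RSA-AES256-SHA")])))
```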

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/mysql?unsub=arch...@jab.org
