On Aug 18, 2010, at 1:34 PM, Shawn Green (MySQL) wrote: > On 8/18/2010 2:22 PM, Anders Kaseorg wrote: >> On Wed, 18 Aug 2010, Shawn Green (MySQL) wrote: >>> If the server specifies REQUIRES SSL then that client cannot connect >>> without going through the full SSL validation process. This means that >>> Mallory would need to present the same security credentials that Alice has >>> in order to qualify as a secure user (the same certs, same password, login >>> from the correct host, etc). >> Mallory got the username and hashed password from Alice over the unencrypted >> connection, and we assume that Mallory, like any good MITM, has the ability >> to intercept and forge traffic for arbitrary hosts. So this attack goes >> through against anyone using passwords over SSL. This already constitutes a >> vulnerability. >> Setting up client certificates does help to prevent this form of attack >> where Mallory tries to issue evil commands to Bob. It does not, however, >> prevent the attack where Mallory ignores Bob, and uses only the unencrypted >> connection to steal data from Alice or poison her with false data. This >> also constitutes a vulnerability, which, as far as I can see, cannot be >> prevented in any way with the current MySQL software. >>> Your redirect has pointed out to me what I missed in Yves's first post. In >>> order for the client to require an SSL connection, you have to designate a >>> certificate for it to use for the connection. >> No, that doesn’t work either! Against a server with SSL disabled: >> $ mysql --ssl --ssl-verify-server-cert \ >> --ssl-ca=/etc/ssl/certs/ca-certificates.crt \ >> --ssl-cert=Private/andersk.pem \ >> --ssl-key=Private/andersk.pem \ >> -h MY-SERVER >> Welcome to the MySQL monitor. Commands end with ; or \g. >> … >> mysql> \s >> -------------- >> mysql Ver 14.14 Distrib 5.1.49, for debian-linux-gnu (x86_64) using >> readline 6.1 >> … >> SSL: Not in use >>> From the same page but a few lines above the line he quoted >>> ## >>> This option is not sufficient in itself to cause an SSL connection to be >>> used. >>> You must also specify the --ssl-ca option, and possibly the --ssl-cert and >>> --ssl-key options. >>> ## >> This documentation appears to be wrong. >> Anders > > Excellent logic. > > I have updated bug #3138 with a private comment to explain your presentation > of the vulnerability. > http://bugs.mysql.com/bug.php?id=3138
Shawn, Anders, Yves, For what it's worth, the MySQL JDBC driver has had client-side SSL require (i.e. "requireSSL=true") since 2003 and the ADO.Net driver has had "SSL Mode=Required" since 2009. -Mark -- Mark Matthews Principal Software Developer - MySQL Enterprise Tools Oracle http://www.mysql.com/products/enterprise/monitor.html -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe: http://lists.mysql.com/mysql?unsub=arch...@jab.org