On Aug 18, 2010, at 1:34 PM, Shawn Green (MySQL) wrote:
> On 8/18/2010 2:22 PM, Anders Kaseorg wrote:
>> On Wed, 18 Aug 2010, Shawn Green (MySQL) wrote:
>>> If the server specifies REQUIRES SSL then that client cannot connect
>>> without going through the full SSL validation process. This means that
>>> Mallory would need to present the same security credentials that Alice has
>>> in order to qualify as a secure user (the same certs, same password, login
>>> from the correct host, etc).
>> Mallory got the username and hashed password from Alice over the unencrypted
>> connection, and we assume that Mallory, like any good MITM, has the ability
>> to intercept and forge traffic for arbitrary hosts. So this attack goes
>> through against anyone using passwords over SSL. This already constitutes a
>> vulnerability.
>> Setting up client certificates does help to prevent this form of attack
>> where Mallory tries to issue evil commands to Bob. It does not, however,
>> prevent the attack where Mallory ignores Bob, and uses only the unencrypted
>> connection to steal data from Alice or poison her with false data. This
>> also constitutes a vulnerability, which, as far as I can see, cannot be
>> prevented in any way with the current MySQL software.
>>> Your redirect has pointed out to me what I missed in Yves's first post. In
>>> order for the client to require an SSL connection, you have to designate a
>>> certificate for it to use for the connection.
>> No, that doesn’t work either! Against a server with SSL disabled:
>> $ mysql --ssl --ssl-verify-server-cert \
>> --ssl-ca=/etc/ssl/certs/ca-certificates.crt \
>> --ssl-cert=Private/andersk.pem \
>> --ssl-key=Private/andersk.pem \
>> -h MY-SERVER
>> Welcome to the MySQL monitor. Commands end with ; or \g.
>> …
>> mysql> \s
>> --------------
>> mysql Ver 14.14 Distrib 5.1.49, for debian-linux-gnu (x86_64) using
>> readline 6.1
>> …
>> SSL: Not in use
>>> From the same page but a few lines above the line he quoted
>>> ##
>>> This option is not sufficient in itself to cause an SSL connection to be
>>> used.
>>> You must also specify the --ssl-ca option, and possibly the --ssl-cert and
>>> --ssl-key options.
>>> ##
>> This documentation appears to be wrong.
>> Anders
>
> Excellent logic.
>
> I have updated bug #3138 with a private comment to explain your presentation
> of the vulnerability.
> http://bugs.mysql.com/bug.php?id=3138
Shawn, Anders, Yves,
For what it's worth, the MySQL JDBC driver has had client-side SSL require
(i.e. "requireSSL=true") since 2003 and the ADO.Net driver has had "SSL
Mode=Required" since 2009.
-Mark
--
Mark Matthews
Principal Software Developer - MySQL Enterprise Tools
Oracle
http://www.mysql.com/products/enterprise/monitor.html
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[email protected]
