>Description:
I configured mysql to check for the subject and issuer of a client's cert.
It seems that mysql can check the issuer of a cert but does not verify if
the cert was really signed by a CA that is known to the server. I could
generate a second client cert from the same key but another, totally faked
CA (but with the same strings) and it was accepted, too. "openssl verify"
does discover such attacks!

>How-To-Repeat:
Configure and test SSL. Now generate a second CA. Then sign one of the
client keys with the second CA, which happens to have the same strings
(i.e. O=, CN=, OU=) but of course has another secret key. Try the old and
the new client key; they both work!

  $ mysql -umy --ssl-key=my-key.pem --ssl-cert=fakemy-cert.pem
  $ mysql -umy --ssl-key=my-key.pem --ssl-cert=my-cert.pem

My mysqld setup:

  [mysqld]
  ssl-ca=/etc/mysql/cacert.pem
  ssl-cert=/etc/mysql/server-cert.pem
  ssl-key=/etc/mysql/server-key.pem

MySQL should behave like openssl:

  $ openssl verify -CAfile /etc/mysql/cacert.pem my-cert.pem
  my-cert.pem: OK
  $ openssl verify -CAfile /etc/mysql/cacert.pem fakemy-cert.pem
  fakemy-cert.pem: /C=DE/ST=NRW/L=Aachen/[EMAIL PROTECTED]
  error 7 at 0 depth lookup:certificate signature failure

>Fix:
Don't know.

>Submitter-Id: <submitter ID>
>Originator: Christian Hammers
>Organization: Debian Project
>MySQL support: none
>Synopsis: Missing x509 CA verification.
>Severity: serious
>Priority: medium
>Category: mysql
>Class: sw-bug
>Release: mysql-4.0.12 (Source distribution)

>Server:
  /usr/bin/mysqladmin  Ver 8.40 Distrib 4.0.12, for pc-linux-gnu on i686
  Copyright (C) 2000 MySQL AB & MySQL Finland AB & TCX DataKonsult AB
  This software comes with ABSOLUTELY NO WARRANTY. This is free software,
  and you are welcome to modify and redistribute it under the GPL license

  Server version          4.0.12-log
  Protocol version        10
  Connection              Localhost via UNIX socket
  UNIX socket             /var/run/mysqld/mysqld.sock
  Uptime:                 2 min 35 sec

  Threads: 1  Questions: 9  Slow queries: 0  Opens: 6  Flush tables: 1
  Open tables: 0  Queries per second avg: 0.058

>C compiler:   gcc (GCC) 3.2.3 20030316 (Debian prerelease)
>C++ compiler: c++ (GCC) 3.2.3 20030316 (Debian prerelease)

>Environment:
  System: Linux app109 2.4.20 #2 Tue Feb 25 20:11:12 CET 2003 i686 unknown unknown GNU/Linux
  Architecture: i686

  Some paths: /usr/bin/perl /usr/bin/make /usr/local/bin/gmake /usr/bin/gcc /usr/bin/cc

  GCC: Reading specs from /usr/lib/gcc-lib/i386-linux/3.2.3/specs
  Configured with: ../src/configure -v --enable-languages=c,c++,java,f77,proto,pascal,objc,ada --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-gxx-include-dir=/usr/include/c++/3.2 --enable-shared --with-system-zlib --enable-nls --without-included-gettext --enable-__cxa_atexit --enable-clocale=gnu --enable-java-gc=boehm --enable-objc-gc i386-linux
  Thread model: posix
  gcc version 3.2.3 20030316 (Debian prerelease)

  Compilation info: CC='gcc' CFLAGS='' CXX='c++' CXXFLAGS='' LDFLAGS='' ASFLAGS=''

  LIBC:
  lrwxrwxrwx 1 root root      13 2003-03-25 21:47 /lib/libc.so.6 -> libc-2.3.1.so
  -rwxr-xr-x 1 root root 1104040 2003-03-21 17:19 /lib/libc-2.3.1.so
  -rw-r--r-- 1 root root 2338008 2003-03-21 17:19 /usr/lib/libc.a
  -rw-r--r-- 1 root root     178 2003-03-21 17:19 /usr/lib/libc.so
  -rw-r--r-- 1 root root  716080 2002-01-13 21:06 /usr/lib/libc-client.so.2001

  Configure command: ./configure --prefix=/usr --exec-prefix=/usr --libexecdir=/usr/sbin --datadir=/usr/share --sysconfdir=/etc/mysql --localstatedir=/var/lib/mysql --includedir=/usr/include --infodir=/usr/share/info --mandir=/usr/share/man --enable-shared --enable-static --enable-thread-safe-client --enable-assembler --enable-local-infile --with-raid --with-unix-socket-path=/var/run/mysqld/mysqld.sock --with-mysqld-user=mysql --with-libwrap --with-client-ldflags=-lstdc++ --with-embedded-server --with-vio --with-openssl --without-docs --without-bench --without-readline --with-extra-charsets=all --with-berkeley-db --with-innodb

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/[EMAIL PROTECTED]
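The scenario in the report, reproduced end to end with the openssl command line as an added example (this script is not part of the report or of MySQL): two self-signed CAs are generated with an identical subject DN but different private keys, the same client key is certified by each, and the two resulting certificates are then run through a string-only issuer comparison (the weak check the report describes) and through `openssl verify`. The DNs, file names and the temporary directory are assumptions made for the demo; nothing here touches a running mysqld.

```shell
#!/bin/sh
# Added example: a CA-signature check versus an issuer-string check.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Assumed DNs: both CAs share this subject, the client cert carries the second.
CA_SUBJ="/C=DE/ST=NRW/L=Aachen/O=Example/CN=Example CA"
CLIENT_SUBJ="/C=DE/ST=NRW/L=Aachen/O=Example/CN=my"

# make_ca NAME: self-signed CA with the shared subject but its own private key
make_ca() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 365 \
        -subj "$CA_SUBJ" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# sign_client CA OUT: certify the single client key with the named CA
sign_client() {
    openssl x509 -req -days 365 -in "$WORK/client.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2" 2>/dev/null
}

# setup: trusted CA "ca", forged CA "fakeca", one client key, two certificates
setup() {
    make_ca ca
    make_ca fakeca
    openssl req -new -nodes -newkey rsa:2048 -subj "$CLIENT_SUBJ" \
        -keyout "$WORK/my-key.pem" -out "$WORK/client.csr" 2>/dev/null
    sign_client ca     my-cert.pem
    sign_client fakeca fakemy-cert.pem
}

# dn CERT FIELD: print the subject or issuer DN of a cert without the "field=" prefix
dn() {
    openssl x509 -in "$WORK/$1" -noout "-$2" | sed 's/^[a-z]*=[ ]*//'
}

# issuer_string CERT: what a string-only check sees (identical for both certs)
issuer_string() {
    dn "$1" issuer
}

# naive_check CERT: accept when the issuer DN equals the trusted CA's subject DN.
# This is the weak check; it cannot tell the forged certificate apart. 0 = accepted.
naive_check() {
    [ "$(dn "$1" issuer)" = "$(dn ca.pem subject)" ]
}

# verify_chain CERT: the correct check, signature verification up to the trusted CA.
# 0 = chain verifies, non-zero = rejected (e.g. "certificate signature failure").
verify_chain() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1" >/dev/null 2>&1
}

setup
for c in my-cert.pem fakemy-cert.pem; do
    printf '%s\n  issuer: %s\n' "$c" "$(issuer_string "$c")"
    if naive_check "$c";  then echo "  issuer-string check: accepted"; else echo "  issuer-string check: rejected"; fi
    if verify_chain "$c"; then echo "  openssl verify:      OK";       else echo "  openssl verify:      FAILED";   fi
done
```

Run it as an ordinary shell script; it needs only `openssl`, `mktemp` and `sed`. Both certificates print the same issuer line and both pass the issuer-string comparison, which is exactly the condition the report describes. Only `verify_chain` rejects `fakemy-cert.pem`, because the signature on it was produced by the forged CA's key and does not verify against the public key in the trusted `ca.pem`. A server that authenticates clients by certificate has to perform this chain verification first and may only then compare the subject or issuer DN against its access rules.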