>Description:
I configured mysql to check for the subject and issuer of a client's
cert. It seems that mysql can check the issuer of a cert but does not
verify whether the cert was really signed by a CA that is known to the
server. I could generate a second client cert from the same key but with
another, totally faked CA (but with the same strings) and it was
accepted, too.
"openssl verify" does discover such attacks!
>How-To-Repeat:
Configure and test SSL. Now generate a second CA. Then sign one of
the client's keys with the second CA, which happens to have the same
strings (i.e. O=, CN=, OU=) but of course has another secret key.
Try the old and new client keys; they both work!
$ mysql -umy --ssl-key=my-key.pem --ssl-cert=fakemy-cert.pem
$ mysql -umy --ssl-key=my-key.pem --ssl-cert=my-cert.pem
My mysqld setup:
[mysqld]
ssl-ca=/etc/mysql/cacert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem
MySQL should behave like openssl:
$ openssl verify -CAfile /etc/mysql/cacert.pem my-cert.pem
my-cert.pem: OK
$ openssl verify -CAfile /etc/mysql/cacert.pem fakemy-cert.pem
fakemy-cert.pem: /C=DE/ST=NRW/L=Aachen/[EMAIL PROTECTED]
error 7 at 0 depth lookup:certificate signature failure
>Fix:
Don't know.
>Submitter-Id: <submitter ID>
>Originator: Christian Hammers
>Organization:
Debian Project
>MySQL support: none
>Synopsis: Missing x509 CA verification.
>Severity: serious
>Priority: medium
>Category: mysql
>Class: sw-bug
>Release: mysql-4.0.12 (Source distribution)
>Server: /usr/bin/mysqladmin Ver 8.40 Distrib 4.0.12, for pc-linux-gnu on i686
Copyright (C) 2000 MySQL AB & MySQL Finland AB & TCX DataKonsult AB
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL license
Server version 4.0.12-log
Protocol version 10
Connection Localhost via UNIX socket
UNIX socket /var/run/mysqld/mysqld.sock
Uptime: 2 min 35 sec
Threads: 1 Questions: 9 Slow queries: 0 Opens: 6 Flush tables: 1 Open tables: 0
Queries per second avg: 0.058
>C compiler: gcc (GCC) 3.2.3 20030316 (Debian prerelease)
>C++ compiler: c++ (GCC) 3.2.3 20030316 (Debian prerelease)
>Environment:
System: Linux app109 2.4.20 #2 Tue Feb 25 20:11:12 CET 2003 i686 unknown unknown
GNU/Linux
Architecture: i686
Some paths: /usr/bin/perl /usr/bin/make /usr/local/bin/gmake /usr/bin/gcc /usr/bin/cc
GCC: Reading specs from /usr/lib/gcc-lib/i386-linux/3.2.3/specs
Configured with: ../src/configure -v
--enable-languages=c,c++,java,f77,proto,pascal,objc,ada --prefix=/usr
--mandir=/usr/share/man --infodir=/usr/share/info
--with-gxx-include-dir=/usr/include/c++/3.2 --enable-shared --with-system-zlib
--enable-nls --without-included-gettext --enable-__cxa_atexit --enable-clocale=gnu
--enable-java-gc=boehm --enable-objc-gc i386-linux
Thread model: posix
gcc version 3.2.3 20030316 (Debian prerelease)
Compilation info: CC='gcc' CFLAGS='' CXX='c++' CXXFLAGS='' LDFLAGS='' ASFLAGS=''
LIBC:
lrwxrwxrwx 1 root root 13 2003-03-25 21:47 /lib/libc.so.6 -> libc-2.3.1.so
-rwxr-xr-x 1 root root 1104040 2003-03-21 17:19 /lib/libc-2.3.1.so
-rw-r--r-- 1 root root 2338008 2003-03-21 17:19 /usr/lib/libc.a
-rw-r--r-- 1 root root 178 2003-03-21 17:19 /usr/lib/libc.so
-rw-r--r-- 1 root root 716080 2002-01-13 21:06 /usr/lib/libc-client.so.2001
Configure command: ./configure --prefix=/usr --exec-prefix=/usr
--libexecdir=/usr/sbin --datadir=/usr/share --sysconfdir=/etc/mysql
--localstatedir=/var/lib/mysql --includedir=/usr/include --infodir=/usr/share/info
--mandir=/usr/share/man --enable-shared --enable-static --enable-thread-safe-client
--enable-assembler --enable-local-infile --with-raid
--with-unix-socket-path=/var/run/mysqld/mysqld.sock --with-mysqld-user=mysql
--with-libwrap --with-client-ldflags=-lstdc++ --with-embedded-server --with-vio
--with-openssl --without-docs --without-bench --without-readline
--with-extra-charsets=all --with-berkeley-db --with-innodb
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
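The two-CA setup from the report above, rebuilt with the openssl CLI alone so it can be reproduced without a mysqld. This is an added example, not code from the original post or from MySQL: it creates a real CA and a fake CA that share identical subject strings but have different keys, signs the same client CSR with both, and then contrasts what an issuer-string comparison sees with what a real chain and signature check (openssl verify) reports. The DNs, file names and the working directory are constructed for this demonstration; only the openssl binary is assumed.

```shell
#!/bin/sh
# Added example: rebuild the two-CA setup from the report with the openssl CLI
# alone and show why comparing issuer strings is not a chain check.
# All DNs, file names and paths below are constructed for this demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Both CAs carry identical subject strings (C=, O=, CN=, ...); only the key differs.
CA_DN="/C=DE/ST=NRW/L=Aachen/O=Example Org/CN=Example CA"
CLIENT_DN="/C=DE/ST=NRW/L=Aachen/O=Example Org/CN=my"

# Real CA: the one a server would list under ssl-ca.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$CA_DN" \
    -keyout "$WORK/ca-key.pem" -out "$WORK/cacert.pem" 2>/dev/null
# Fake CA: same strings, a fresh and unrelated private key.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$CA_DN" \
    -keyout "$WORK/fakeca-key.pem" -out "$WORK/fakecacert.pem" 2>/dev/null

# One client key and CSR, as in the report (my-key.pem is reused for both certs).
openssl req -newkey rsa:2048 -nodes -subj "$CLIENT_DN" \
    -keyout "$WORK/my-key.pem" -out "$WORK/my.csr" 2>/dev/null

# Sign the same CSR once with each CA.
openssl x509 -req -days 1 -set_serial 1 -in "$WORK/my.csr" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/ca-key.pem" -out "$WORK/my-cert.pem" 2>/dev/null
openssl x509 -req -days 1 -set_serial 2 -in "$WORK/my.csr" \
    -CA "$WORK/fakecacert.pem" -CAkey "$WORK/fakeca-key.pem" -out "$WORK/fakemy-cert.pem" 2>/dev/null

# What a string-only check sees: the issuer DN printed from the certificate.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

# What a real check does: build the chain to the trusted CA and verify the
# signature. Returns 0 only if openssl verify reports "<file>: OK".
verifies_against() {   # $1 = trusted CA file, $2 = certificate to check
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    case "$out" in
        *": OK"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# The issuer strings are identical, so a string comparison accepts both certs.
echo "issuer of my-cert.pem:     $(issuer_of "$WORK/my-cert.pem")"
echo "issuer of fakemy-cert.pem: $(issuer_of "$WORK/fakemy-cert.pem")"

# The signature check tells them apart: only my-cert.pem chains to cacert.pem.
for cert in my-cert.pem fakemy-cert.pem; do
    if verifies_against "$WORK/cacert.pem" "$WORK/$cert"; then
        echo "$cert: chains to cacert.pem"
    else
        echo "$cert: REJECTED by openssl verify"
        openssl verify -CAfile "$WORK/cacert.pem" "$WORK/$cert" 2>&1 | sed 's/^/    /' || true
    fi
done
```

The point of `verifies_against` is that it keys on the signature over the certificate body, not on any field a forger controls: the fake CA can copy every string in the DN, but it cannot produce a signature that validates under the real CA's public key, which is exactly the check `openssl verify` performs and the report says the server was skipping.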