This morning we received a report from oCERT which is being treated as a public security issue in the MySQL client.
In short, it is possible for the MySQL client to silently fall back to a non-SSL connection instead of aborting the connection, and as such communication will not be encrypted “in flight”; this is known, documented behaviour.
This is now being assigned a CVE and an advisory is set for release April 29th, the body of the original notification follows.
This issue affects MariaDB, and very likely Percona as well, and is related
The issue concerns the impossibility for MySQL/MariaDB users (with any major
stable version) to enforce an SSL connection without possibility for a MITM
attack to perform a malicious downgrade.
The issue affects MySQL versions before 5.7.3. However, these fixes have not
been back-ported to previous major versions (5.5, 5.6, etc.), and MySQL 5.7
is not yet considered a stable release. Situation should be similar with
Therefore, the vast majority of MySQL/MariaDB users:
a) have no ability to enforce SSL use, except by patching code or
performing a major-version upgrade to a development release, and
b) are probably not aware of this limitation.
The following links clearly illustrate the issue:
While technically this is documented behaviour, it represents a pretty bad
one and the feeling is that most users actually have no awareness of this.
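Because the affected clients cannot be told to refuse a cleartext session, the practical client-side check is to ask the server, after connecting, which cipher the current session negotiated and to abort if there is none. The following is an added example (not code from the original report or from MySQL, MariaDB or Percona) of that post-connect check in Python. It uses the real `SHOW SESSION STATUS LIKE 'Ssl_cipher'` query and works with any DB-API 2.0 driver; the `FakeConnection` class and the cipher strings it returns are constructed stand-ins so the check can be run offline.

```python
"""Post-connect check that a MySQL/MariaDB session really negotiated TLS.

The clients described above may silently downgrade to cleartext, so the
only client-side guarantee is to ask the server which cipher is in use
for *this* session and to abort if there is none. `verify_tls_or_abort`
accepts any DB-API 2.0 connection (mysql-connector-python, PyMySQL,
MySQLdb); the FakeConnection below is a constructed stand-in for testing.
"""


class InsecureConnectionError(RuntimeError):
    """Raised when the session is not protected by TLS."""


def tls_cipher_from_status(rows):
    """Extract the cipher from rows of SHOW SESSION STATUS LIKE 'Ssl_cipher'.

    Returns the cipher name, or '' when the session is cleartext. A missing
    row is treated the same as an empty value, i.e. as insecure.
    """
    for name, value in rows:
        if name.lower() == "ssl_cipher":
            return (value or "").strip()
    return ""


def verify_tls_or_abort(conn):
    """Query the server for the session cipher; close and raise if none.

    `conn` is any DB-API 2.0 connection object. Returns the cipher name.
    """
    cur = conn.cursor()
    try:
        cur.execute("SHOW SESSION STATUS LIKE 'Ssl_cipher'")
        cipher = tls_cipher_from_status(cur.fetchall())
    finally:
        cur.close()
    if not cipher:
        conn.close()  # never keep using a session that was downgraded
        raise InsecureConnectionError(
            "server reports no TLS cipher for this session; "
            "the connection may have been downgraded to cleartext")
    return cipher


# --- Constructed stand-ins so the check can be exercised offline ---------

class _FakeCursor:
    def __init__(self, rows):
        self._rows = rows

    def execute(self, sql):
        self.sql = sql  # the real driver would send this to the server

    def fetchall(self):
        return list(self._rows)

    def close(self):
        pass


class FakeConnection:
    """Mimics a DB-API connection; `rows` is what SHOW STATUS would return."""

    def __init__(self, rows):
        self._rows = rows
        self.closed = False

    def cursor(self):
        return _FakeCursor(self._rows)

    def close(self):
        self.closed = True


def demo():
    """Run the check against a TLS session and a downgraded one."""
    # Constructed sample values: one session with a cipher, one without.
    good = FakeConnection([("Ssl_cipher", "ECDHE-RSA-AES256-GCM-SHA384")])
    bad = FakeConnection([("Ssl_cipher", "")])
    results = {"tls": verify_tls_or_abort(good)}
    try:
        verify_tls_or_abort(bad)
        results["cleartext"] = "accepted"  # must not happen
    except InsecureConnectionError:
        results["cleartext"] = "aborted"
    results["cleartext_closed"] = bad.closed
    return results


if __name__ == "__main__":
    print(demo())
```

With a real driver, call `verify_tls_or_abort(conn)` immediately after `connect()` and before issuing any query that carries credentials or data; the check is deliberately server-side (it reports what the server actually negotiated) rather than relying on a client option that the affected versions do not enforce.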