--ssl option should enforce SSL

This morning we received a report from oCERT which is being treated as a public security issue in the MySQL client.

In short, the MySQL client can silently fall back to a non-SSL connection instead of aborting the connection, so communication is not encrypted "in flight" even when SSL was requested. This is known, documented behaviour.

A CVE is now being assigned and an advisory is scheduled for release on April 29th. The body of the original notification follows.

This issue affects MariaDB, and very likely Percona as well, and is related
to https://mariadb.atlassian.net/browse/MDEV-7937

The issue concerns the impossibility for MySQL/MariaDB users (with any major
stable version) to enforce an SSL connection without possibility for a MITM
attack to perform a malicious downgrade.

The issue affects MySQL versions before 5.7.3. However, these fixes have not
been back-ported to previous major versions (5.5, 5.6, etc.), and MySQL 5.7
is not yet considered a stable release. The situation should be similar with
MariaDB.

Therefore the vast majority of MySQL/MariaDB users:

a) have no ability to enforce SSL use, except by patching code or
performing a major-version upgrade to a development release, and

b) are probably not aware of this limitation

The following links clearly illustrate the issue:

https://github.com/mysql/mysql-server/commit/3bd5589e1a5a93f9c224badf983cd65c45215390
http://mysqlblog.fivefarmers.com/2014/04/02/redefining-ssl-option/
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-3.html

While technically this is documented behaviour, it represents a pretty bad
one and the feeling is that most users actually have no awareness of this.
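The downgrade the notification describes comes from the server handshake: the server advertises whether it can do TLS through a capability bit (CLIENT_SSL, 0x0800) in its initial Handshake packet, and a man-in-the-middle who clears that bit makes a client that only "prefers" SSL continue in plaintext. The following is an added example written for this post, not code from the MySQL, MariaDB or oCERT projects: it builds a constructed Handshake V10 packet body, strips the CLIENT_SSL bit the way an attacker on the path would, and contrasts a client that falls back silently with one that refuses, which is the behaviour MySQL 5.7.3 gives the --ssl option. The packet layout follows the public MySQL client/server protocol; the two client policies, the server version string and the error text are simplified models for illustration, not the real libmysqlclient code.

```python
import struct

# Capability bit the server sets in its handshake when it supports TLS.
CLIENT_SSL = 0x0800

# Other capability bits used only to make the constructed packet realistic.
CLIENT_LONG_PASSWORD = 0x0001
CLIENT_PROTOCOL_41 = 0x0200
CLIENT_SECURE_CONNECTION = 0x8000
CLIENT_PLUGIN_AUTH = 0x00080000


def build_handshake(server_version: bytes, capabilities: int) -> bytes:
    """Constructed Handshake V10 packet body (the 4-byte packet header is omitted)."""
    return (
        bytes([10])                                  # protocol version 10
        + server_version + b"\x00"                   # NUL-terminated server version
        + struct.pack("<I", 1234)                    # connection id (constructed)
        + b"12345678"                                # auth-plugin-data part 1 (8 bytes)
        + b"\x00"                                    # filler
        + struct.pack("<H", capabilities & 0xFFFF)   # capability flags, lower 2 bytes
        + bytes([0x21])                              # character set (utf8_general_ci)
        + struct.pack("<H", 0x0002)                  # status flags (SERVER_STATUS_AUTOCOMMIT)
        + struct.pack("<H", capabilities >> 16)      # capability flags, upper 2 bytes
    )


def _lower_caps_offset(packet: bytes) -> int:
    """Offset of the lower capability word: skip version byte, NUL-terminated
    version string, connection id (4), auth data (8) and filler (1)."""
    nul = packet.index(b"\x00", 1)
    return nul + 1 + 4 + 8 + 1


def parse_capabilities(packet: bytes) -> int:
    """Return the full 32-bit server capability flags from a Handshake V10 body."""
    if packet[0] != 10:
        raise ValueError("not a Handshake V10 packet")
    pos = _lower_caps_offset(packet)
    lower = struct.unpack_from("<H", packet, pos)[0]
    # upper word sits after lower word (2), charset (1) and status flags (2)
    upper = struct.unpack_from("<H", packet, pos + 2 + 1 + 2)[0]
    return (upper << 16) | lower


def mitm_strip_ssl(packet: bytes) -> bytes:
    """What an on-path attacker does: clear CLIENT_SSL, leave everything else intact."""
    pos = _lower_caps_offset(packet)
    lower = struct.unpack_from("<H", packet, pos)[0] & ~CLIENT_SSL & 0xFFFF
    return packet[:pos] + struct.pack("<H", lower) + packet[pos + 2:]


def old_client(packet: bytes, want_ssl: bool) -> str:
    """Model of the pre-5.7.3 behaviour: --ssl means 'use TLS if the server
    offers it'; when the bit is missing the client just carries on in clear."""
    caps = parse_capabilities(packet)
    if want_ssl and caps & CLIENT_SSL:
        return "tls"
    return "plaintext"  # silent fallback: this is the downgrade


def fixed_client(packet: bytes, want_ssl: bool) -> str:
    """Model of the 5.7.3 behaviour: --ssl is a requirement, so a server that
    does not advertise CLIENT_SSL gets a refused connection, not a plaintext one."""
    caps = parse_capabilities(packet)
    if want_ssl and not caps & CLIENT_SSL:
        # error text modelled on the client's SSL-required error; illustrative
        raise ConnectionError("SSL connection error: SSL is required but the server doesn't support it")
    return "tls" if want_ssl else "plaintext"


# Constructed packet from a server that does support TLS.
SERVER_CAPS = (CLIENT_LONG_PASSWORD | CLIENT_PROTOCOL_41 | CLIENT_SSL
               | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH)
SERVER_HANDSHAKE = build_handshake(b"5.6.24-log", SERVER_CAPS)
TAMPERED_HANDSHAKE = mitm_strip_ssl(SERVER_HANDSHAKE)


if __name__ == "__main__":
    print("genuine handshake, old client :", old_client(SERVER_HANDSHAKE, True))
    print("tampered handshake, old client:", old_client(TAMPERED_HANDSHAKE, True))
    print("genuine handshake, new client :", fixed_client(SERVER_HANDSHAKE, True))
    try:
        fixed_client(TAMPERED_HANDSHAKE, True)
    except ConnectionError as e:
        print("tampered handshake, new client: refused -", e)
```

On a version that still has the old behaviour, the practical check after connecting is `SHOW STATUS LIKE 'Ssl_cipher'`: an empty value means the session is in the clear regardless of what was passed on the command line. Note that forcing TLS alone does not stop an active attacker who presents his own certificate; the client must also verify the server certificate (`--ssl-verify-server-cert` with a trusted `--ssl-ca`) for the downgrade protection to mean anything.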
