maria-developers team mailing list archive
Message #08576
Re: MDEV-7937: Enforce SSL when --ssl client option is used
Hi, Vicențiu!
On May 17, Vicențiu Ciorbaru wrote:
> Hi Sergei!
>
> I've done some work on this issue. I've read MySQL's implementation of this
> and have looked at our implementation. They have done a bit of refactoring,
> introducing an enforce_ssl flag, as well as changing the C interface a bit,
> to allow setting this flag programmatically.
I didn't check what they did. Do you, perhaps, have links to MySQL
commits?
> There are two more things that I'm not sure of:
> 1. Specifying --ssl as a command line parameter to the mysql client is not
> enough to enforce ssl and the client's code in this case just ignores the
> option. We need to provide at least one of the additional ones like
> --ssl-key or --ssl-ca. My patch will not cause the client to report an
> error in this case. Is this acceptable behaviour or not?
Up to you. I agree that this behavior is confusing.
> 2. Do we want mysql's enforce_ssl feature?
With your patch we don't need it, do we?
=====================
A related thought.... Even if you enforce SSL, you still cannot be sure
that there is no MITM. You can be connected to an SSL proxy that
decrypts your data, modifies them, if needed, and then sends (over SSL)
to the server.
To know that you connect to the actual MariaDB server, you need to check
the certificate, the mere fact of SSL encryption is not enough. Right?
And if you check the SSL certificate, then there is no need to "enforce
SSL", because you won't connect if you won't see the correct certificate
anyway.
If I'm right it means that enforcing SSL isn't very useful. Those who
care about their connection security, they check certificates. Those who
don't do that - they get a false sense of security by "enforcing SSL".
Is that so?
If yes, it means the efforts should be not simply to "enforce SSL", but
to have a good certificate verification check (I don't know if the
existing one is good enough) and to double-check that if
CLIENT_SSL_VERIFY_SERVER_CERT flag is used, then we never connect
without verifying the certificate (I think without SSL the verification
is simply skipped now).
Regards,
Sergei
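
The argument in this message, written out as a small C model (an added example, not MariaDB or MySQL client code). The three peers are constructed, the `enforce_ssl` and `strict_verify` parameters are hypothetical, and the lenient branch models the behaviour the message suspects ("without SSL the verification is simply skipped") rather than confirmed client behaviour.

```c
#include <stdio.h>

/* Capability bits as defined in mysql_com.h. */
#define CLIENT_SSL                    2048UL
#define CLIENT_SSL_VERIFY_SERVER_CERT (1UL << 30)

enum outcome { PLAINTEXT, TLS_UNVERIFIED, TLS_VERIFIED, REFUSED };

/* Constructed peers: what the client sees during the handshake. */
struct peer { const char *name; unsigned long caps; int cert_matches; };
const struct peer real_server = { "real server",         CLIENT_SSL, 1 };
const struct peer no_tls_peer = { "peer offering no TLS", 0,          0 };
const struct peer tls_proxy   = { "TLS proxy, own cert", CLIENT_SSL, 0 };

/*
 * Simplified decision model (assumption, not the real client logic).
 * enforce_ssl   : hypothetical "refuse anything that is not TLS" option.
 * strict_verify : 0 = certificate check is skipped when TLS is not
 *                     negotiated (the behaviour the message suspects);
 *                 1 = a request to verify never ends in a connection
 *                     without a verified certificate (the proposed rule).
 */
enum outcome decide(const struct peer *p, unsigned long client_flags,
                    int enforce_ssl, int strict_verify)
{
    int want_verify = (client_flags & CLIENT_SSL_VERIFY_SERVER_CERT) != 0;
    int must_tls = enforce_ssl || (strict_verify && want_verify);

    if (!(p->caps & CLIENT_SSL))        /* peer does not offer TLS */
        return must_tls ? REFUSED : PLAINTEXT;
    if (!want_verify)
        return TLS_UNVERIFIED;          /* encrypted, peer identity unknown */
    return p->cert_matches ? TLS_VERIFIED : REFUSED;
}

int main(void)
{
    static const char *txt[] = { "plaintext", "TLS unverified",
                                 "TLS verified", "refused" };
    const struct peer *peers[] = { &real_server, &no_tls_peer, &tls_proxy };
    for (int i = 0; i < 3; i++) {
        const struct peer *p = peers[i];
        printf("%-21s enforce only: %-15s verify, lenient: %-13s verify, strict: %s\n",
               p->name, txt[decide(p, 0, 1, 0)],
               txt[decide(p, CLIENT_SSL_VERIFY_SERVER_CERT, 0, 0)],
               txt[decide(p, CLIENT_SSL_VERIFY_SERVER_CERT, 0, 1)]);
    }
    return 0;
}
```

In this model, enforcement alone still connects to the TLS proxy, while strict verification refuses both the proxy and the peer that offers no TLS, which is why the hypothetical `enforce_ssl` option adds nothing once verification is never skipped.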