Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Anders Kaseorg (anderskMIT.EDU)
Date: Tue Aug 17 2010 - 17:02:06 CDT
On Wed, 2010-08-11 at 14:23 -0400, Shawn Green (MySQL) wrote:
> On 8/9/2010 5:27 PM, Yves Goergen wrote:
> > What's that supposed to mean? If there's no way to force the connection
> > into SSL, it is entirely useless. Anyone on the wire could simply
> > pretend that the server doesn't support SSL and so deny the encryption
> > and the client wouldn't even care...
> If you don't want to require SSL on the local connections then don't
> set the flag on the localhost account.
> If you want the SSL required on the other connections, then set it on
> the '...' version of the account that the remote users login through.
Excuse me, but isn’t Yves exactly right here?
None of the client-side options (I tried --ssl, --ssl-ca=…,
--ssl-verify-server-cert, --ssl-key=…, --ssl-cipher=…) can currently be
used to force an SSL connection to be used. And requiring SSL from the
server side does nothing to stop man-in-the-middle attacks.
(Suppose Bob the SQL server grants some privileges to Alice the user
with SSL required. Now Alice can log in with her password over SSL and
gets denied over non-SSL. Great.
But now Mallory comes along and intercepts a connection from Alice
intended for Bob. Even if Bob would have claimed that he requires SSL,
nothing stops Mallory from claiming that she doesn’t require SSL.
Because Alice cannot force the use of SSL from the client side, Alice
will make a successful unencrypted connection to Mallory. Then Mallory
can accept the connection, ignoring Alice’s authentication, and steal
Alice’s data; or Mallory can make a separate SSL connection to Bob,
forward Alice’s authentication over it, then take over and issue evil
commands to Bob.)
This same issue was reported back in 2004 and ignored:
I think this is a serious security problem that demands more attention
than dismissal as documented behavior. To solve it, there needs to be a
way to force the use of SSL from the client side.
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql