Redefining --ssl option

[UPDATE:  Please see related post regarding oCERT assessment 2015-003.]

MySQL clients have long had a --ssl option.  Casual users may think specifying this option will cause clients to secure connections using SSL.  That is not the case:

D:\mysql-5.6.13-winx64>bin\mysql -uroot -P3307 --ssl
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.6.13-log MySQL Community Server (GPL)

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \s
--------------
bin\mysql  Ver 14.14 Distrib 5.6.13, for Win64 (x86_64)

Connection id:          2
Current database:
Current user:           root@localhost
SSL:                    Not in use
...

This behavior is clearly explained in the manual:

For the server, this option specifies that the server permits but does not require SSL connections.

For a client program, this option permits but does not require the client to connect to the server using SSL. Therefore, this option is not sufficient in itself to cause an SSL connection to be used. For example, if you specify this option for a client program but the server has not been configured to permit SSL connections, an unencrypted connection is used.

Of course, an account can be defined on the server side to require SSL connections (with the REQUIRE SSL option for GRANT syntax), but until MySQL Server 5.7.3, it’s not possible for a user to demand SSL be used for a given client connection.  When connecting to a server which isn’t configured to support SSL, a client will accept non-SSL connections even though a number of SSL-related configuration options are defined:

D:\mysql-5.6.13-winx64>bin\mysql -uroot -P3307 --ssl --ssl-ca=D:\certs\ca-cert.pem --ssl-verify-server-cert --ssl-key=D:\certs\client-key.pem --ssl-cert=D:\certs\client-cert.pem
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 10
Server version: 5.6.13-log MySQL Community Server (GPL)

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \s
--------------
bin\mysql  Ver 14.14 Distrib 5.6.13, for Win64 (x86_64)

Connection id:          10
Current database:
Current user:           root@localhost
SSL:                    Not in use
...

That’s problematic in a world that increasingly cares about securing client/server communication made over the network, and in MySQL Server 5.7.3, this is fixed by redefining the --ssl option to require SSL.  Here’s an example:

D:\mysql-5.7.4-m14-winx64>bin\mysql -uroot --ssl
ERROR 2026 (HY000): SSL connection error: SSL is required but the server doesn't support it

There is a corresponding change in libmysql, which adds a MYSQL_OPT_SSL_ENFORCE option for the mysql_options() function, allowing libmysql-based clients and drivers to implement the same behavior as the 5.7 command-line clients. Note that this behavior was originally introduced in the MySQL Server 5.7.3 DMR (not the just-released 5.7.4 DMR, although it is present there too). Because this is a behavioral change, it has not been back-ported to MySQL Server 5.6.
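For clients older than 5.7.3, where --ssl only permits SSL as shown above, the practical defense is to verify after connecting that the session actually negotiated a cipher. The following POSIX shell script is an added example, not code from the original post or from MySQL: it parses the client's status report (the "SSL:" line printed by \s or "mysql -e status") and refuses to proceed on a plaintext session. It assumes a mysql client binary on PATH; the status samples at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-5.7.3 clients treat --ssl as
# "permit", so the caller must confirm the session negotiated a cipher.
# Assumes a "mysql" client on PATH (only used by mysql_require_ssl).

# Classify a client status report ("\s" / "mysql -e status"): prints
# "on", "off" or "unknown". Always returns 0, so it is safe under "set -e".
ssl_state() {
    ssl_line=$(printf '%s\n' "$1" | grep '^SSL:' | head -n 1)
    case "$ssl_line" in
        *"Cipher in use is"*) echo on ;;
        *"Not in use"*)       echo off ;;
        *)                    echo unknown ;;
    esac
}

# Extract the negotiated cipher name from the same report (empty if none).
ssl_cipher() {
    printf '%s\n' "$1" | sed -n 's/^SSL:[[:space:]]*Cipher in use is[[:space:]]*//p' | head -n 1
}

# Preflight check: connect with the caller's options plus --ssl and refuse to
# go on unless the session reports a cipher. Exit codes: 0 SSL on,
# 1 plaintext accepted, 2 state undetermined, 3 connection failed.
mysql_require_ssl() {
    report=$(mysql "$@" --ssl -e status 2>&1) || { printf '%s\n' "$report" >&2; return 3; }
    case "$(ssl_state "$report")" in
        on)  echo "SSL in use: $(ssl_cipher "$report")"; return 0 ;;
        off) echo 'refusing: server accepted a plaintext connection' >&2; return 1 ;;
        *)   echo 'refusing: SSL state could not be determined' >&2; return 2 ;;
    esac
}

# Constructed sample reports (abridged from what "\s" prints) for offline use.
SAMPLE_PLAINTEXT='Connection id:          10
Current user:           root@localhost
SSL:                    Not in use'
SAMPLE_SSL='Connection id:          11
Current user:           root@localhost
SSL:                    Cipher in use is DHE-RSA-AES256-SHA'

echo "plaintext sample -> $(ssl_state "$SAMPLE_PLAINTEXT")"
echo "ssl sample       -> $(ssl_state "$SAMPLE_SSL") ($(ssl_cipher "$SAMPLE_SSL"))"
# Real use: mysql_require_ssl -uroot -P3307 --ssl-ca=/path/to/ca-cert.pem && run_job
```

The preflight runs on its own connection, so for work done inside a session the same fact can be checked with SHOW STATUS LIKE 'Ssl_cipher', whose Value is empty on a plaintext session.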
