Hi, Dmitry,

On Sep 28, Dmitry Shulga wrote:
> revision-id: f9c1546bd7d (mariadb-11.2.1-6-gf9c1546bd7d) > parent(s): c4cbafe0c4c > author: Dmitry Shulga > committer: Dmitry Shulga > timestamp: 2023-09-28 16:20:36 +0700 > message: > > MDEV-32123: require_secure_transport doesn't allow TCP connections > > diff --git a/mysql-test/main/require_secure_transport.test > b/mysql-test/main/require_secure_transport.test > index e238e732423..4ad18afb96d 100644 > --- a/mysql-test/main/require_secure_transport.test > +++ b/mysql-test/main/require_secure_transport.test > @@ -5,11 +5,16 @@ SET GLOBAL require_secure_transport=ON; > --error ER_SECURE_TRANSPORT_REQUIRED > connect without_ssl,localhost,root,,,,,TCP NOSSL; > --enable_query_log > + > +connect with_ssl,localhost,root,,,,,TCP SSL;

where's a check that a connection was established successfully and it indeed uses SSL with require_secure_transport enabled? also, you didn't add any tests for --require-secure-transport=1

> +disconnect with_ssl; > + > connection default; > SET GLOBAL require_secure_transport=OFF; > --disable_query_log > connect without_ssl,localhost,root,,,,,TCP NOSSL; > --enable_query_log > disconnect without_ssl; > + > connection default; > DROP TABLE t1; > diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc > index 1f00a8670a6..3ce1c363c86 100644 > --- a/sql/sql_acl.cc > +++ b/sql/sql_acl.cc
> @@ -14519,6 +14546,22 @@ bool acl_authenticate(THD *thd, uint > com_change_user_pkt_len) > > if (initialized) // if not --skip-grant-tables > { > + /* > + Check whether the option require_secure_transport is on and in case > + it is true that the secured connection type is used, that is either > + unix socket or named pipe or ssl is in use. > + */ > + if(check_require_secured_transport(thd)) > + { > + Host_errors errors; > + errors.m_ssl= 1; > + inc_host_errors(mpvio.auth_info.thd->security_ctx->ip, &errors); > + status_var_increment(thd->status_var.access_denied_errors); > + my_error(ER_SECURE_TRANSPORT_REQUIRED, MYF(0)); > + > + DBUG_RETURN(1); > + }

No, no. This is wrong. The point of "require_secure_transport" is to make sure that *everything* is sent over the secure transport. In particular, passwords must never be sent if the transport is not secure. You cannot check for it after the authentication, you must abort the connection as soon as possible.

(technically, the server can do nothing to prevent the client from sending passwords in plain-text over the insecure connection. but practically clients use mysql_native_password by default, so the password won't leak)

Regards,
Sergei
Chief Architect, MariaDB Server
and secur...@mariadb.org
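
Review bot: In the require_secure_transport.test hunk, `connect with_ssl,localhost,root,,,,,TCP SSL;` is followed directly by `disconnect with_ssl;`, so nothing in the test asserts that the session opened while require_secure_transport=ON is actually encrypted. Run a statement on with_ssl before disconnecting, for example `SELECT VARIABLE_VALUE <> '' AS have_ssl FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher';`, so the result file records the outcome. The new connect also sits after `--enable_query_log`, while both NOSSL connects are wrapped in `--disable_query_log` / `--enable_query_log`; make that consistent or state why the SSL case differs.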
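
Review bot: In the acl_authenticate() hunk the new check is placed inside `if (initialized) // if not --skip-grant-tables`, so a server running with --skip-grant-tables never reaches it and require_secure_transport is not enforced on that path. Move the check so it does not depend on `initialized`. Within the added block, `inc_host_errors(mpvio.auth_info.thd->security_ctx->ip, &errors);` goes through `mpvio.auth_info.thd` while the neighbouring lines use `thd` directly; use one form consistently, and write `if (` with a space to match the surrounding `if (initialized)`. The added comment is also hard to parse; state plainly that the connection is rejected when require_secure_transport is on and the transport is not a unix socket, named pipe or SSL.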