On Wed, 2010-08-11 at 14:23 -0400, Shawn Green (MySQL) wrote:
> On 8/9/2010 5:27 PM, Yves Goergen wrote:
> > What's that supposed to mean? If there's no way to force the connection
> > into SSL, it is entirely useless. Anyone on the wire could simply
> > pretend that the server doesn't support SSL and so deny the encryption
> > and the client wouldn't even care...
>
> If you don't want to require SSL on the local connections then don't
> set the flag on the @localhost account.
>
> If you want the SSL required on the other connections, then set it on
> the @'...' version of the account that the remote users login through.
Excuse me, but isn't Yves exactly right here? None of the client-side options (I tried --ssl, --ssl-ca=..., --ssl-verify-server-cert, --ssl-key=..., --ssl-cipher=...) can currently be used to force an SSL connection to be used. And requiring SSL from the server side does nothing to stop man-in-the-middle attacks.

(Suppose Bob the SQL server grants some privileges to Alice the user with SSL required. Now Alice can log in with her password over SSL and gets denied over non-SSL. Great. But now Mallory comes along and intercepts a connection from Alice intended for Bob. Even if Bob would have claimed that he requires SSL, nothing stops Mallory from claiming that she doesn't require SSL. Because Alice cannot force the use of SSL from the client side, Alice will make a successful unencrypted connection to Mallory. Then Mallory can accept the connection, ignoring Alice's authentication, and steal Alice's data; or Mallory can make a separate SSL connection to Bob, forward Alice's authentication over it, then take over and issue evil commands to Bob.)

This same issue was reported back in 2004 and ignored:
http://bugs.mysql.com/bug.php?id=3138

I think this is a serious security problem that demands more attention than dismissal as documented behavior. To solve it, there needs to be a way to force the use of SSL from the client side.

Anders

-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/mysql?unsub=arch...@jab.org
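The downgrade Anders describes, as an added example that is not part of this thread and not code from MySQL or its client library. It builds a constructed protocol-v10 server greeting, shows Mallory clearing the CLIENT_SSL capability bit in transit (the greeting has no integrity protection, so the edit is invisible to the client), and then applies two hypothetical client policies: one that uses SSL only when the server advertises it, which is the behaviour the message complains about, and one that refuses to continue without it, which is the client-side enforcement the message asks for. The `build_greeting`, `strip_ssl`, `client_negotiate` and `downgrade_outcome` functions are illustrative names, not MySQL API; the capability bit values are the real protocol constants. Later MySQL clients did add `--ssl-mode=REQUIRED` (and `VERIFY_CA` / `VERIFY_IDENTITY`), which is exactly the `require_ssl=True` branch below.

```python
import struct

# Capability bits from the MySQL client/server protocol.
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800          # the server sets this to advertise SSL support


def build_greeting(capabilities, server_version=b"5.1.49"):
    """Constructed protocol-v10 initial handshake body (without the 4-byte packet header).

    Layout: protocol version, NUL-terminated server version, connection id,
    8 bytes of auth data, a filler byte, the lower capability word, charset,
    status flags, the upper capability word, then the remaining auth-plugin
    fields, which are dummy-filled here because nothing below reads them.
    """
    body = bytes([10])                                   # protocol version 10
    body += server_version + b"\x00"                     # server version string
    body += struct.pack("<I", 7)                         # connection id (arbitrary)
    body += b"A" * 8 + b"\x00"                           # auth-plugin-data part 1 + filler
    body += struct.pack("<H", capabilities & 0xFFFF)     # capability flags, lower 16 bits
    body += bytes([33])                                  # character set (utf8)
    body += struct.pack("<H", 0x0002)                    # status flags (SERVER_STATUS_AUTOCOMMIT)
    body += struct.pack("<H", capabilities >> 16)        # capability flags, upper 16 bits
    body += b"\x00" * 11                                 # auth-plugin-data length + reserved
    body += b"B" * 13                                    # auth-plugin-data part 2 (dummy)
    return body


def _capability_offsets(greeting):
    """Byte offsets of the lower and upper capability words inside the body."""
    if greeting[0] != 10:
        raise ValueError("not a protocol-v10 handshake")
    pos = greeting.index(b"\x00", 1) + 1   # skip past the NUL-terminated version
    lower = pos + 4 + 8 + 1                # connection id, auth data part 1, filler
    upper = lower + 2 + 1 + 2              # lower caps, charset, status flags
    return lower, upper


def parse_capabilities(greeting):
    """Return the full 32-bit capability flags the greeting advertises."""
    lower, upper = _capability_offsets(greeting)
    lo = struct.unpack_from("<H", greeting, lower)[0]
    hi = struct.unpack_from("<H", greeting, upper)[0]
    return (hi << 16) | lo


def strip_ssl(greeting):
    """Mallory's edit: clear CLIENT_SSL in the greeting as it passes through.

    The greeting carries no MAC or signature, so the client cannot tell this
    packet from one the real server sent.
    """
    lower, _ = _capability_offsets(greeting)
    lo = struct.unpack_from("<H", greeting, lower)[0] & ~CLIENT_SSL & 0xFFFF
    return greeting[:lower] + struct.pack("<H", lo) + greeting[lower + 2:]


def client_negotiate(greeting, require_ssl):
    """Hypothetical client policy applied to the greeting.

    With require_ssl=False this mirrors the behaviour the thread complains
    about: SSL is used only if the server advertises it, so a stripped
    greeting silently yields a plaintext session.  With require_ssl=True the
    client refuses before sending any credentials.
    """
    if parse_capabilities(greeting) & CLIENT_SSL:
        return "ssl"
    if require_ssl:
        raise ConnectionError("server did not advertise SSL; refusing to send credentials")
    return "plaintext"


def downgrade_outcome(require_ssl):
    """Whole scenario: Bob advertises SSL, Mallory strips it, Alice connects."""
    bob_greeting = build_greeting(CLIENT_PROTOCOL_41 | CLIENT_SSL)
    seen_by_alice = strip_ssl(bob_greeting)
    try:
        return client_negotiate(seen_by_alice, require_ssl)
    except ConnectionError:
        return "refused"


if __name__ == "__main__":
    print("client without enforcement:", downgrade_outcome(require_ssl=False))
    print("client with enforcement:   ", downgrade_outcome(require_ssl=True))
```

The server-side REQUIRE SSL grant never enters this exchange: Alice's client decides whether to start TLS before any account check happens, based solely on a flag Mallory controls. Only the client-side refusal closes the hole, and it has to be combined with server certificate verification (`--ssl-verify-server-cert` or `VERIFY_IDENTITY` in later clients), otherwise Mallory can simply offer SSL herself and terminate it.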