*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Seth Arnold (seth-arnold):

Ubuntu focal
mysql-server-8.0: 8.0.21-0ubuntu0.20.04.4

in /etc/mysql/mysql.cnf (target of /etc/alternatives/my.cnf symlink):
ssl-ca=/etc/ssl/lets_encrypt/domain.chained.crt
ssl-cert=/etc/ssl/domain/domain.crt
ssl-key=/etc/ssl/domain/domain_rsakey.pem.decrypted

Those settings are read by the server:
# mysqld --verbose --help|grep ^ssl
ssl                                                          TRUE
ssl-ca                                                       /etc/ssl/lets_encrypt/domain.chained.crt
ssl-capath                                                   (No default value)
ssl-cert                                                     /etc/ssl/domain/domain.crt
ssl-key                                                      /etc/ssl/domain/domain_rsakey.pem.decrypted

Yet, they seem to have no effect:
# echo 'q' | sudo systemctl --no-pager --full status mysql
● mysql.service - MySQL Community Server
     Loaded: loaded (/lib/systemd/system/mysql.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2020-08-06 15:56:12 CEST; 6min ago
    Process: 93478 ExecStartPre=/usr/share/mysql/mysql-systemd-start pre (code=exited, status=0/SUCCESS)
   Main PID: 93503 (mysqld)
     Status: "Server is operational"
      Tasks: 41 (limit: 9280)
     Memory: 353.3M
     CGroup: /system.slice/mysql.service
             └─93503 /usr/sbin/mysqld
...
Aug 06 15:56:12 xxxxxxxxxxx mysqld[93503]: 2020-08-06T13:56:12.049846Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.

I am aware that some default certificates/keys are always created at each server start:
# find /var/lib/mysql/ -name "*.pem"
/media/WD320-DB/var/lib/mysql/8.0/public_key.pem
/media/WD320-DB/var/lib/mysql/8.0/ca-key.pem
/media/WD320-DB/var/lib/mysql/8.0/server-key.pem
/media/WD320-DB/var/lib/mysql/8.0/ca.pem
/media/WD320-DB/var/lib/mysql/8.0/server-cert.pem
/media/WD320-DB/var/lib/mysql/8.0/client-cert.pem
/media/WD320-DB/var/lib/mysql/8.0/private_key.pem
/media/WD320-DB/var/lib/mysql/8.0/client-key.pem

However, warning that "ca.pem is self signed" when another CA is configured seems to indicate that the latter is not used.

Also, testing the TLS connection with the mysql server across a network leads to an error (no such issue with other services running on the same host and using the same CA/wildcard certificate):

# openssl s_client -connect mysql.domain:3306 -msg -name $(hostname).$(dnsdomainname) -showcerts -state -status
CONNECTED(00000003)
SSL_connect:before SSL initialization
>>> ??? [length 0005]
    16 03 01 01 39
>>> TLS 1.3, Handshake [length 0139], ClientHello
SSL_connect:SSLv3/TLS write client hello
<<< ??? [length 0005]
    5b 00 00 00 0a
SSL_connect:error in error
139858538362176:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 318 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

** Affects: mysql-8.0 (Ubuntu)
     Importance: Undecided
         Status: New
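The five bytes the server answered with in the report, `5b 00 00 00 0a`, are not a TLS record but the header of a MySQL greeting packet (payload length 0x5b, sequence 0, protocol version 10): MySQL negotiates TLS inside its own protocol only after the server has announced, via the CLIENT_SSL capability flag, that it supports it. The example below is added here and is not code from the bug report or from the MySQL project; it constructs a sample greeting for the reported server version (the connection id and salt bytes are made up) and parses it to read the capability flags, so a defender can feed it the first packet read from port 3306 and see whether the server offers TLS at all.

```python
# Capability flags from the MySQL client/server protocol (public protocol constants).
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800          # server will switch this connection to TLS on request
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000
BASE_CAPS = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
TLS_HANDSHAKE_RECORD = 0x16      # first byte of a TLS record; a MySQL greeting never starts with it

def build_handshake_v10(version: str, capabilities: int, conn_id: int = 93503) -> bytes:
    """Construct a sample server greeting (Protocol::HandshakeV10) with its 4-byte packet header."""
    p = bytes([0x0a]) + version.encode() + b"\x00"           # protocol version 10, server version
    p += conn_id.to_bytes(4, "little")                        # connection id (constructed value)
    p += b"A" * 8 + b"\x00"                                   # auth-plugin-data-part-1 (constructed), filler
    p += (capabilities & 0xFFFF).to_bytes(2, "little")        # capability flags, lower 16 bits
    p += bytes([0xFF])                                        # character set (utf8mb4)
    p += (0x0002).to_bytes(2, "little")                       # status flags (SERVER_STATUS_AUTOCOMMIT)
    p += (capabilities >> 16).to_bytes(2, "little")           # capability flags, upper 16 bits
    p += bytes([21 if capabilities & CLIENT_PLUGIN_AUTH else 0])  # auth plugin data length
    p += b"\x00" * 10                                         # reserved
    p += b"B" * 13                                            # auth-plugin-data-part-2 (constructed)
    if capabilities & CLIENT_PLUGIN_AUTH:
        p += b"caching_sha2_password\x00"                     # default auth plugin in MySQL 8.0
    return len(p).to_bytes(3, "little") + b"\x00" + p        # header: 3-byte length, sequence 0

def parse_handshake_v10(packet: bytes) -> dict:
    """Return version, capability flags and whether TLS is offered; raise if this is not a greeting."""
    if packet[0] == TLS_HANDSHAKE_RECORD:
        raise ValueError("looks like a TLS record, not a MySQL greeting")
    length = int.from_bytes(packet[0:3], "little")
    payload = packet[4:4 + length]
    if len(payload) != length or payload[0] != 0x0a:
        raise ValueError("not a complete HandshakeV10 packet")
    end = payload.index(b"\x00", 1)                           # end of the NUL-terminated version string
    pos = end + 1 + 4 + 8 + 1                                 # skip NUL, connection id, salt part 1, filler
    cap_low = int.from_bytes(payload[pos:pos + 2], "little")
    cap_high = int.from_bytes(payload[pos + 5:pos + 7], "little")  # after charset (1) and status (2)
    caps = cap_low | (cap_high << 16)
    return {
        "sequence": packet[3],
        "version": payload[1:end].decode(),
        "connection_id": int.from_bytes(payload[end + 1:end + 5], "little"),
        "capabilities": caps,
        "tls_offered": bool(caps & CLIENT_SSL),
    }
```

With the reported version string the constructed greeting is exactly 0x5b bytes long, matching the header in the report; to see the certificate a live server actually presents after this negotiation, use `openssl s_client -starttls mysql -connect host:3306`, which speaks the MySQL greeting before the TLS handshake.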

-- 
mysql-server does not take into account configured ssl parameters
https://bugs.launchpad.net/bugs/1890611