Bug #31224 | Support for SSL certificate revocation lists | ||
---|---|---|---|
Submitted: | 27 Sep 2007 8:06 | Modified: | 27 Sep 2011 18:25 |
Reporter: | Pauli Virtanen | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: General | Severity: | S4 (Feature request) |
Version: | 5.0.38, possibly newer | OS: | Any |
Assigned to: | Geir Høydalsvik | CPU Architecture: | Any |
Tags: | Contribution, SSL |
[27 Sep 2007 8:06]
Pauli Virtanen
[25 Oct 2007 9:05]
Tony Whyman
Seconded. This is an obvious omission in MySQL SSL support and needs fixing before this feature can be fully utilised.
[4 Dec 2007 10:31]
Valeriy Kravchuk
Thank you for a reasonable feature request.
[4 Apr 2008 9:48]
Jonathan Barber
Online Certificate Status Protocol (OCSP) support would also be nice to have.
[2 Nov 2009 20:46]
Phillip Moore
I have a patch against 5.1.40 that adds support for the use of the CRL file. I've tested this manually, and it seems to work as expected, but I have not patched the mysql test suite at all (I can't get the unpatched test suite to work for me yet, against an unpatched 5.1.40). Doing that will require generating some additional SSL keys/certs/etc, and while that's straightforward, it still remains to be done. The biggest problem with this patch is that the CRL is read and the data added to the SSL certificate stash at startup time, which means that changes to the CRL file will not be automatic. IOW, you can't just publish a new CRL file to your MySQL servers, and expect it to be re-read. You must restart your database servers as well. I will attach the patch shortly, but please consider it experimental. I've done very little other than test the use of SSL authentication with and without the CRL file, to make sure it works as expected. I don't believe my patch affects anything other than the way SSL certificates are validated. I'll attach the patch as a file....
[2 Nov 2009 20:46]
Phillip Moore
OpenSSL CRL Support patch for 5.1.40
Attachment: mysql-5.1.40-ssl-crl-support-20091102.patch (application/octet-stream, text), 46.09 KiB.
[3 Nov 2009 19:32]
Liz Drachnik
Request to Phillip Moore - In order for us to continue the process of reviewing your contribution to MySQL, we need you to review and sign the Sun|MySQL contributor agreement (the "SCA"). The process is explained here: http://forge.mysql.com/wiki/Sun_Contributor_Agreement Getting a signed/approved SCA on file will help us facilitate your contribution: this one, and others in the future.
[27 Oct 2010 6:47]
Dmitriy Kulikov
I completely support the request of the author of this bug report. Certificate revocation is a very important and necessary tool for maintaining the security of MySQL. Without it, serious security vulnerabilities arise.
[27 Oct 2010 15:00]
Phillip Moore
Due to the lack of interest shown in my previous patch, I stopped working on this particular issue. We are also in the process of dropping support for MySQL and migrating to PostgreSQL instead, for a long list of reasons, so we will not be completing this effort. The reasons are cultural and political, more than technical, and everyone reading this knows what I'm talking about. The patch I provided works, but because of how MySQL interacts with SSL, the CRL is only read at startup time. Changes to the CRL are not seen by the mysql process unless restarted, and I consider that a serious shortcoming. It will require much more significant, but still relatively straightforward, changes to make recognition of changes in the CRL dynamic. If someone else would like to continue this effort to improve how MySQL uses SSL, I am more than happy to discuss it, but I will not be putting any further effort into it myself, since it's no longer of strategic interest to us.
[14 Jun 2011 10:29]
Georgi Kodinov
One workaround for this would be to put the CRL files (in a format recognized by OpenSSL) into the directory pointed to by the --ssl-capath parameter. This would ensure that OpenSSL reads them into the SSL context just fine. As the contributor points out, there's currently no way to refresh the CRLs (or any other SSL-related material in files) in a running server without re-creating the SSL context.
[27 Sep 2011 18:25]
Paul DuBois
Noted in 5.6.3 changelog. MySQL distributions compiled against OpenSSL (but not yaSSL) now support certificate revocation lists for SSL connections: The MySQL server and MySQL client programs that support SSL recognize --ssl-crl and --ssl-crlpath options for specifying a revocation list file or directory containing such files. The ssl_crl and ssl_crlpath system variables indicate the values of the --ssl-crl and --ssl-crlpath options with which the server was started. The CHANGE MASTER TO statement has MASTER_SSL_CRL and MASTER_SSL_CRLPATH options for specifying revocation list information to use when the slave connects to the master. The mysql.slave_master_info file has two more rows to store the values of these options. The SHOW SLAVE STATUS statement has two more columns to display the values of these options. The mysql_options() C API function has MYSQL_OPT_SSL_CRL and MYSQL_OPT_SSL_CRLPATH options for specifying revocation list information to use when the client connects to the master. In addition, mysql_options() now also supports MYSQL_OPT_SSL_CA, MYSQL_OPT_SSL_CAPATH, MYSQL_OPT_SSL_CERT, MYSQL_OPT_SSL_CIPHER, and MYSQL_OPT_SSL_KEY options for specifying other SSL parameters.
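The two comments above describe the same OpenSSL machinery from two sides: the --ssl-capath workaround (14 Jun 2011) relies on OpenSSL's hashed-directory lookup picking up a CRL dropped next to the CA certificate, and the 5.6.3 options (--ssl-crl for a file, --ssl-crlpath for a directory in that same hashed format) hand the CRL to OpenSSL explicitly. The script below is an added example, not code from this bug report, from MySQL or from OpenSSL: it builds a throwaway CA with the openssl CLI, issues two client certificates, revokes one, and verifies both against the CRL in the file form and in the hashed-directory form, so you can see that the revoked certificate is rejected and the other is still accepted before pointing a server or client at the same files. All subject names, file names and the temporary working directory are constructed for the demo; it assumes only that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not code from the bug report, MySQL or OpenSSL): a throwaway
# CA built with the openssl CLI, two client certs, one revoked, checked against
# the CRL the way MySQL 5.6.3's --ssl-crl (a file) and the older --ssl-capath
# workaround (a hashed directory) hand it to OpenSSL. All names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/openssl.cnf"

setup_ca() {
  mkdir -p "$WORK/ca/newcerts" "$WORK/capath"
  : > "$WORK/ca/index.txt"
  echo 1000 > "$WORK/ca/serial"
  echo 1000 > "$WORK/ca/crlnumber"
  cat > "$CNF" <<EOF
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $WORK/ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.pem
private_key = \$dir/ca-key.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
x509_extensions = v3_leaf
[ demo_policy ]
commonName = supplied
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
  openssl req -config "$CNF" -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo CA" -keyout "$WORK/ca/ca-key.pem" -out "$WORK/ca/ca.pem" 2>/dev/null
}

issue_client() {  # $1 = CN; writes $WORK/$1.pem signed by the demo CA
  openssl req -config "$CNF" -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1-key.pem" -out "$WORK/$1.csr" 2>/dev/null
  openssl ca -config "$CNF" -batch -notext -in "$WORK/$1.csr" -out "$WORK/$1.pem" 2>/dev/null
}

revoke_and_gencrl() {  # $1 = CN to revoke; rewrites $WORK/crl.pem
  openssl ca -config "$CNF" -revoke "$WORK/$1.pem" -crl_reason keyCompromise 2>/dev/null
  openssl ca -config "$CNF" -gencrl -out "$WORK/crl.pem" 2>/dev/null
}

# Hashed-directory layout that OpenSSL's CApath lookup expects (what
# `openssl rehash` / c_rehash generate): CA cert as <subject_hash>.0 and the
# CRL as <issuer_hash>.r0. A CRL under any other file name is never found.
build_hash_dir() {
  cp "$WORK/ca/ca.pem" "$WORK/capath/$(openssl x509 -noout -subject_hash -in "$WORK/ca/ca.pem").0"
  cp "$WORK/crl.pem"   "$WORK/capath/$(openssl crl -noout -hash -in "$WORK/crl.pem").r0"
}

# Reduce an `openssl verify` report to one word so callers can branch on it.
verdict() {
  case "$1" in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*)                echo OK ;;
    *)                       echo "error: $1" ;;
  esac
}

# --ssl-ca/--ssl-crl style: CA file plus an explicit CRL file. -crl_check sets
# X509_V_FLAG_CRL_CHECK on the store; without that flag a CRL is never consulted.
check_with_crlfile() {
  verdict "$(openssl verify -CAfile "$WORK/ca/ca.pem" -crl_check \
    -CRLfile "$WORK/crl.pem" "$WORK/$1.pem" 2>&1 || true)"
}

# --ssl-capath workaround style: one hashed directory holding CA cert and CRL.
check_with_capath() {
  verdict "$(openssl verify -CApath "$WORK/capath" -crl_check "$WORK/$1.pem" 2>&1 || true)"
}

run_demo() {
  setup_ca
  issue_client client1
  issue_client client2
  revoke_and_gencrl client1
  build_hash_dir
  for cn in client1 client2; do   # client1 -> revoked, client2 -> OK
    echo "$cn: crlfile=$(check_with_crlfile "$cn") capath=$(check_with_capath "$cn")"
  done
  echo "file form:      --ssl-ca=$WORK/ca/ca.pem --ssl-crl=$WORK/crl.pem"
  echo "directory form: --ssl-capath=$WORK/capath (same naming for --ssl-crlpath)"
}

if command -v openssl >/dev/null 2>&1; then
  run_demo
else
  echo "openssl CLI not found; nothing to demonstrate" >&2
fi
```

Two things in the script matter when you move from the demo to a real server. First, OpenSSL only looks at a CRL when the verify flag behind `-crl_check` is set on the certificate store, so the hashed file names matter for the directory form but do nothing by themselves; the MySQL documentation for --ssl-crlpath states the same hashed-directory (c_rehash) naming requirement. Second, the CRL carries a nextUpdate time (`default_crl_days` above), and OpenSSL rejects every certificate once a CRL it is asked to check has expired. Combined with the startup-only read discussed in this thread, a server that is not restarted within the CRL's validity window starts refusing all SSL clients rather than silently accepting revoked ones, so keep the lifetime and the restart schedule in step.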
[13 Dec 2018 12:52]
MySQL Verification Team
.oO Options that aren't dynamically settable.... Here's the FR for that: https://bugs.mysql.com/bug.php?id=75404 (Reload certificate and crl without restart)