| Bug #38700 | SSL Certificate Validation is Missing, Causing Security Vulnerability | ||
|---|---|---|---|
| Submitted: | 10 Aug 2008 19:00 | Modified: | 17 Jun 11:31 |
| Reporter: | Wes Henderson | ||
| Status: | Closed | ||
| Category: | Connector/Net | Severity: | S2 (Serious) |
| Version: | 5.x.x | OS: | Any |
| Assigned to: | Vladislav Vaintroub | Target Version: | |
| Tags: | Security, encryption, SSL | ||
| Triage: | D2 (Serious) | ||
[10 Aug 2008 19:00]
Wes Henderson
[11 Aug 2008 21:35]
Tonci Grgin
Hi Wes and thanks for your report. I am aware of this problem but let me see if I can dig out more info.
[13 Aug 2008 13:27]
Tonci Grgin
Wes, I must admit this is not my strong point, will consult others too. In the meantime
I'll speculate. Each client has to have certificate stored locally. The problem is how to
notify .NET of it's existence. AFAIK, .NET Framework, and at some level all of this
functionality, relies on the X509Certificate2 class from the
System.Security.X509Certificates2 namespace and you can retrieve certificates from the
file system directly. To create an X509Certificate2 instance from a file, simply pass the
file name to the constructor:
X509Certificate2 cert1 = new X509Certificate2("my_file_with_cert");
As far as change-logs go, SSL in c/NET is supported as of version 5.0.3 (12-31-2006).
Further research shows that 5.0, 5.1 and 5.2 branches have the "encrypt" ("useSSL")
connect string option enabled. However it is not available for mono (?) and compact
framework projects for now:
NativeDriver.cs, ln: 245 +
#if !CF
if (connectionString.UseSSL && (serverCaps & ClientFlags.SSL) != 0)
You can check for an SSL enabled MySQL server with:
mysql> SHOW VARIABLES LIKE 'have_ssl';
If you see 'YES' there, then SSL is ready to go. If you see 'DISABLED', then SSL is still
available but has not been configured with the appropriate certificate and key settings.
Please see:
http://dev.mysql.com/doc/refman/5.0/en/secure-using-ssl.html
http://dev.mysql.com/doc/refman/5.0/en/ssl-options.html
Also, this is a useful reference:
http://downloads.mysql.com/docs/connector-net-en.a4.pdf.
Also, add the certificate to the "Trusted Root Certification Authorities" management
console and try again.
Making any sense?
[13 Aug 2008 18:53]
Wes Henderson
Let me be more clear. I have no problem creating an SSL connection. It works fine for me. However, I have discovered a technical error with how the connection gets created. This problem creates a security risk. An important feature of SSL is to have the client approve the server's certificate. For example, if the server's certificate is bad (expired, fake, etc.) we do not want to approve the certificate. However, in Connector/Net, the client will approve any certificate, including bad certificates. There is no validation happening. Do you understand my concern?
[13 Aug 2008 19:04]
Tonci Grgin
Wes, yes I do... Additional text is for sake of completeness. I have already discussed this problem with devs but I fear there will be none around in next few days to check more thoroughly on this. Please be patient and, as I said, we met this problem before.
[1 Sep 2008 18:31]
Tonci Grgin
Hi Wes and sorry for the delay. Verified as described by looking into latest sources, ServerCheckValidation never occurs.
[2 Oct 2008 0:24]
Wes Henderson
It has been 30 days since the last comment. What is the schedule to fix this?
[2 Oct 2008 6:39]
Tonci Grgin
Wes, there are no mid-term plans to fix this but I'll ping c/NET team again.
[12 Jun 20:23]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/76218
[17 Jun 11:31]
Tony Bedford
An entry was added to the 6.0.4 changelog: MySQL Connector/Net was missing the capability to validate the server's certificate when using encryption. This made it possible to conduct a man-in-the-middle attack against the connection, which defeated the security provided by SSL.
