Bug #20899 | provide better error message if SSL client certificate authentication fails | | |
---|---|---|---|
Submitted: | 7 Jul 2006 11:38 | Modified: | 15 Aug 2006 10:02 |
Reporter: | Ralf Hauser | Email Updates: | |
Status: | Won't fix | Impact on me: | |
Category: | MySQL Server | Severity: | S4 (Feature request) |
Version: | 4.0.19 | OS: | Linux (Fedora) |
Assigned to: | | CPU Architecture: | Any |
[7 Jul 2006 11:38]
Ralf Hauser
[7 Jul 2006 11:50]
Ralf Hauser
See also Bug #20900 for a possible reason. Btw, is there a server-side (openssl) log where I might see the reason for each denied authentication (similar to PAM's /var/log/secure)?
[7 Jul 2006 12:08]
Ralf Hauser
OK, found /var/log/mysqld.err, but the client-side messages should still be improved.
[7 Jul 2006 15:28]
Hartmut Holzgraefe
Giving detailed feedback to clients on authentication errors is a bad idea as it provides potential attackers with extra information. So we might consider telling whether SSL was used or not, but I don't think we should expose any of the other requested information items to a client.
[7 Jul 2006 15:34]
Ralf Hauser
Agreed, don't send back the info about what is required, but at least what you have found (quite a few users plan to use one certificate/key pair but, in the confusion around openssl, mix it up and in fact use another one...). This can save them a lot of time...
[8 Jul 2006 10:16]
Valeriy Kravchuk
What you are asking for sounds like a feature request to me. And I am not sure that this feature should be implemented, for the reasons Hartmut already presented.
[9 Jul 2006 8:47]
Ralf Hauser
As said, Hartmut is right not to disclose anything that facilitates server config discovery. On the other hand, by simply doing nothing, you do a bad service to security, because there will be other errors like Bug #20900, which I would have found a lot quicker if the error message had been more user-friendly. What is likely to happen is that people get unnecessarily frustrated with our openssl solution and end up not using client certificates for authentication altogether :(
[15 Aug 2006 10:02]
Ralf Hauser
See also Bug #21565 for server-side issues and Bug #19870 for the broader Query Browser issue.