Bug #25309 | SSL connections without CA certificate broken since MySQL 5.0.23 | ||
---|---|---|---|
Submitted: | 28 Dec 2006 13:02 | Modified: | 1 May 2007 14:14 |
Reporter: | Wouter de Jong | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: Command-line Clients | Severity: | S3 (Non-critical) |
Version: | 5.0.23 | OS: | Linux (Linux / FreeBSD) |
Assigned to: | Magnus Blåudd | CPU Architecture: | Any |
Tags: | CA, self signed certificate, SSL |
[28 Dec 2006 13:02]
Wouter de Jong
[28 Dec 2006 13:17]
Wouter de Jong
It could even be as simple as this (theoretically): `case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: if (!mysql->options.ssl_verify_server_cert) ok = 1; break;` However, this would of course mean more work for the mysql->options stuff.
[28 Dec 2006 14:59]
Sveta Smirnova
Thank you for the report. Verified as described.
[3 Jan 2007 9:48]
Axel Schwenke
I was not able to reproduce this with 5.0.34bk. I can still connect without a valid CA cert on the client. Maybe this depends on the openssl version, not MySQL. I'm using openssl-0.9.7d-15 from SuSE Linux 9.1 (yes, this is pretty old).
[8 Jan 2007 20:50]
Wouter de Jong
Currently, I'm not able to try 5.0.xx BitKeeper versions at the moment, or are there snapshots available? Could you try 5.0.23 (or .27)? However, the reason I mentioned it is broken 'since' MySQL 5.0.23 is that when I replace a 5.0.23+ build with 5.0.22 or lower, it spontaneously works. So it really is something with MySQL. I've also tried this on both Linux and FreeBSD, with different openssl versions (all in the 0.9.7 series though). It really came after the changes for --ssl-verify-server-cert were implemented (which is in MySQL 5.0.23): Added the --ssl-verify-server-cert option to MySQL client programs. This option causes the server's Common Name value in its certificate to be verified against the hostname used when connecting to the server, and the connection is rejected if there is a mismatch. Added MYSQL_OPT_SSL_VERIFY_SERVER_CERT option for the mysql_options() C API function to enable this verification. This feature can be used to prevent man-in-the-middle attacks. Verification is disabled by default.
[17 Jan 2007 11:37]
Magnus Blåudd
MySQL is now using the yaSSL implementation of SSL as default, and that is why you see this change after 5.0.22.
[17 Jan 2007 12:05]
Wouter de Jong
All right. But why does it happen if I still link to OpenSSL? :) And should it not also work with yaSSL? :) I'll try 5.0.33 ASAP; however, after some more tests I think the main problem lies on FreeBSD and not on Linux (any longer).
[26 Jan 2007 9:00]
Magnus Blåudd
Yes, it might work in a build of MySQL that has been compiled and linked with the OpenSSL libraries.
[28 Mar 2007 10:24]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/23130

ChangeSet@1.2457, 2007-03-28 12:23:55+02:00, msvensson@pilot.blaudden +3 -0
Bug#25309 SSL connections without CA certificate broken since MySQL 5.0.23
- Turn off verification of peer if both ca_path and ca_file are null, i.e. from only passing --ssl-key=<client_key> and --ssl-cert=<client_cert> to the mysql utility programs. The server will authenticate the client according to GRANT tables but the client won't authenticate the server.
[6 Apr 2007 17:21]
Bugs System
Pushed into 5.0.40
[6 Apr 2007 17:24]
Bugs System
Pushed into 5.1.18-beta
[1 May 2007 14:14]
Paul DuBois
Noted in 5.0.40, 5.1.18 changelogs. If you use SSL for a client connection, you can tell the client not to authenticate the server certificate by specifying neither --ssl-ca nor --ssl-capath. The server still verifies the client according to any applicable requirements established via GRANT statements for the client, and it still uses any --ssl-ca/--ssl-capath values that were passed to the server at startup time.
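The behaviour the 5.0.40 fix leaves in place (the commit message and the changelog note above) is worth auditing for, since a client that passes only --ssl-key and --ssl-cert is authenticated by the server but never authenticates the server. The following is an added example, not code from the MySQL project or from anyone in this thread: it takes a my.cnf-style file or a mysql command line and reports, per section, whether the server will be authenticated, using the same rule as the patch (peer verification is off when neither ssl-ca nor ssl-capath is supplied). The option names are MySQL's real client option names; the sample my.cnf, the finding labels and the argv parser are constructed for this example. The "hostname check without CA" finding is an inference from the fix (the CN-to-hostname comparison of --ssl-verify-server-cert is not chain validation), not something the report states.

```python
"""Audit MySQL client SSL settings for the case this bug settles on:
client key/cert supplied, but no CA, so the client never authenticates
the server.

Added example; not code from the MySQL project or from this bug report.
Option names are the real MySQL client option names. The sample my.cnf,
the finding labels and the argv parser are constructed for illustration.
"""
import configparser
from typing import Dict, List, Optional

SERVER_AUTHENTICATED = "CA supplied: client authenticates the server"
CLIENT_CERT_ONLY = ("client cert/key but no CA: server authenticates the client, "
                    "client does NOT authenticate the server")
NO_SERVER_AUTH = "no CA supplied: server not authenticated"
HOSTNAME_CHECK_WITHOUT_CA = ("ssl-verify-server-cert set without a CA: CN/hostname "
                             "comparison runs against an unvalidated certificate "
                             "(inference from the fix, not stated in the report)")

# Constructed sample my.cnf with three client-side sections.
SAMPLE_MY_CNF = """\
[client]
ssl-cert = /etc/mysql/client-cert.pem
ssl-key  = /etc/mysql/client-key.pem

[mysqldump]
ssl-ca   = /etc/mysql/ca.pem
ssl-cert = /etc/mysql/client-cert.pem
ssl-key  = /etc/mysql/client-key.pem
ssl-verify-server-cert

[mysql]
ssl-verify-server-cert
ssl-cert = /etc/mysql/client-cert.pem
ssl-key  = /etc/mysql/client-key.pem
"""


def server_verified(ca_file: Optional[str], ca_path: Optional[str]) -> bool:
    """The rule from the 5.0.40 fix: peer verification is turned off when
    both the CA file and the CA directory are absent."""
    return not (ca_file is None and ca_path is None)


def classify(opts: Dict[str, Optional[str]]) -> List[str]:
    """Return findings for one set of client SSL options (keys are the
    option names without the leading dashes; bare flags map to None)."""
    findings = []
    verified = server_verified(opts.get("ssl-ca"), opts.get("ssl-capath"))
    if verified:
        findings.append(SERVER_AUTHENTICATED)
    elif "ssl-cert" in opts or "ssl-key" in opts:
        findings.append(CLIENT_CERT_ONLY)
    else:
        findings.append(NO_SERVER_AUTH)
    if "ssl-verify-server-cert" in opts and not verified:
        findings.append(HOSTNAME_CHECK_WITHOUT_CA)
    return findings


def parse_argv(argv: List[str]) -> Dict[str, Optional[str]]:
    """Collect --ssl-* options from a mysql command line. Handles the
    --opt=value and bare --opt forms only (an assumption of this example)."""
    opts: Dict[str, Optional[str]] = {}
    for arg in argv:
        if not arg.startswith("--ssl"):
            continue
        name, sep, value = arg[2:].partition("=")
        opts[name] = value if sep else None
    return opts


def audit_my_cnf(text: str) -> Dict[str, List[str]]:
    """Classify every section of a my.cnf-style file. Only sections that
    carry at least one ssl-* option are reported."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False)
    cp.read_string(text)
    report = {}
    for section in cp.sections():
        opts = {k: v for k, v in cp.items(section)}
        if any(k.startswith("ssl") for k in opts):
            report[section] = classify(opts)
    return report


if __name__ == "__main__":
    for section, findings in audit_my_cnf(SAMPLE_MY_CNF).items():
        print(f"[{section}]")
        for f in findings:
            print("  -", f)
    print("argv:", classify(parse_argv(
        ["mysql", "--ssl-cert=client-cert.pem", "--ssl-key=client-key.pem", "-h", "db"])))
```

Run it against a real my.cnf by passing the file contents to audit_my_cnf; any section reported as "client cert/key but no CA" is a connection that will silently accept whatever certificate the peer presents, exactly the case the commit message describes.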