Bug #273 The x509 cert issuer seems not to be checked against the CA
Submitted: 11 Apr 2003 9:39 Modified: 16 Apr 2003 5:24
Reporter: Lenz Grimmer Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server Severity:S3 (Non-critical)
Version:4.0 OS:Linux (Linux)
Assigned to: Sergei Glukhov CPU Architecture:Any

[11 Apr 2003 9:39] Lenz Grimmer
Description:
I configured mysql to check for the subject and issuer of a clients 
cert. It seems that mysql can check the issuer of a cert but does not 
verify if the cert was really signed by a CA that is known to the 
server. I could generate a second client cert from the same key but 
another totally faked CA (but with the same strings) and it was 
accepted, too. 
"openssl verify" does discover such attacks! 
 

How to repeat:
Configure and test SSL. Now generate a second CA. Then sign one of 
the clients keys with the second CA which happens to have the same 
strings (i.e. O=,CN=,OU=) but of course has another secret key. 
 
Try the old and new client key, they work both! 
$ mysql -umy --ssl-key=my-key.pem  --ssl-cert=fakemy-cert.pem 
$ mysql -umy --ssl-key=my-key.pem  --ssl-cert=my-cert.pem 
 
My mysqld setup: 
[mysqld] 
ssl-ca=/etc/mysql/cacert.pem 
ssl-cert=/etc/mysql/server-cert.pem 
ssl-key=/etc/mysql/server-key.pem 
 
MySQL should behave like openssl: 
$ openssl verify -CAfile /etc/mysql/cacert.pem my-cert.pem 
my-cert.pem: OK 
$ openssl verify -CAfile /etc/mysql/cacert.pem fakemy-cert.pem 
fakemy-cert.pem: /C=DE/ST=NRW/L=Aachen/....=ch@debian.org 
error 7 at 0 depth lookup:certificate signature failure
[16 Apr 2003 5:24] Sergei Glukhov
Thank you for your bug report. This issue has been fixed in the latest
development tree for that product. You can find more information about
accessing our development trees at 
    http://www.mysql.com/doc/en/Installing_source_tree.html

This is the fix:

===== vio/viossl.c 1.17 vs edited =====
*** /tmp/viossl.c-1.17-4415	Tue Nov  5 12:05:55 2002
--- edited/vio/viossl.c	Wed Apr 16 16:54:04 2003
***************
*** 281,287 ****
    SSL_SESSION_set_timeout(SSL_get_session(vio->ssl_), timeout);
    SSL_set_fd(vio->ssl_,vio->sd);
    SSL_set_accept_state(vio->ssl_);
!   if (SSL_do_handshake(vio->ssl_) < 1)
    {
      DBUG_PRINT("error", ("SSL_do_handshake failure"));
      report_errors();
--- 281,288 ----
    SSL_SESSION_set_timeout(SSL_get_session(vio->ssl_), timeout);
    SSL_set_fd(vio->ssl_,vio->sd);
    SSL_set_accept_state(vio->ssl_);
!   if (SSL_do_handshake(vio->ssl_) < 1 ||
!       SSL_get_verify_result(vio->ssl_) != X509_V_OK)
    {
      DBUG_PRINT("error", ("SSL_do_handshake failure"));
      report_errors();
***************
*** 354,360 ****
    SSL_SESSION_set_timeout(SSL_get_session(vio->ssl_), timeout);
    SSL_set_fd (vio->ssl_, vio->sd);
    SSL_set_connect_state(vio->ssl_);
!   if (SSL_do_handshake(vio->ssl_) < 1)
    {
      DBUG_PRINT("error", ("SSL_do_handshake failure"));
      report_errors();
--- 355,362 ----
    SSL_SESSION_set_timeout(SSL_get_session(vio->ssl_), timeout);
    SSL_set_fd (vio->ssl_, vio->sd);
    SSL_set_connect_state(vio->ssl_);
!   if (SSL_do_handshake(vio->ssl_) < 1 ||
!       SSL_get_verify_result(vio->ssl_) != X509_V_OK)
    {
      DBUG_PRINT("error", ("SSL_do_handshake failure"));
      report_errors();