Bug #31224 Support for SSL certificate revocation lists
Submitted: 27 Sep 2007 8:06 Modified: 27 Sep 2011 18:25
Reporter: Pauli Virtanen
Status: Closed
Category: MySQL Server: General Severity: S4 (Feature request)
Version: 5.0.38, possibly newer OS: Any
Assigned to: Geir Høydalsvik CPU Architecture: Any
Tags: Contribution, SSL
Triage: Needs Triage: D5 (Feature request)

[27 Sep 2007 8:06] Pauli Virtanen
Description:
As of 5.0.38 and 5.1, mysql offers some SSL support via the options

    ssl-ca, ssl-key, ssl-cert

However, no support for SSL certificate revocation lists is present. This makes the use of SSL certificates for authentication a bit less reliable, because certificates once granted cannot be revoked. (Working around this limitation is possible by issuing new certificates with a different subject, but this is not clean if the actual subject is still the same as the old one.) CRLs are what you get directly out of a CA without any extra work, so it would be sensible to support them.

How to repeat:
1. Create a CA for MySQL SSL authentication and configure MySQL to use it
2. Revoke a certificate from the CA
3. Notice that there is no place in my.cnf for the CRL, and CRLs are not mentioned in the documentation.

Suggested fix:
Add support and documentation for the use of X.509 certificate revocation lists to MySQL.
[25 Oct 2007 9:05] Tony Whyman
Seconded. This is an obvious omission in MySQL SSL support and needs fixing before this feature can be fully utilised.
[4 Dec 2007 10:31] Valeriy Kravchuk
Thank you for a reasonable feature request.
[4 Apr 2008 9:48] Jonathan Barber
Online Certificate Status Protocol (OCSP) support would also be nice to have.
[2 Nov 2009 20:46] Phillip Moore
I have a patch against 5.1.40 that adds support for the use of the CRL file. I've tested this manually, and it seems to work as expected, but I have not patched the mysql test suite at all (I can't get the unpatched test suite to work for me yet, against an unpatched 5.1.40). Doing that will require generating some additional SSL keys/certs/etc, and while that's straightforward, it still remains to be done.

The biggest problem with this patch is that the CRL is read and the data added to the SSL certificate stash at start-up time, which means that changes to the CRL file will not be automatic. IOW, you can't just publish a new CRL file to your MySQL servers and expect it to be re-read. You must restart your database servers as well.

I will attach the patch shortly, but please consider it experimental. I've done very little other than test the use of SSL authentication with and without the CRL file, to make sure it works as expected. I don't believe my patch affects anything other than the way SSL certificates are validated.

I'll attach the patch as a file....
[2 Nov 2009 20:46] Phillip Moore
OpenSSL CRL Support patch for 5.1.40

Attachment: mysql-5.1.40-ssl-crl-support-20091102.patch (application/octet-stream, text), 46.09 KiB.

[3 Nov 2009 19:32] Liz Drachnik
Request to Phillip Moore -

In order for us to continue the process of reviewing your contribution to MySQL, we need you to review and sign the Sun|MySQL contributor agreement (the "SCA").

The process is explained here:
http://forge.mysql.com/wiki/Sun_Contributor_Agreement

Getting a signed/approved SCA on file will help us facilitate your contribution -- this one, and others in the future.
[27 Oct 2010 6:47] Dmitriy Kulikov
I completely support the request of the author of this bug report. The function of revoking certificates is a very important and necessary tool for supporting the safety of MySQL. Without it, serious vulnerabilities in safety arise.
[27 Oct 2010 15:00] Phillip Moore
Due to the lack of interest shown in my previous patch, I stopped working on this particular issue. We are also in the process of dropping support for MySQL and migrating to PostgreSQL instead, for a long list of reasons, so we will not be completing this effort. The reasons are cultural and political, more than technical, and everyone reading this knows what I'm talking about.

The patch I provided works, but because of how MySQL interacts with SSL, the CRL is only read at startup time. Changes to the CRL are not seen by the mysql process unless restarted, and I consider that a serious shortcoming. It will require much more significant, but still relatively straightforward, changes to make recognition of changes in the CRL dynamic.

If someone else would like to continue this effort to improve how MySQL uses SSL, I am more than happy to discuss it, but I will not be putting any further effort into it myself, since it's no longer of strategic interest to us.
[14 Jun 2011 10:29] Georgi Kodinov
One workaround for this would be to put the CRL files (in a format recognized by OpenSSL) into the directory pointed out by the --ssl-capath parameter.
This would ensure that OpenSSL will read them into the SSL context just fine.
As the contributor points out, there's currently no way to refresh the CRLs (or any other SSL related material in a file) in a running server without re-creating the SSL context.
[27 Sep 2011 18:25] Paul Dubois
Noted in 5.6.3 changelog.

MySQL distributions compiled against OpenSSL (but not yaSSL) now support certificate revocation lists for SSL connections:

The MySQL server and MySQL client programs that support SSL recognize --ssl-crl and --ssl-crlpath options for specifying a revocation list file or directory containing such files.

The ssl_crl and ssl_crlpath system variables indicate the values of the --ssl-crl and --ssl-crlpath options with which the server was started.

The CHANGE MASTER TO statement has MASTER_SSL_CRL and MASTER_SSL_CRLPATH options for specifying revocation list information to use when the slave connects to the master. The mysql.slave_master_info file has two more rows to store the values of these options. The SHOW SLAVE STATUS statement has two more columns to display the values of these options.

The mysql_options() C API function has MYSQL_OPT_SSL_CRL and MYSQL_OPT_SSL_CRLPATH options for specifying revocation list information to use when the client connects to the master. In addition, mysql_options() now also supports MYSQL_OPT_SSL_CA, MYSQL_OPT_SSL_CAPATH, MYSQL_OPT_SSL_CERT, MYSQL_OPT_SSL_CIPHER, and MYSQL_OPT_SSL_KEY options for specifying other SSL parameters.
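The hashed --ssl-capath workaround from Georgi Kodinov's comment and the file/directory forms that --ssl-crl and --ssl-crlpath later added, exercised with OpenSSL's own verifier (the library a MySQL build compiled against OpenSSL hands certificate validation to). This is an added demonstration, not code from the bug report or from MySQL: it builds a throwaway CA and client certificate, revokes it, and shows that the revoked certificate is still accepted until CRL checking is actually enabled. All file names, subjects and the config section names are constructed for the demo.

```shell
# Constructed demo (not from the bug report): a throwaway CA, a client cert,
# its revocation, and how OpenSSL's own verifier sees the CRL (a) through a
# hashed directory like the one --ssl-capath points at, (b) through a single
# CRL file as --ssl-crl does. Every file name here is made up for the demo.
set -e
WORK=$(mktemp -d); cd "$WORK"

# Minimal 'openssl ca' config so that we can revoke a cert and emit a CRL.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = index.txt
new_certs_dir    = .
serial           = serial
crlnumber        = crlnumber
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_crl_days = 1
policy           = demo_policy
[ demo_policy ]
commonName = supplied
EOF
touch index.txt; echo 01 > serial; echo 01 > crlnumber

# Self-signed CA, then a client cert issued by it, then revoke it.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo-ca \
  -keyout ca.key -out ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj /CN=demo-client \
  -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -days 1 -in client.csr -CA ca.pem -CAkey ca.key \
  -CAserial serial -out client.pem 2>/dev/null
openssl ca -config ca.cnf -revoke client.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null

# (a) The workaround from the thread: OpenSSL finds CA certs in a hashed
# directory as <hash>.0 and CRLs as <hash>.r0 (the layout c_rehash produces).
mkdir capath
cp ca.pem  "capath/$(openssl x509 -hash -noout -in ca.pem).0"
cp crl.pem "capath/$(openssl crl  -hash -noout -in crl.pem).r0"

# Each helper prints "valid" or "revoked"; success is the trailing ": OK" line.
verdict() { if openssl verify "$@" 2>&1 | grep -q ': OK$'; then echo valid; else echo revoked; fi; }
check_via_capath()  { verdict -CApath capath -crl_check "$1"; }
check_via_crlfile() { verdict -CAfile ca.pem -CRLfile crl.pem -crl_check "$1"; }
check_without_crl() { verdict -CAfile ca.pem "$1"; }   # the situation this bug describes
```

The capath directory produced here uses the same hashed layout that OpenSSL expects for a CA or CRL directory, so running the checks against your real CA and CRL files before pointing a server at them is a cheap way to confirm the revocation material is actually being read.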
[13 Dec 2018 12:52] Shane Bester
.oO Options that aren't dynamically settable....

Here's the FR for that:

https://bugs.mysql.com/bug.php?id=75404
(Reload certificate and crl without restart)