Bug #38700 SSL Certificate Validation is Missing, Causing Security Vulnerability
Submitted: 10 Aug 2008 17:00 Modified: 17 Jun 2009 9:31
Reporter: Wes Henderson
Status: Closed
Category: Connector / NET Severity: S2 (Serious)
Version: 5.x.x OS: Any
Assigned to: Vladislav Vaintroub
Tags: encryption, Security, SSL
Triage: D2 (Serious)

[10 Aug 2008 17:00] Wes Henderson
Description:
MySQL Connector/Net is missing the capability to validate the server's certificate when using encryption.  This makes it possible to conduct a man-in-the-middle attack against the connection, which defeats the security provided by SSL.

How to repeat:
Install untrusted certificates on the MySQL server.  They work just as well as trusted ones.

The issue is also easily seen in the source code.  In NativeDriver.cs, the StartSSL function relies on a validation function called "NoServerCheckValidation" which does what its name implies: no validation of any kind.  There is another function called "ServerCheckValidation" but it is commented out.

Suggested fix:
Connector/ODBC has the validation capability and it is possible to configure it with options such as sslverify and sslcapath.  Providing similar options in Connector/Net would be a good solution.
[11 Aug 2008 19:35] Tonci Grgin
Hi Wes and thanks for your report. I am aware of this problem but let me see if I can dig out more info.
[13 Aug 2008 11:27] Tonci Grgin
Wes, I must admit this is not my strong point, will consult others too. In the meantime I'll speculate. Each client has to have a certificate stored locally. The problem is how to notify .NET of its existence. AFAIK, .NET Framework, and at some level all of this functionality, relies on the X509Certificate2 class from the System.Security.X509Certificates2 namespace and you can retrieve certificates from the file system directly. To create an X509Certificate2 instance from a file, simply pass the file name to the constructor:

X509Certificate2 cert1 = new X509Certificate2("my_file_with_cert");

As far as change-logs go, SSL in c/NET is supported as of version 5.0.3 (12-31-2006). Further research shows that 5.0, 5.1 and 5.2 branches have the "encrypt" ("useSSL") connect string option enabled. However it is not available for mono (?) and compact framework projects for now:
NativeDriver.cs, ln: 245 +
#if !CF
if (connectionString.UseSSL && (serverCaps & ClientFlags.SSL) != 0)

You can check for an SSL enabled MySQL server with:

mysql> SHOW VARIABLES LIKE 'have_ssl';

If you see 'YES' there, then SSL is ready to go. If you see 'DISABLED', then SSL is still available but has not been configured with the appropriate certificate and key settings. Please see:

http://dev.mysql.com/doc/refman/5.0/en/secure-using-ssl.html
http://dev.mysql.com/doc/refman/5.0/en/ssl-options.html

Also, this is a useful reference: http://downloads.mysql.com/docs/connector-net-en.a4.pdf.

Also, add the certificate to the "Trusted Root Certification Authorities" management console and try again.

Making any sense?
[13 Aug 2008 16:53] Wes Henderson
Let me be more clear.  I have no problem creating an SSL connection.  It works fine for me.  However, I have discovered a technical error with how the connection gets created.  This problem creates a security risk.

An important feature of SSL is to have the client approve the server's certificate.  For example, if the server's certificate is bad (expired, fake, etc.) we do not want to approve the certificate.  However, in Connector/Net, the client will approve any certificate, including bad certificates.  There is no validation happening.

Do you understand my concern?
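The distinction Wes draws, as an added example that is not Connector/Net's code and not part of this thread: the accept-everything callback next to a validating one for System.Net.Security.SslStream. The ServerCheckValidation name is reused from the report; OpenValidatedStream and the CA file parameter (the analogue of the sslcapath option mentioned in the suggested fix) are assumptions.

```csharp
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;

static class ServerCertValidation
{
    // The pattern the report describes: every certificate is accepted, so anyone placed
    // between client and server can present any certificate. Kept only for contrast.
    public static bool NoServerCheckValidation(object sender, X509Certificate cert,
                                               X509Chain chain, SslPolicyErrors errors)
    {
        return true;
    }
    // Validating replacement. With trustedCa == null the OS trust store decides (the
    // certificate must chain to an installed root and carry the host name). With a CA
    // supplied (the analogue of Connector/ODBC's sslcapath) a chain ending in exactly
    // that CA is also accepted; any other policy error is a hard failure.
    public static RemoteCertificateValidationCallback ServerCheckValidation(X509Certificate2 trustedCa)
    {
        return (sender, cert, chain, errors) =>
        {
            if (cert == null) return false;
            if (errors == SslPolicyErrors.None) return true;
            if (trustedCa == null || errors != SslPolicyErrors.RemoteCertificateChainErrors)
                return false;                       // name mismatch or no private CA to fall back to
            using (var custom = new X509Chain())
            {
                custom.ChainPolicy.ExtraStore.Add(trustedCa);
                custom.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
                custom.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
                if (!custom.Build(new X509Certificate2(cert))) return false;
                // AllowUnknownCertificateAuthority also lets a self-signed certificate build,
                // so the chain must terminate in the CA we were actually given.
                var root = custom.ChainElements[custom.ChainElements.Count - 1].Certificate;
                return root.Thumbprint == trustedCa.Thumbprint;
            }
        };
    }
    // Assumed helper showing how the callback is wired into SslStream. A MySQL client first
    // exchanges the handshake and SSL request packet on the raw socket; that step is omitted.
    public static SslStream OpenValidatedStream(string host, int port, string caFile)
    {
        var ca = caFile == null ? null : new X509Certificate2(caFile);
        var ssl = new SslStream(new TcpClient(host, port).GetStream(), false, ServerCheckValidation(ca));
        ssl.AuthenticateAsClient(host);   // throws AuthenticationException when the callback rejects
        return ssl;
    }
}
```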
[13 Aug 2008 17:04] Tonci Grgin
Wes, yes I do... Additional text is for sake of completeness.

I have already discussed this problem with devs but I fear there will be none around in the next few days to check more thoroughly on this. Please be patient and, as I said, we met this problem before.
[1 Sep 2008 16:31] Tonci Grgin
Hi Wes and sorry for the delay. Verified as described by looking into latest sources, ServerCheckValidation never occurs.
[1 Oct 2008 22:24] Wes Henderson
It has been 30 days since the last comment.  What is the schedule to fix this?
[2 Oct 2008 4:39] Tonci Grgin
Wes, there are no mid-term plans to fix this but I'll ping c/NET team again.
[12 Jun 2009 18:23] Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

  http://lists.mysql.com/commits/76218
[17 Jun 2009 9:31] Tony Bedford
An entry was added to the 6.0.4 changelog:

MySQL Connector/Net was missing the capability to validate the server's certificate when using encryption. This made it possible to conduct a man-in-the-middle attack against the connection, which defeated the security provided by SSL.