Bug #75652 feature: SSL mandatory flag
Submitted: 27 Jan 2015 12:56 Modified: 27 Jan 2015 15:27
Reporter: Bjoern Boschman (OCA)
Status: Not a Bug
Category:MySQL Server: Command-line Clients Severity:S3 (Non-critical)
Version: OS:Any
Assigned to: CPU Architecture:Any
Tags: force, mandatory, SSL

[27 Jan 2015 12:56] Bjoern Boschman
Description:
The mysql client, and I guess programs linked against its libs, currently do not have any option to require a secure connection.

afaik the only way is to connect and run `SHOW STATUS LIKE 'Ssl_cipher';`
at that phase the plaintext authentication has already taken place (when SSL could not be established).

How to repeat:
mysql --ssl-ca /some/ca.pem -h localhost
in case of an unsuccessful SSL connection, the connection is made via plaintext

Suggested fix:
it would be good to have a cmdline switch (e.g. --ssl-force, --ssl-mandatory or --ssl-required) that will fail as long as there is no successful SSL handshake
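An added example, not part of the report or of MySQL itself: a POSIX sh wrapper that implements the Ssl_cipher check described above for pre-5.7 clients, where --ssl only offers TLS rather than requiring it. The mysql arguments forwarded via "$@" are assumptions; the status-row parser is kept separate so it can be exercised without a server.

```shell
#!/bin/sh
# Wrapper for pre-5.7 mysql clients: connect, then ask the server which TLS
# cipher is in use and refuse to go on if none is reported.
# Caveat from the report: by the time this runs, authentication has already
# happened, so this detects a plaintext session; it does not prevent one.

# Ask the server for the negotiated cipher. With -e the output is one
# tab-separated row, e.g. "Ssl_cipher<TAB>DHE-RSA-AES256-SHA", or
# "Ssl_cipher<TAB>" when TLS is not in use. -s -N suppresses the header
# and the table borders. Extra arguments (host, user, CA path) come from "$@".
query_ssl_cipher() {
    mysql --ssl "$@" -s -N -e "SHOW STATUS LIKE 'Ssl_cipher'"
}

# Parse that status row. Prints the cipher and returns 0 when one is set;
# returns 1 (plaintext session) when the value is empty or the row is missing.
cipher_from_status() {
    # $1: raw output of query_ssl_cipher
    cipher=$(printf '%s\n' "$1" | awk -F '\t' '$1 == "Ssl_cipher" { print $2 }')
    [ -n "$cipher" ] || return 1
    printf '%s\n' "$cipher"
}

# Only continue (exit 0) if the session is encrypted.
require_ssl_session() {
    out=$(query_ssl_cipher "$@") || { echo "connection failed" >&2; return 2; }
    if cipher=$(cipher_from_status "$out"); then
        echo "TLS in use: $cipher" >&2
    else
        echo "TLS NOT in use: refusing to continue" >&2
        return 1
    fi
}
```

Usage: `require_ssl_session --ssl-ca /some/ca.pem -h dbhost -u app && run_the_real_job`; clients from 5.7.11 onward express the same requirement directly with --ssl-mode=REQUIRED.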
[27 Jan 2015 15:08] Todd Farmer
Hi Bjoern,

Good news!  This is already implemented in 5.7:

D:\mysql-5.6.24-win32>bin\mysql -uroot -P3310 --ssl
Welcome to the MySQL monitor.  Commands end with ; or \g.
...
mysql> \s
--------------
bin\mysql  Ver 14.14 Distrib 5.6.24, for Win32 (AMD64)

Connection id:          1
Current database:
Current user:           root@localhost
SSL:                    Not in use

mysql> exit
Bye

D:\mysql-5.6.24-win32>cd \mysql-5.7.5-m15-winx64

D:\mysql-5.7.5-m15-winx64>bin\mysql -uroot -P3310 --ssl
ERROR 2026 (HY000): SSL connection error: SSL is required but the server doesn't support it

The --ssl client option has been redefined to mean SSL/TLS is required.  Because this changes the definitions of existing options, backporting to GA versions isn't practical.

http://dev.mysql.com/doc/refman/5.7/en/ssl-options.html#option_general_ssl
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-3.html
[27 Jan 2015 15:27] Bjoern Boschman
thank you very much!!