Bug #79862 Provide mechanism for client to enforce TLS in pre-5.7 versions
Submitted: 6 Jan 2016 18:20
Reporter: Todd Farmer (OCA) Email Updates:
Status: Verified Impact on me:
None 
Category:MySQL Server: Command-line Clients Severity:S4 (Feature request)
Version:5.5.1 OS:Any
Assigned to: CPU Architecture:Any

[6 Jan 2016 18:20] Todd Farmer
Description:
Before MySQL Server 5.7, the --ssl option enabled - rather than *required* - TLS connections.  As a result, unecrypted transport could result even when users specify --ssl, if the responding service indicates it does not support TLS.  This is changed in 5.7 so that --ssl requires TLS and connections fail rather than silently allow TLS to be negotiated away.

Users of 5.5 and 5.6 who require secure transport can configure accounts to do so using several options;

1.  Use REQUIRE X509 for specified accounts.
2.  Use sha256_password authentication plugin, without Server RSA public/private key configured.

Certain client configuration options, however, may also signal an intent to require TLS, and we should consider requiring TLS when any of the following configuration options are supplied:

--ssl-ca
--ssl-ca-path
--ssl-verify-server-cert

As these options exist to validate identity of the server to which a connection is being made, it is reasonable to assume that TLS is expected/required when explicit options are provided.

The most likely negative user impact will be users who have a client options file which contains --ssl* options used for some connections, but are currently silently ignored when connecting to other servers which are not configured for TLS support.  This change will cause connections to the servers not configured for TLS support to fail.

How to repeat:
Use --ssl-ca configuration to connect a 5.5 or 5.6 client to a MySQL Server which is not configured to support TLS.  Note that the connection succeeds.

Suggested fix:
See above.

An alternative may be to warn users of mysql client that TLS connections were not established, despite --ssl option being specified.
[6 Jan 2016 20:54] Honza Horak
From my PoV, the variant with requiring TLS when any of the configuration options above are supplied, seems like a good thing to do.
[13 Jan 2016 18:38] Todd Farmer
Rather than overload existing options with implicit new meaning, I think it would be better to implement a new option which allows users to explicitly require TLS.  We cannot solve the problem of users who expect --ssl to require TLS by overloading other options, but we can solve the problem where an user needs the ability to enforce TLS from the client side.
[21 Jul 2016 14:54] Ed Morley
The OP doesn't explicitly state this - but if I'm reading this issue correctly, it means that for mysql clients <5.7 what should be secure connections can be MITMed, TLS silently negotiated away and credentials leaked, with absolutely no way to prevent that in the client even when knowing about this issue, right? (if just using username/password rather than client key/cert)

If so, that seems pretty bad :-(
[14 Nov 2016 22:42] James Day
Ed,

This bug report was created as a venue for feedback to Todd's blog post at http://mysqlblog.fivefarmers.com/2015/04/29/ssltls-in-5-6-and-5-5-ocert-advisory/ .

MySQL hasn't just sent plain text MySQL passwords over the wire when logging in. Instead a challenge/response approach has been used. Todd wrote a good summary of the history of this at http://mysqlblog.fivefarmers.com/2015/08/31/protecting-mysql-passwords-with-sha256_passwor... and recommended setting accounts to use the sha_256 password option that was introduced in 5.6 in February 2013.

Definitely don't use the mysql_old_passwords option that supports password handling of the type that was used before 4.1 was introduced in October 2004. While that uses a challenge/response approach it's not a very good one and in 5.7 we stopped compiling in support for it. That's part of our work to force the use of the more secure settings that we want people to use, but gradually so people have time to adapt their customs and systems, which can take significant work to update.

From 5.5.49 (2016-04-11) and 5.6.30 (3016-04-11) the 5.5 and 5.6 clients have a new option --ssl-mode and if --ssl-mode=REQUIRED is used the client requires SSL or will refuse to connect. Release notes for those are at:

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-48.html
https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-30.html

The 5.7 clients also work with older versions of the server.

In 5.7.8 an option to require clients to us a secure transport method was introduced, as described at http://mysqlblog.fivefarmers.com/2016/01/14/restricting-connections-to-secure-transport/ . With --require_secure_transport set the server will refuse to accept connections unless they are using sockets, shared memory or SSL/TLS. That's on top of the ability to require individual accounts to use only TLS.

You may also find http://mysqlblog.fivefarmers.com/2016/02/26/sys-schema-simplified-access-to-ssltls-details... and http://mysqlblog.fivefarmers.com/2015/08/05/identifying-which-connections-are-secure/ of interest.