--ssl option should enforce SSL
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| MySQL Server | Unknown | Unknown | | |
| Percona Server (moved to https://jira.percona.com/projects/PS) | Status tracked in 5.7 | | | |
| 5.5 | Triaged | High | Unassigned | |
| 5.6 | Triaged | High | Unassigned | |
| 5.7 | Fix Released | High | Unassigned | |
Bug Description
This morning we received a report from oCERT which is being treated as a public security issue in the MySQL client.
In short, it is possible for the MySQL client to silently fall back to a non-SSL connection instead of aborting the connection, and as such communication will not be encrypted "in flight". This is known, documented behaviour.
This is now being assigned a CVE and an advisory is set for release April 29th; the body of the original notification follows.
---
This issue affects MariaDB, and very likely Percona as well, and is related
to https:/
The issue concerns the impossibility for MySQL/MariaDB users (with any major
stable version) to enforce an SSL connection without possibility for a MITM
attack to perform a malicious downgrade.
The issue affects MySQL versions before 5.7.3. However, these fixes have not
been back-ported to previous major versions (5.5, 5.6, etc.), and MySQL 5.7
is not yet considered a stable release. The situation should be similar with
MariaDB.
Therefore the vast majority of MySQL/MariaDB users:
a) have no ability to enforce SSL use, except by patching code or
performing a major-version upgrade to a development release, and
b) are probably not aware of this limitation.
The following links clearly illustrate the issue:
https:/
http://
http://
While technically this is documented behaviour, it represents a pretty bad
one, and the feeling is that most users actually have no awareness of this.
---
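The downgrade the report describes happens at the very first step of the MySQL client/server protocol: the server's initial greeting (Protocol::HandshakeV10) carries a capability bitmask, and a client only starts TLS if the CLIENT_SSL bit (0x0800) is present in it. An active attacker in the path simply forwards the greeting with that bit cleared, and a client that treats `--ssl` as a preference rather than a requirement then continues in plaintext. The following Python is an added example written for this page (it is not MySQL, Percona or oCERT code) that builds a constructed greeting, strips the flag the way a MITM would, and contrasts the silent fallback with a client that refuses the connection, which is what the report says the 5.7.3 fix provides. The server version string, connection id and scramble bytes are made up for the example; the packet layout and flag values are those of the real protocol.

```python
import struct

# Capability flag bits from the MySQL client/server protocol.
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000


def build_handshake_v10(capabilities, server_version=b"5.6.24-log", connection_id=7):
    """Build a Protocol::HandshakeV10 greeting with a 4-byte packet header.

    This is a constructed sample for the example, not a captured packet.
    """
    scramble = bytes(range(1, 21))                     # 20 deterministic scramble bytes
    body = b"\x0a"                                     # protocol version 10
    body += server_version + b"\x00"                   # NUL-terminated server version
    body += struct.pack("<I", connection_id)           # connection id
    body += scramble[:8] + b"\x00"                     # auth-plugin-data-part-1, filler
    body += struct.pack("<H", capabilities & 0xFFFF)   # capability flags (lower 16 bits)
    body += b"\x21"                                    # character set
    body += struct.pack("<H", 0x0002)                  # status flags (SERVER_STATUS_AUTOCOMMIT)
    body += struct.pack("<H", capabilities >> 16)      # capability flags (upper 16 bits)
    body += bytes([21 if capabilities & CLIENT_PLUGIN_AUTH else 0])  # auth plugin data length
    body += b"\x00" * 10                               # reserved
    body += scramble[8:] + b"\x00"                     # auth-plugin-data-part-2 (13 bytes)
    if capabilities & CLIENT_PLUGIN_AUTH:
        body += b"mysql_native_password\x00"
    header = struct.pack("<I", len(body))[:3] + b"\x00"  # 3-byte length, sequence id 0
    return header + body


def parse_handshake_v10(packet):
    """Extract the greeting fields that matter for the SSL decision."""
    length = int.from_bytes(packet[:3], "little")
    body = packet[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if body[0] != 10:
        raise ValueError("unsupported protocol version %d" % body[0])
    end = body.index(b"\x00", 1)                       # end of server version string
    server_version = body[1:end].decode("ascii", "replace")
    pos = end + 1
    connection_id = struct.unpack_from("<I", body, pos)[0]
    pos += 4 + 8 + 1                                   # connection id, scramble part 1, filler
    cap_low = struct.unpack_from("<H", body, pos)[0]
    pos += 2 + 1 + 2                                   # lower caps, charset, status flags
    cap_high = struct.unpack_from("<H", body, pos)[0]
    return {
        "sequence_id": packet[3],
        "server_version": server_version,
        "connection_id": connection_id,
        "capabilities": (cap_high << 16) | cap_low,
    }


def strip_ssl_capability(packet):
    """What an active MITM does: relay the real greeting with CLIENT_SSL cleared."""
    end = packet.index(b"\x00", 5)                     # packet[4] is the version byte
    off = end + 1 + 4 + 8 + 1                          # offset of the lower capability flags
    low = struct.unpack_from("<H", packet, off)[0] & ~CLIENT_SSL & 0xFFFF
    return packet[:off] + struct.pack("<H", low) + packet[off + 2:]


def negotiate(packet, ssl_requested, enforce):
    """Decide what the client does after reading the greeting.

    enforce=False models the pre-5.7.3 client in the report: if the peer does
    not advertise CLIENT_SSL, --ssl is silently ignored and the session
    continues in plaintext. enforce=True refuses the downgrade instead.
    """
    caps = parse_handshake_v10(packet)["capabilities"]
    if not ssl_requested:
        return "plaintext"
    if caps & CLIENT_SSL:
        return "tls"
    if enforce:
        raise ConnectionError("peer does not advertise SSL; refusing plaintext fallback")
    return "plaintext"                                 # the silent downgrade


if __name__ == "__main__":
    genuine = build_handshake_v10(CLIENT_PROTOCOL_41 | CLIENT_SSL
                                  | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH)
    downgraded = strip_ssl_capability(genuine)
    print("genuine greeting, --ssl:   ", negotiate(genuine, True, False))
    print("MITM-stripped, old client: ", negotiate(downgraded, True, False))
    try:
        negotiate(downgraded, True, True)
    except ConnectionError as e:
        print("MITM-stripped, enforcing:  ", e)
```

On a live server the after-the-fact equivalent of this check is `SHOW STATUS LIKE 'Ssl_cipher'` on the freshly opened connection: an empty value means the session is plaintext regardless of what `--ssl` was passed, and a deployment that depends on encryption in flight should treat that as a fatal error rather than a warning.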
CVE References
| Field | Change |
|---|---|
| description | updated |
| information type | Public Security → Private Security |
| tags | added: upstream |
This issue can be set to public security post notification from oCERT on April 29th 15:00 CET