--ssl option should enforce SSL

Bug #1447527 reported by David Busby on 2015-04-23
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
MySQL Server
Unknown
Unknown
Percona Server
Status tracked in 5.7
5.5
High
Unassigned
5.6
High
Unassigned
5.7
High
Unassigned

Bug Description

This morning we received a report from oCERT which is being treated as a public security issue in the MySQL client.

In short it is possible for the MySQL client to silently fall back on a non SSL connection instead of aborting the connection, and as such communication will not be encrypted "in flight", this is known documented behaviour,

This is now being assigned a CVE and an advisory is set for release April 29th, the body of the original notification follows.

---

This issue affects MariaDB, and very likely Percona. as well and is related
to https://mariadb.atlassian.net/browse/MDEV-7937

The issue concerns the impossibility for MySQL/MariaDB users (with any major
stable version) to enforce an SSL connection without possibility for a MITM
attach to perform a malicious downgrade.

The issue affects MySQL versions before 5.7.3. However, these fixes have not
been back-ported to previous major versions (5.5, 5.6, etc.), and MySQL 5.7
is not yet considered a stable release. Situation should be similar with
MariaDB.

Therefore the vast majority of MySQL/MariaDB users:

a) have no ability to enforce SSL use, except by patching code or
performing a major-version upgrade to a development release, and

b) are probably not aware of this limitation

The following links clearly illustrate the issue:

https://github.com/mysql/mysql-server/commit/3bd5589e1a5a93f9c224badf983cd65c45215390
http://mysqlblog.fivefarmers.com/2014/04/02/redefining-ssl-option/
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-3.html

While technically this is documented behaviour, it represents a pretty bad
one and the feeling is that most users actually have no awareness of this.
---

CVE References

David Busby (d-busby) on 2015-04-23
description: updated
information type: Public Security → Private Security
David Busby (d-busby) wrote :

This issue can be set to public security post notification from oCERT on April 29th 15:00 CET

tags: added: upstream
David Busby (d-busby) wrote :

oCert advisory has been released http://www.ocert.org/advisories/ocert-2015-003.html changed this issue to public security

information type: Private Security → Public Security
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Related blueprints

Remote bug watches

Bug watches keep track of this bug in other bug trackers.