-
Notifications
You must be signed in to change notification settings - Fork 1.6k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
MDEV-31855 validate ssl certificates using client password
if the client enabled --ssl-verify-server-cert, then the server certificate is verified as follows: * if --ssl-ca or --ssl-capath were specified, the cert must have a proper signature by the specified CA (or CA in the path) and the cert's hostname must match the server's hostname. If the cert isn't signed or a hostname is wrong - the connection is aborted. * if MARIADB_OPT_TLS_PEER_FP was used and the fingerprint matches, the connection is allowed, if it doesn't match - aborted. * If the connection uses unix socket or named pipes - it's allowed. (consistent with server's --require-secure-transport behavior) otherwise the cert is still in doubt, we don't know if we can trust it or there's an active MitM in progress. * If the user has provided no password or the server requested an authentication plugin that sends the password in cleartext - the connection is aborted. * Perform the authentication. If the server accepts the password, it'll send SHA2(scramble || password hash || cert fingerprint) with the OK packet. * Verify the SHA2 digest, if it matches - the connection is allowed, otherwise it's aborted.
- Loading branch information
Showing
13 changed files
with
196 additions
and
18 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Submodule libmariadb
updated
from 75ab6f to fcef41
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
--- main/ssl_autoverify.reject | ||
+++ main/ssl_autoverify.result | ||
@@ -18,9 +18,9 @@ | ||
yes | ||
# mysql -uroot --ssl-verify-server-cert -e "select test.have_ssl()" | ||
ERROR 2026 (HY000): TLS/SSL error: Failed to verify the server certificate | ||
-# mysql --protocol socket -uroot --ssl-verify-server-cert -e "select test.have_ssl()" | ||
+# mysql --protocol pipe -uroot --ssl-verify-server-cert -e "select test.have_ssl()" | ||
test.have_ssl() | ||
-yes | ||
+no | ||
# mysql -unative -pfoo --ssl-verify-server-cert -e "select test.have_ssl()" | ||
test.have_ssl() | ||
yes |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
--loose-enable-named-pipe |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
install soname 'auth_ed25519'; | ||
install plugin three_attempts soname 'dialog_examples'; | ||
create user native@'%' identified via mysql_native_password using password('foo'); | ||
create user ed@'%' identified via ed25519 using password('bar'); | ||
create user nohash@'%' identified via three_attempts using 'onetwothree'; | ||
create user multi@'%' identified via mysql_native_password using password('pw1') | ||
or ed25519 using password('pw2'); | ||
grant all privileges on test.* to native@'%'; | ||
grant all privileges on test.* to ed@'%'; | ||
grant all privileges on test.* to nohash@'%'; | ||
grant all privileges on test.* to multi@'%'; | ||
create function have_ssl() returns char(3) | ||
return (select if(variable_value > '','yes','no') as 'have_ssl' | ||
from information_schema.session_status | ||
where variable_name='ssl_cipher'); | ||
# mysql -uroot --disable-ssl-verify-server-cert -e "select test.have_ssl()" | ||
test.have_ssl() | ||
yes | ||
# mysql -uroot --ssl-verify-server-cert -e "select test.have_ssl()" | ||
ERROR 2026 (HY000): TLS/SSL error: Failed to verify the server certificate | ||
# mysql --protocol socket -uroot --ssl-verify-server-cert -e "select test.have_ssl()" | ||
test.have_ssl() | ||
yes | ||
# mysql -unative -pfoo --ssl-verify-server-cert -e "select test.have_ssl()" | ||
test.have_ssl() | ||
yes | ||
# mysql -ued -pbar --ssl-verify-server-cert -e "select test.have_ssl()" | ||
test.have_ssl() | ||
yes | ||
# mysql -unohash -ponetwothree --disable-ssl-verify-server-cert -e "select test.have_ssl()" | ||
test.have_ssl() | ||
yes | ||
# mysql -unohash -ponetwothree --ssl-verify-server-cert -e "select test.have_ssl()" | ||
ERROR 2026 (HY000): TLS/SSL error: Failed to verify the server certificate | ||
# mysql -umulti -ppw1 --ssl-verify-server-cert -e "select test.have_ssl()" | ||
test.have_ssl() | ||
yes | ||
# mysql -umulti -ppw2 --ssl-verify-server-cert -e "select test.have_ssl()" | ||
test.have_ssl() | ||
yes | ||
drop function have_ssl; | ||
drop user native@'%'; | ||
drop user ed@'%'; | ||
drop user nohash@'%'; | ||
drop user multi@'%'; | ||
uninstall plugin ed25519; | ||
uninstall plugin three_attempts; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,84 @@ | ||
source include/platform.inc; | ||
source include/not_embedded.inc; | ||
if (!$AUTH_ED25519_SO) { | ||
skip No auth_ed25519 plugin; | ||
} | ||
if (!$DIALOG_EXAMPLES_SO) { | ||
skip No dialog_examples plugin; | ||
} | ||
|
||
install soname 'auth_ed25519'; | ||
install plugin three_attempts soname 'dialog_examples'; | ||
|
||
create user native@'%' identified via mysql_native_password using password('foo'); | ||
create user ed@'%' identified via ed25519 using password('bar'); | ||
create user nohash@'%' identified via three_attempts using 'onetwothree'; | ||
create user multi@'%' identified via mysql_native_password using password('pw1') | ||
or ed25519 using password('pw2'); | ||
grant all privileges on test.* to native@'%'; | ||
grant all privileges on test.* to ed@'%'; | ||
grant all privileges on test.* to nohash@'%'; | ||
grant all privileges on test.* to multi@'%'; | ||
|
||
create function have_ssl() returns char(3) | ||
return (select if(variable_value > '','yes','no') as 'have_ssl' | ||
from information_schema.session_status | ||
where variable_name='ssl_cipher'); | ||
|
||
# | ||
# root user, no password, so cannot validate cert. | ||
# | ||
--echo # mysql -uroot --disable-ssl-verify-server-cert -e "select test.have_ssl()" | ||
--exec $MYSQL --protocol tcp -uroot --disable-ssl-verify-server-cert -e "select test.have_ssl()" 2>&1 | ||
--echo # mysql -uroot --ssl-verify-server-cert -e "select test.have_ssl()" | ||
--replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/ | ||
--error 1 | ||
--exec $MYSQL --protocol tcp -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1 | ||
# | ||
# unless using a secure transport, like unix_socket or named pipes | ||
# | ||
# note that SSL works over unix_socket, and it doesn't work over named pipes | ||
# but the connection is allowed either way, as the transport is secure | ||
# | ||
let proto=socket; | ||
if ($MTR_COMBINATION_WIN) { | ||
let proto=pipe; | ||
} | ||
--echo # mysql --protocol $proto -uroot --ssl-verify-server-cert -e "select test.have_ssl()" | ||
--exec $MYSQL --protocol $proto -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1 | ||
# | ||
# mysql_native_password with password works fine | ||
# | ||
--echo # mysql -unative -pfoo --ssl-verify-server-cert -e "select test.have_ssl()" | ||
--exec $MYSQL --protocol tcp -unative -pfoo --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1 | ||
# | ||
# ed25519 with password works fine | ||
# | ||
--echo # mysql -ued -pbar --ssl-verify-server-cert -e "select test.have_ssl()" | ||
--exec $MYSQL --protocol tcp -ued -pbar --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1 | ||
# | ||
# three_attempts uses auth string as is, doesn't hash. | ||
# so it's not safe over untrusted connection and thus cannot validate cert | ||
# | ||
--echo # mysql -unohash -ponetwothree --disable-ssl-verify-server-cert -e "select test.have_ssl()" | ||
--exec $MYSQL --protocol tcp -unohash -ponetwothree --disable-ssl-verify-server-cert -e "select test.have_ssl()" 2>&1 | ||
--echo # mysql -unohash -ponetwothree --ssl-verify-server-cert -e "select test.have_ssl()" | ||
--replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/ | ||
--error 1 | ||
--exec $MYSQL --protocol tcp -unohash -ponetwothree --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1 | ||
# | ||
# multi-auth case, both client and server must use | ||
# the same plugin for cert validation | ||
# | ||
--echo # mysql -umulti -ppw1 --ssl-verify-server-cert -e "select test.have_ssl()" | ||
--exec $MYSQL --protocol tcp -umulti -ppw1 --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1 | ||
--echo # mysql -umulti -ppw2 --ssl-verify-server-cert -e "select test.have_ssl()" | ||
--exec $MYSQL --protocol tcp -umulti -ppw2 --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1 | ||
|
||
drop function have_ssl; | ||
drop user native@'%'; | ||
drop user ed@'%'; | ||
drop user nohash@'%'; | ||
drop user multi@'%'; | ||
uninstall plugin ed25519; | ||
uninstall plugin three_attempts; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters