Demonstrate that client will improperly accept error packets prior to TLS handshake
If the MariaDB client is running with `--ssl --ssl-verify-server-cert`, it SHOULD NOT
TRUST any application-level traffic prior to the completion of the TLS handshake,
and the validation of the server's TLS certificate.
1. Build this commit.
2. Start the server, e.g.
$ DIR=$(mktemp -d); mkdir -p $DIR/data; sql/mariadbd --no-defaults --datadir=$DIR/data --socket=$DIR/mysql.sock --skip-grant-tables --debug
…
2023-06-05 15:24:07 0 [Note] sql/mariadbd: ready for connections.
Version: '10.11.4-MariaDB-debug' socket: '/tmp/tmp.P4FvcEcKrH/mysql.sock' port: 3306 Source distribution
3. Attempt to connect to it with `--ssl --ssl-verify-server-cert`:
$ client/mariadb -h 127.0.0.1
ERROR 1815 (HY000): Internal error: Client will accept this error as genuine even if running with --ssl --ssl-verify-server-cert, and even though this error is sent in plaintext PRIOR TO TLS HANDSHAKE.
Running `tcpdump` in the background confirms that the client is improperly accepting
the error packet which is sent in plaintext and without a TLS handshake:
$ sudo tcpdump -n -X -i lo tcp port 3306
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
15:24:46.182853 IP 127.0.0.1.40234 > 127.0.0.1.3306: Flags [S], seq 1546762979, win 65495, options [mss 65495,sackOK,TS val 113496632 ecr 0,nop,wscale 7], length 0
0x0000: 4500 003c 2b03 4000 8006 d1b6 7f00 0001 E..<+.@.........
0x0010: 7f00 0001 9d2a 0cea 5c31 bae3 0000 0000 .....*..\1......
0x0020: a002 ffd7 fe30 0000 0204 ffd7 0402 080a .....0..........
0x0030: 06c3 d238 0000 0000 0103 0307 ...8........
15:24:46.182917 IP 127.0.0.1.3306 > 127.0.0.1.40234: Flags [S.], seq 3238764927, ack 1546762980, win 65483, options [mss 65495,sackOK,TS val 113496632 ecr 113496632,nop,wscale 7], length 0
0x0000: 4500 003c 0000 4000 8006 fcb9 7f00 0001 E..<..@.........
0x0010: 7f00 0001 0cea 9d2a c10b a17f 5c31 bae4 .......*....\1..
0x0020: a012 ffcb fe30 0000 0204 ffd7 0402 080a .....0..........
0x0030: 06c3 d238 06c3 d238 0103 0307 ...8...8....
15:24:46.182957 IP 127.0.0.1.40234 > 127.0.0.1.3306: Flags [.], ack 1, win 512, options [nop,nop,TS val 113496632 ecr 113496632], length 0
0x0000: 4500 0034 2b04 4000 8006 d1bd 7f00 0001 E..4+.@.........
0x0010: 7f00 0001 9d2a 0cea 5c31 bae4 c10b a180 .....*..\1......
0x0020: 8010 0200 fe28 0000 0101 080a 06c3 d238 .....(.........8
0x0030: 06c3 d238 ...8
15:24:46.185305 IP 127.0.0.1.3306 > 127.0.0.1.40234: Flags [P.], seq 1:189, ack 1, win 512, options [nop,nop,TS val 113496635 ecr 113496632], length 188
0x0000: 4508 00f0 622c 4000 8006 99d1 7f00 0001 E...b,@.........
0x0010: 7f00 0001 0cea 9d2a c10b a180 5c31 bae4 .......*....\1..
0x0020: 8018 0200 fee4 0000 0101 080a 06c3 d23b ...............;
0x0030: 06c3 d238 b800 0000 ff17 0749 6e74 6572 ...8.......Inter
0x0040: 6e61 6c20 6572 726f 723a 2043 6c69 656e nal.error:.Clien
0x0050: 7420 7769 6c6c 2061 6363 6570 7420 7468 t.will.accept.th
0x0060: 6973 2065 7272 6f72 2061 7320 6765 6e75 is.error.as.genu
0x0070: 696e 6520 6576 656e 2069 6620 7275 6e6e ine.even.if.runn
0x0080: 696e 6720 7769 7468 202d 2d73 736c 202d ing.with.--ssl.-
0x0090: 2d73 736c 2d76 6572 6966 792d 7365 7276 -ssl-verify-serv
0x00a0: 6572 2d63 6572 742c 2061 6e64 2065 7665 er-cert,.and.eve
0x00b0: 6e20 7468 6f75 6768 2074 6869 7320 6572 n.though.this.er
0x00c0: 726f 7220 6973 2073 656e 7420 696e 2070 ror.is.sent.in.p
0x00d0: 6c61 696e 7465 7874 2050 5249 4f52 2054 laintext.PRIOR.T
0x00e0: 4f20 544c 5320 4841 4e44 5348 414b 452e O.TLS.HANDSHAKE.
15:24:46.185343 IP 127.0.0.1.40234 > 127.0.0.1.3306: Flags [.], ack 189, win 511, options [nop,nop,TS val 113496635 ecr 113496635], length 0
0x0000: 4508 0034 2b05 4000 8006 d1b4 7f00 0001 E..4+.@.........
0x0010: 7f00 0001 9d2a 0cea 5c31 bae4 c10b a23c .....*..\1.....<
0x0020: 8010 01ff fe28 0000 0101 080a 06c3 d23b .....(.........;
0x0030: 06c3 d23b ...;
15:24:46.185432 IP 127.0.0.1.40234 > 127.0.0.1.3306: Flags [F.], seq 1, ack 189, win 512, options [nop,nop,TS val 113496635 ecr 113496635], length 0
0x0000: 4508 0034 2b06 4000 8006 d1b3 7f00 0001 E..4+.@.........
0x0010: 7f00 0001 9d2a 0cea 5c31 bae4 c10b a23c .....*..\1.....<
0x0020: 8011 0200 fe28 0000 0101 080a 06c3 d23b .....(.........;
0x0030: 06c3 d23b ...;
15:24:46.185569 IP 127.0.0.1.3306 > 127.0.0.1.40234: Flags [F.], seq 189, ack 2, win 512, options [nop,nop,TS val 113496635 ecr 113496635], length 0
0x0000: 4508 0034 622d 4000 8006 9a8c 7f00 0001 E..4b-@.........
0x0010: 7f00 0001 0cea 9d2a c10b a23c 5c31 bae5 .......*...<\1..
0x0020: 8011 0200 fe28 0000 0101 080a 06c3 d23b .....(.........;
0x0030: 06c3 d23b ...;
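
An added example, not part of the commit or of MariaDB's code: a Python decoder for the framing visible in the capture above (3-byte little-endian length, sequence byte, `0xff` marker, little-endian error code) that flags an ERR packet received before TLS has been verified. The function names and the sample packet are assumptions constructed for illustration, and the optional `#`+SQLSTATE handling goes beyond the capture, which carries none.

```python
import struct

ERR_MARKER = 0xFF      # first body byte of an ERR packet
GREETING_V10 = 0x0A    # first body byte of the usual server greeting

def parse_packet(data):
    """Split one wire packet: 3-byte LE length, 1-byte sequence, body."""
    if len(data) < 4:
        raise ValueError("truncated packet header")
    length = int.from_bytes(data[:3], "little")
    body = data[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated packet body")
    return data[3], body

def parse_err(body):
    """Decode an ERR body: 0xff, LE error code, optional '#'+SQLSTATE, text."""
    if len(body) < 3 or body[0] != ERR_MARKER:
        raise ValueError("not an ERR packet")
    code = struct.unpack_from("<H", body, 1)[0]
    rest, sqlstate = body[3:], None
    if rest[:1] == b"#" and len(rest) >= 6:
        sqlstate, rest = rest[1:6].decode("ascii", "replace"), rest[6:]
    return code, sqlstate, rest.decode("utf-8", "replace")

def classify_first_server_packet(data, tls_verified):
    """Describe the first server payload; nothing is authenticated
    until the TLS handshake and certificate validation have completed."""
    seq, body = parse_packet(data)
    result = {"seq": seq, "authenticated": tls_verified, "kind": "other"}
    if body[:1] == bytes([ERR_MARKER]):
        code, sqlstate, text = parse_err(body)
        result.update(kind="err", code=code, sqlstate=sqlstate, text=text)
    elif body[:1] == bytes([GREETING_V10]):
        result["kind"] = "greeting"
    # Per the commit message, a client that requires a verified certificate
    # should not trust an ERR packet that arrives before TLS is established.
    result["suspicious"] = result["kind"] == "err" and not tls_verified
    return result

def build_sample():
    """Constructed sample with the capture's layout: seq 0, code 1815, no SQLSTATE."""
    body = bytes([ERR_MARKER]) + struct.pack("<H", 1815) + b"Internal error: constructed sample"
    return len(body).to_bytes(3, "little") + b"\x00" + body

if __name__ == "__main__":
    print(classify_first_server_packet(build_sample(), tls_verified=False))
```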