
Improve SSL settings, reflect changes for BACKRONYM and Riddle vulnerabilities, enforce SSL encryption when mysql_ssl=1 is set #114

Merged
merged 4 commits into from
Apr 17, 2017

Conversation

pali (Member) commented Apr 2, 2017

This pull request improves SSL settings by:

  • Describing all SSL related attributes in the POD documentation
  • Reflecting changes between different versions of libmysqlclient.so and properly enforcing SSL encryption
  • Fixing the BACKRONYM and Riddle vulnerabilities
  • Enforcing SSL encryption when mysql_ssl=1 is set
  • Adding a new connection attribute, mysql_ssl_optional
  • Adding a new database handle attribute, mysql_ssl_cipher

The important change is that DBD::mysql rejects the connection to a MySQL server (even one with SSL enabled) if mysql_ssl=1 is set and the libmysqlclient.so library cannot enforce SSL encryption (because it is vulnerable to BACKRONYM or Riddle).

See also discussion at #110

This reflects changes between different versions of libmysqlclient.so and
finally fixes library usage to handle the BACKRONYM and Riddle vulnerabilities.

Due to fixing the vulnerabilities, it also changes the behavior of the mysql_ssl=1
attribute from opportunistic mode to enforced SSL mode. Now DBD::mysql
with mysql_ssl=1 fails to connect to a non-SSL server.

When set, SSL encryption is not enforced and DBD::mysql is allowed to fall back
to the plain text protocol if the server does not support SSL. Older MySQL and
MariaDB client versions do not support enforced SSL mode due to the BACKRONYM
and Riddle vulnerabilities.
@pali pali changed the title WIP: Improve SSL settings, reflect libmysqlclient.so changes for BACKRONYM and Riddle vulnerabilities Improve SSL settings, reflect changes for BACKRONYM and Riddle vulnerabilities, enforce SSL encryption when mysql_ssl=1 is set Apr 15, 2017
@pali pali mentioned this pull request Apr 15, 2017
It returns the SSL encryption cipher, or undef if SSL is not used. It can be
used by an application to check whether SSL was established.
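The following script is an added example, not code from the pull request or from DBD::mysql itself. It shows how an application would use the attributes described above: connect with mysql_ssl=1 (enforced mode, where a vulnerable client library or a non-SSL server makes the connect fail), then with mysql_ssl_optional=1 (fallback allowed), and in both cases read $dbh->{mysql_ssl_cipher} to confirm that encryption was actually negotiated before using the handle. It assumes a reachable MySQL or MariaDB server and a DBD::mysql that includes these changes; the environment variable names are hypothetical.

```perl
#!/usr/bin/perl
# Added example (not part of the pull request): verify that a DBD::mysql
# connection is really encrypted. Assumes a reachable server whose location
# and credentials come from the hypothetical environment variables below.
use strict;
use warnings;
use DBI;

my $host = $ENV{MYSQL_HOST} // 'localhost';
my $db   = $ENV{MYSQL_DB}   // 'test';
my $user = $ENV{MYSQL_USER} // 'root';
my $pass = $ENV{MYSQL_PASS} // '';

# Build the DSN. With this pull request, mysql_ssl=1 means "SSL required":
# DBI->connect fails instead of silently falling back to plain text.
# mysql_ssl_optional=1 re-enables the fallback for clients that need it.
sub dsn_for {
    my (%opts) = @_;
    my $dsn = "DBI:mysql:database=$db;host=$host;mysql_ssl=1";
    $dsn .= ";mysql_ssl_optional=1" if $opts{optional};
    # Pin the CA when one is supplied so the server certificate is verified too.
    $dsn .= ";mysql_ssl_ca_file=$ENV{MYSQL_SSL_CA}" if $ENV{MYSQL_SSL_CA};
    return $dsn;
}

# Connect and return ($dbh, $cipher). In enforced mode $cipher is always
# defined on success; in optional mode an undef cipher is the signal that
# the connection fell back to the plain text protocol.
sub connect_and_check {
    my (%opts) = @_;
    my $dbh = DBI->connect(dsn_for(%opts), $user, $pass,
        { RaiseError => 0, PrintError => 0, AutoCommit => 1 });
    return (undef, undef) unless $dbh;
    return ($dbh, $dbh->{mysql_ssl_cipher});
}

# 1. Enforced mode: a libmysqlclient.so vulnerable to BACKRONYM/Riddle, or a
#    server without SSL, makes connect() fail rather than downgrade.
my ($dbh, $cipher) = connect_and_check();
if (!$dbh) {
    print "enforced: connection refused: ", ($DBI::errstr // 'unknown error'), "\n";
} else {
    print "enforced: connected, cipher=", ($cipher // 'none'), "\n";
    $dbh->disconnect;
}

# 2. Optional mode: the connection may succeed in plain text. Treat an undef
#    cipher as a policy violation in application code and drop the handle.
($dbh, $cipher) = connect_and_check(optional => 1);
if ($dbh) {
    if (defined $cipher) {
        print "optional: SSL established, cipher=$cipher\n";
    } else {
        print "optional: fell back to plain text; refusing to use this connection\n";
    }
    $dbh->disconnect;
} else {
    print "optional: connection failed: ", ($DBI::errstr // 'unknown error'), "\n";
}
```

The point of the second block is that mysql_ssl_optional=1 moves the decision back to the application: the connect no longer fails on a plain text fallback, so the application must inspect mysql_ssl_cipher itself if it wants to refuse unencrypted sessions.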
@pali pali force-pushed the ssl branch 3 times, most recently from fe37eab to d36a5a6 April 15, 2017 23:38
@mbeijen mbeijen merged commit 23e8012 into perl5-dbi:master Apr 17, 2017
@pali pali deleted the ssl branch April 17, 2017 19:38
agx commented Aug 28, 2017

This should be reopened now that master got reverted back to 4.041
