
Improve SSL settings, reflect changes for BACKRONYM and Riddle vulnerabilities, enforce SSL encryption when mysql_ssl=1 is set #114

Merged
merged 4 commits into from Apr 17, 2017

@pali (Contributor) commented Apr 2, 2017

This pull request improves SSL settings by:

  • Describing all SSL related attributes in the POD documentation
  • Reflecting changes between different versions of libmysqlclient.so and properly enforcing SSL encryption
  • Fixing the BACKRONYM and Riddle vulnerabilities
  • Enforcing SSL encryption when mysql_ssl=1 is set
  • Adding the new connection attribute mysql_ssl_optional
  • Adding the new database handle attribute mysql_ssl_cipher

The important change is that DBD::mysql rejects connections to a MySQL server (even an SSL-enabled one) if mysql_ssl=1 is set and the libmysqlclient.so library cannot enforce SSL encryption (because it is vulnerable to BACKRONYM or Riddle).

See also the discussion at #110

@pali pali force-pushed the pali:ssl branch 2 times, most recently from ac5bed1 to ee27812 Apr 3, 2017

pali added some commits Apr 15, 2017

Enforce SSL encryption when mysql_ssl=1 is set
This reflects changes between different versions of libmysqlclient.so and
finally fixes library usage to handle the BACKRONYM and Riddle vulnerabilities.

Due to fixing the vulnerabilities, it also changes the behavior of the mysql_ssl=1
attribute from opportunistic mode to enforced mode of SSL. Now DBD::mysql
with mysql_ssl=1 fails to connect to a non-SSL server.

Add new connection attribute mysql_ssl_optional
When set, SSL encryption is not enforced, which allows DBD::mysql to fall back
to the plain text protocol if the server does not support SSL. Older MySQL and
MariaDB client versions do not support enforced SSL mode due to the BACKRONYM
and Riddle vulnerabilities.

@pali pali force-pushed the pali:ssl branch from 99cf6ff to a16814d Apr 15, 2017

@pali pali changed the title WIP: Improve SSL settings, reflect libmysqlclient.so changes for BACKRONYM and Riddle vulnerabilities Improve SSL settings, reflect changes for BACKRONYM and Riddle vulnerabilities, enforce SSL encryption when mysql_ssl=1 is set Apr 15, 2017

@pali pali referenced this pull request Apr 15, 2017: Handle SSL/TLS correctly #110 (Closed)

Add new database handle attribute mysql_ssl_cipher
It returns the SSL encryption cipher, or undef if SSL is not used. It can be
used by an application to check whether SSL was established or not.
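As an added example, not code from this pull request or from DBD::mysql itself, here is how a DBI client would use the attributes described in the PR description and in the commit above: mysql_ssl=1 to require encryption, mysql_ssl_optional=1 for the opportunistic fallback, and the mysql_ssl_cipher handle attribute to verify what was actually negotiated. The host, database and credentials are constructed placeholders, and it assumes the installed libmysqlclient is one that can enforce SSL.

```perl
use strict;
use warnings;
use DBI;

# Constructed placeholders; replace with real values.
my $host = 'db.example.com';
my $db   = 'test';
my ($user, $pass) = ('app', 'secret');

# Returns a connected $dbh and the negotiated cipher, or dies.
# optional => 1 adds mysql_ssl_optional=1 (opportunistic mode): the
# connection may silently fall back to plaintext, so the cipher check
# below is the only thing that tells the application whether SSL is on.
sub connect_checked {
    my (%opt) = @_;
    my $dsn = "DBI:mysql:database=$db;host=$host;mysql_ssl=1";
    $dsn .= ";mysql_ssl_optional=1" if $opt{optional};

    # With mysql_ssl=1 and no mysql_ssl_optional, connect() fails (and
    # RaiseError turns that into die) if the server offers no SSL or
    # if libmysqlclient cannot enforce it (BACKRONYM / Riddle).
    my $dbh = DBI->connect($dsn, $user, $pass,
                           { RaiseError => 1, PrintError => 0 });

    # mysql_ssl_cipher is undef when the session is not encrypted.
    my $cipher = $dbh->{mysql_ssl_cipher};
    if (!defined $cipher) {
        $dbh->disconnect;
        die "connection to $host is not SSL encrypted\n";
    }
    return ($dbh, $cipher);
}

my ($dbh, $cipher) = eval { connect_checked(optional => 0) };
if ($dbh) {
    print "SSL established, cipher: $cipher\n";
    $dbh->disconnect;
} else {
    print "enforced SSL connection failed: $@";
}
```

Switching to `connect_checked(optional => 1)` lets the connect succeed against a non-SSL server, which is exactly why the mysql_ssl_cipher check is kept as a separate step rather than trusting the connect alone.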

@pali pali force-pushed the pali:ssl branch 3 times, most recently from fe37eab to d36a5a6 Apr 15, 2017

@mbeijen mbeijen merged commit 23e8012 into perl5-dbi:master Apr 17, 2017

2 checks passed

continuous-integration/appveyor/pr: AppVeyor build succeeded
continuous-integration/travis-ci/pr: The Travis CI build passed

@pali pali deleted the pali:ssl branch Apr 17, 2017

@agx commented Aug 28, 2017

This should be reopened now that master got reverted back to 4.041
