Uploaded image for project: 'MariaDB Connector/C'
  1. MariaDB Connector/C
  2. CONC-707

TLS: Proposal for changing peer certificate validation

    XMLWordPrintable

Details

    • Task
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Fixed
    • 3.4.0
    • 3.4.3
    • TLS/SSL
    • None

    Description

      Verifying a peer certificate via fingerprint is considered to be safe, if

      • the hash function used is resistant to collisions and preimage attacks (>= SHA-256)
      • the fingerprint is stored in a safe place
      • the distribution of the trusted fingerprint was done securely, e.g., through a trusted channel or via a secure mechanism that prevents tampering.

      Especially in testing environments or when dealing with self signed certificates, fingerprint
      verification of peer certificates should be the more efficient and preferred verification method.

      Proposal to change the verification process:

      If a fingerprint or a list of fingerprints is specified, the peer certificate verification is successful if

      • the fingerprint of the peer certificate matches the specified fingerprint (or one of the fingerprints in the list)
      • the current time is between the "notBefore" and "notAfter" values of the peer certificate.
      • no further checks are performed

      If no fingerprint (or a list of fingerprints) was specified, verification will proceed as before.

      Required changes:

      Connector/C:

      • disable verification with weak hashes (MD5/SHA1)
      • move verification process to ma_tls_verify_server_cert (all TLS modules)
      • GNUTLS: remove verification callback during handshake (will be handled in ma_tls_verify_server_cert)

      Server:

      • Add fingerprint support for mtr (currently it's not possible to run mtr with --external)

      Attachments

        Activity

          People

            georg Georg Richter
            georg Georg Richter
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.