Details
- Type: New Feature
- Status: Open
- Priority: Minor
- Resolution: Unresolved
Description
If the user provides a client option such as --ssl-ca that points to a file that does not exist or cannot be read, the client does not check that the file exists before it tries to use it to connect.
The current behavior has caused issues for some SkySQL users who forgot to download the skysql_chain.pem file. It is not intuitive for the client to attempt a connection when an important TLS-related file is missing. When implementing security features, the industry-standard design principle is to fail safe: security features may be mandatory for compliance reasons, and the failure of a security control can silently increase risk.
For example, let's say that a user executes this:
$ mariadb --user=myuser --password --host=127.0.0.1 --ssl --ssl-ca=/file/does/not/exist.pem --execute="SHOW SESSION STATUS LIKE 'Ssl_cipher'"
Enter password:
ERROR 2026 (HY000): SSL connection error: No such file or directory
Notice a few things about this:
- A non-existent CA file was specified to the client.
- The client still asked the user for a password.
- The client didn't notice that the CA file did not exist.
- Instead, the underlying TLS library noticed that the CA file did not exist when it tried to connect to the server.
We can confirm that a connection attempt is made by using strace, for example:
$ strace -oclient_strace.txt mariadb --user=myuser --password --host=127.0.0.1 --ssl --ssl-ca=/file/does/not/exist.pem --execute="SHOW SESSION STATUS LIKE 'Ssl_cipher'"
The strace output shows the connection attempt:
connect(4, {sa_family=AF_INET, sin_port=htons(3306), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EINPROGRESS (Operation now in progress)
poll([{fd=4, events=POLLOUT}], 1, -1) = 1 ([{fd=4, revents=POLLOUT}])
getsockopt(4, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
fcntl(4, F_SETFL, O_RDONLY) = 0
setsockopt(4, SOL_IP, IP_TOS, [8], 4) = 0
setsockopt(4, SOL_TCP, TCP_NODELAY, [1], 4) = 0
setsockopt(4, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
recvfrom(4, "i\0\0\0\n5.5.5-10.5.4-2-MariaDB-ente"..., 16384, MSG_DONTWAIT, NULL, NULL) = 109
sendto(4, " \0\0\1\204\252\237\0\0\0\0\1!\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 36, MSG_DONTWAIT|MSG_NOSIGNAL, NULL, 0) = 36
futex(0x7f10ed81301c, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x7f10ed812e48, FUTEX_WAKE_PRIVATE, 2147483647) = 0
openat(AT_FDCWD, "/etc/crypto-policies/back-ends/openssl.config", O_RDONLY) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=142, ...}) = 0
read(5, "@SECLEVEL=2:kEECDH:kRSA:kEDH:kPS"..., 4096) = 142
read(5, "", 4096) = 0
close(5) = 0
futex(0x7f10ed57e9a0, FUTEX_WAKE_PRIVATE, 2147483647) = 0
getrandom("\x2d\x77\x26\x00\xc7\x78\x18\x67\x92\x52\xfe\xf1\x6d\x3b\xec\x48", 16, 0) = 16
futex(0x7f10ed57e924, FUTEX_WAKE_PRIVATE, 2147483647) = 0
getrandom("\x8a\xe8\x45\xd6\x43\xab\x91\x4b\xf1\x98\x1e\x20\x93\xc8\x42\x69", 16, 0) = 16
getrandom("\x5c\xba\x4e\xb8\x20\x81\x0b\x82\xa8\x05\xb1\xb2\xad\xeb\x64\xd4", 16, 0) = 16
getpid() = 55771
futex(0x7f10ed57e900, FUTEX_WAKE_PRIVATE, 2147483647) = 0
openat(AT_FDCWD, "/file/does/not/exist.pem", O_RDONLY) = -1 ENOENT (No such file or directory)
close(4) = 0
write(2, "ERROR", 5) = 5
write(2, " 2026 (HY000)", 13) = 13
write(2, ": SSL connection error: No such "..., 50) = 50
In my opinion, the client should check for the existence of TLS-related files before the connection attempt is made, and if any files are missing, then it should exit with an error without attempting to connect.
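As an added illustration of the pre-connect check proposed above (example code written for this note, not the MariaDB client's own code and not the libmariadb API), the following C program validates every TLS-related path before anything touches the network, and fails safe with a diagnostic that names the offending option. The names tls_opts, check_tls_path and check_tls_files are assumptions for the demo, the PEM content written to the temporary file is constructed, and in the real client this check would run before the password prompt and before mysql_real_connect().

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* What kind of filesystem object an option is expected to name. */
enum tls_file_kind { TLS_FILE, TLS_DIR };

/* The TLS-related subset of client options (hypothetical struct). */
struct tls_opts {
    const char *ca;      /* --ssl-ca     : CA bundle file            */
    const char *capath;  /* --ssl-capath : directory of CA files     */
    const char *cert;    /* --ssl-cert   : client certificate file   */
    const char *key;     /* --ssl-key    : client private key file   */
};

/*
 * Verify one path before any socket is opened.
 * Returns 0 if the option was not given, or if the path exists, has the
 * expected type and is readable; otherwise returns -1 and writes a
 * diagnostic naming the option into err.
 */
static int check_tls_path(const char *option, const char *path,
                          enum tls_file_kind kind, char *err, size_t errlen)
{
    struct stat st;
    if (path == NULL || *path == '\0')
        return 0;                               /* nothing to verify */
    if (stat(path, &st) != 0) {
        snprintf(err, errlen, "%s=%s: %s", option, path, strerror(errno));
        return -1;
    }
    if (kind == TLS_FILE && !S_ISREG(st.st_mode)) {
        snprintf(err, errlen, "%s=%s: not a regular file", option, path);
        return -1;
    }
    if (kind == TLS_DIR && !S_ISDIR(st.st_mode)) {
        snprintf(err, errlen, "%s=%s: not a directory", option, path);
        return -1;
    }
    if (access(path, R_OK) != 0) {              /* exists but unreadable */
        snprintf(err, errlen, "%s=%s: %s", option, path, strerror(errno));
        return -1;
    }
    return 0;
}

/* Run every check, stopping at the first problem. 0 = proceed, -1 = fail safe. */
static int check_tls_files(const struct tls_opts *o, char *err, size_t errlen)
{
    if (check_tls_path("--ssl-ca",     o->ca,     TLS_FILE, err, errlen)) return -1;
    if (check_tls_path("--ssl-capath", o->capath, TLS_DIR,  err, errlen)) return -1;
    if (check_tls_path("--ssl-cert",   o->cert,   TLS_FILE, err, errlen)) return -1;
    if (check_tls_path("--ssl-key",    o->key,    TLS_FILE, err, errlen)) return -1;
    return 0;
}

/* The case from the report: a CA path that does not exist. Returns -1. */
int demo_missing_ca(void)
{
    char err[256];
    struct tls_opts o = { "/file/does/not/exist.pem", NULL, NULL, NULL };
    int rc = check_tls_files(&o, err, sizeof err);
    if (rc != 0)
        fprintf(stderr, "ERROR: %s\n", err);   /* exit here: no prompt, no connect() */
    return rc;
}

/* A CA option that names a directory instead of a file. Returns -1. */
int demo_ca_is_directory(void)
{
    char err[256];
    struct tls_opts o = { ".", NULL, NULL, NULL };
    return check_tls_files(&o, err, sizeof err);
}

/* A readable CA file (constructed temporary file in the cwd). Returns 0. */
int demo_existing_ca(void)
{
    char err[256], tmp[] = "fake-ca-XXXXXX";
    const char *pem = "-----BEGIN CERTIFICATE-----\n";   /* constructed content */
    int fd = mkstemp(tmp);
    if (fd < 0) return -1;
    if (write(fd, pem, strlen(pem)) < 0) { close(fd); unlink(tmp); return -1; }
    close(fd);
    struct tls_opts o = { tmp, NULL, NULL, NULL };
    int rc = check_tls_files(&o, err, sizeof err);
    unlink(tmp);
    return rc;
}

int main(void)
{
    printf("missing CA file   -> %d (expect -1)\n", demo_missing_ca());
    printf("CA is a directory -> %d (expect -1)\n", demo_ca_is_directory());
    printf("readable CA file  -> %d (expect  0)\n", demo_existing_ca());
    return 0;
}
```

The check runs stat() and access() on each configured path with the client's own credentials, so a file that exists but is unreadable (for example a private key owned by another user) is also reported before the password prompt, mirroring the openat() failure that strace showed but without the wasted round trip to the server.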
Issue Links
- relates to MDEV-28634 Client's --ssl-* options (without --ssl-verify-server-cert) are silently ignored if TLS is not possible (Closed)