Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-31855

validate ssl certificates using client password

    XMLWordPrintable

Details

    Description

      This needs a change in the client auth plugin API

      • client authentication plugins to get a new method hash_password(), the same as in the server plugin

      The new authentication will work like this

      Client side, when sending client reply packet:

      • If SSL is used, and --ssl-verify-server-cert is in force, but
      • no --ssl-ca or --ssl-fingerprint is in force, and
      • the certificate failed validation as self-signed, and
      • client authentication plugin doesn't have hash_password() method, and
      • the non-empty password was provided, then
      • disconnect, otherwise
      • continue (let's call it late certificate validation mode)

      Server side, when sending the OK packet after successful authentication:

      • if SSL is used, and
      • the certificate is ephemeral (after MDEV-31856), and
      • the account has non-empty password, then
      • calculate SHA2(user's hashed password, scramble, certificate fingerprint), and
      • put it in the OK's info field, prefixed by byte 0x01

      Client side, when receiving OK packet:

      • if in the late certificate validation mode, then
      • use hash_password() callback, calculate SHA2(user's hashed password, scramble, certificate fingerprint), compare

      Notes

      • client plugin versions and the API version have to be incremented
      • the server doesn't know if the client is in the late password validation mode, so it might do some unnecessary work just in case
        • this could be fixed by a new capability bit, or
        • just live with potential unnecessary work on connect — it is assumed that in overwhelming majority of the cases this work will be necessary (almost all setups will use this mode)

      Attachments

        Issue Links

          Activity

            People

              serg Sergei Golubchik
              serg Sergei Golubchik
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.