Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-31855

validate ssl certificates using client password

Details

    Description

      This needs a change in the client auth plugin API

      • client authentication plugins to get a new method hash_password(), the same as in the server plugin

      The new authentication will work like this

      Client side, when sending client reply packet:

      • If SSL is used, and --ssl-verify-server-cert is in force, but
      • no --ssl-ca or --ssl-fingerprint is in force, and
      • the certificate failed validation as self-signed, and
      • client authentication plugin doesn't have hash_password() method, and
      • the non-empty password was provided, then
      • disconnect, otherwise
      • continue (let's call it late certificate validation mode)

      Server side, when sending the OK packet after successful authentication:

      • if SSL is used, and
      • the certificate is ephemeral (after MDEV-31856), and
      • the account has non-empty password, then
      • calculate SHA2(user's hashed password, scramble, certificate fingerprint), and
      • put it in the OK's info field, prefixed by byte 0x01

      Client side, when receiving OK packet:

      • if in the late certificate validation mode, then
      • use hash_password() callback, calculate SHA2(user's hashed password, scramble, certificate fingerprint), compare

      Notes

      • client plugin versions and the API version have to be incremented
      • the server doesn't know if the client is in the late password validation mode, so it might do some unnecessary work just in case
        • this could be fixed by a new capability bit, or
        • just live with potential unnecessary work on connect — it is assumed that in overwhelming majority of the cases this work will be necessary (almost all setups will use this mode)

      Attachments

        Issue Links

          blocks

          New Feature - A new feature of the product, which has yet to be developed. MDEV-31856 use ephemeral ssl certificates

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed
          causes

          Bug - A problem which impairs or prevents the functions of the product. MDEV-33639 AuthSwitchResponse info has changed since 11.4

          • Major - Major loss of function.
          • Closed
          relates to

          New Feature - A new feature of the product, which has yet to be developed. CONJ-1105 TLS certificate validation without needs to provide certificate client side

          • Major - Major loss of function.
          • Closed

          New Feature - A new feature of the product, which has yet to be developed. CONJS-264 TLS ephemeral certificate automatic implementation

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-32210 Ephemeral certificate missing DN

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          New Feature - A new feature of the product, which has yet to be developed. MXS-4102 Support for passphrase protected certificate keys

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          New Feature - A new feature of the product, which has yet to be developed. MXS-4774 Add support for ephemeral server certificates

          • Major - Major loss of function.
          • Closed

          New Feature - A new feature of the product, which has yet to be developed. R2DBC-90 TLS ephemeral certificate automatic implementation

          • Major - Major loss of function.
          • Open

          Activity

            Ascending order - Click to sort in descending order
            dlenski Daniel Lenski (Inactive) added a comment -

            validate ssl certificates using client password

            What security properties of the client-server connection would actually be improved by doing this?

            It seems to me that this will greatly complicate the MariaDB client and server code. In my opinion, it is a bad design, because it further entrenches the entangling of two logically-separate concerns:

            1. Transport-layer: establishing an encrypted channel between the client and an authenticated server (TLS)
            2. Application-layer authentication and authorization

            Entangling these is an extremely bad design choice, that has already led to several security vulnerabilities and greatly complicates solving them in a clean and backwards-compatible way, including at least CONC-648, CONC-654, and MDEV-31585. I wrote at greatly length about this in a comment on CONC-648.

            So, I would say that it's important to step back and think about what the goal is here, in terms of improving the security properties of the system, and then think about how to achieve that in ways that reduce, rather than exacerbate, existing security vulnerabilities and design flaws.

            dlenski Daniel Lenski (Inactive) added a comment - validate ssl certificates using client password What security properties of the client-server connection would actually be improved by doing this? It seems to me that this will greatly complicate the MariaDB client and server code. In my opinion, it is a bad design, because it further entrenches the entangling of two logically-separate concerns: Transport -layer: establishing an encrypted channel between the client and an authenticated server (TLS) Application -layer authentication and authorization Entangling these is an extremely bad design choice, that has already led to several security vulnerabilities and greatly complicates solving them in a clean and backwards-compatible way, including at least CONC-648 , CONC-654 , and MDEV-31585 . I wrote at greatly length about this in a comment on CONC-648 . So, I would say that it's important to step back and think about what the goal is here, in terms of improving the security properties of the system, and then think about how to achieve that in ways that reduce, rather than exacerbate, existing security vulnerabilities and design flaws.
            serg Sergei Golubchik added a comment - - edited

            The goal is to prevent active MitM of course by validating SSL certificates.

            And no, the implementation (V1) of this is quite small and simple.

            serg Sergei Golubchik added a comment - - edited The goal is to prevent active MitM of course by validating SSL certificates. And no, the implementation (V1) of this is quite small and simple.
            dlenski Daniel Lenski (Inactive) added a comment -

            The goal is to prevent active MitM of course by validating SSL certificates.

            The title of this JIRA is “validate ssl certificates using client password”.

            How is validation of the server’s SSL certificate (that's a transport-layer concern) conceivably related to the client’s MariaDB user password (that's an application-layer concern)?

            dlenski Daniel Lenski (Inactive) added a comment - The goal is to prevent active MitM of course by validating SSL certificates. The title of this JIRA is “validate ssl certificates using client password ”. How is validation of the server’s SSL certificate (that's a transport -layer concern) conceivably related to the client’s MariaDB user password (that's an application -layer concern)?
            serg Sergei Golubchik added a comment - - edited

            in bb-11.3-serg branch, commits:

            2c293980590 MDEV-31857 enable --ssl-verify-server-cert by default in the internal client
            		 
            92d1e29f9eb MDEV-31855 validate ssl certificates using client password in the internal client
            		 
            dc725663522 disable SSL via named pipes in the internal client
            		 
            fecaa34d58a free mysql->connector_fd correctly in the internal client
            		 
            d61d5c2b2f5 change how self-signed certs are accepted by internal client
            		 
            4354452378d cleanup: X509_check_host() in the internal client
            		 
            a170006cce6 cleanup: ssl handling in the internal rpl client
            		 
            350cb3f311f MDEV-31857 enable --ssl-verify-server-cert by default
            		 
            0131af509a9 enable --ssl in the server by default
            		 
            b3fe66e7299 MDEV-31856 use ephemeral ssl certificates
            		 
            8d608f6811e wrong error for bare --ssl on the server side
            		 
            e651ca6497a cleanup
            		 
            1ccb8bc0d78 test SSL MitM attack
            		 
            a8895302211 client support for --tls-fp and --tls--fplist
            		 
            3d6d49641f3 MDEV-31855 validate ssl certificates using client password
            		 
            88b1c98c2d8 cleanup: unify client's setting of ssl options
            		 
            6f0d7df2cb4 test.cnf files should !include default_my.cnf
            		 
            8b573729ba6 clarify CR_OK_HANDSHAKE_COMPLETE

            serg Sergei Golubchik added a comment - - edited in bb-11.3-serg branch, commits: 2c293980590 MDEV-31857 enable --ssl-verify-server-cert by default in the internal client 92d1e29f9eb MDEV-31855 validate ssl certificates using client password in the internal client dc725663522 disable SSL via named pipes in the internal client fecaa34d58a free mysql->connector_fd correctly in the internal client d61d5c2b2f5 change how self-signed certs are accepted by internal client 4354452378d cleanup: X509_check_host() in the internal client a170006cce6 cleanup: ssl handling in the internal rpl client 350cb3f311f MDEV-31857 enable --ssl-verify-server-cert by default 0131af509a9 enable --ssl in the server by default b3fe66e7299 MDEV-31856 use ephemeral ssl certificates 8d608f6811e wrong error for bare --ssl on the server side e651ca6497a cleanup 1ccb8bc0d78 test SSL MitM attack a8895302211 client support for --tls-fp and --tls--fplist 3d6d49641f3 MDEV-31855 validate ssl certificates using client password 88b1c98c2d8 cleanup: unify client's setting of ssl options 6f0d7df2cb4 test.cnf files should !include default_my.cnf 8b573729ba6 clarify CR_OK_HANDSHAKE_COMPLETE
            sanja Oleksandr Byelkin added a comment -

            OK to push (after adding coments about format of the protocol extention (SSL info))

            sanja Oleksandr Byelkin added a comment - OK to push (after adding coments about format of the protocol extention (SSL info))
            dlenski Daniel Lenski (Inactive) added a comment - - edited

            sanja wrote:

            OK to push (after adding coments about format of the protocol extention (SSL info))

            Yikes.

            Do you understand that serg is essentially proposing a new TLS key exchange mechanism here?

            Have you solicited the help of experts in cryptographic protocol design who can evaluate the security of this mechanism?

            If I were to provide a step-by-step explanation of how this mechanism could be attacked and the client's password stolen undetectably, would you change you mind about "okay to push"?

            In a comment on MDEV-31856, serg wrote:

            yes, sure. the design document is in MDEV-31855. There's a full high-level description of the new protocol extension.
            I'd appreciate if you'd try to come up with attacks against it.

            Yes, I already have a detailed step-by-step attack against it.

            Using this attack, it is possible for a MITM to fool the client into thinking that it has connected to a server, when it has in fact connected to the MITM, and for the MITM to obtain the client's password.

            This attack is exacerbated by a (seemingly-unrelated) security flaw in MariaDB which has never been reported, to my knowledge. It is a very good illustration of why it is dangerous to mix authentication at different protocol layers, as I've been explaining over and over.

            Do you want me to explain it?

            dlenski Daniel Lenski (Inactive) added a comment - - edited sanja wrote: OK to push (after adding coments about format of the protocol extention (SSL info)) Yikes. Do you understand that serg is essentially proposing a new TLS key exchange mechanism here? Have you solicited the help of experts in cryptographic protocol design who can evaluate the security of this mechanism? If I were to provide a step-by-step explanation of how this mechanism could be attacked and the client's password stolen undetectably , would you change you mind about "okay to push"? In a comment on MDEV-31856 , serg wrote: yes, sure. the design document is in MDEV-31855 . There's a full high-level description of the new protocol extension. I'd appreciate if you'd try to come up with attacks against it. Yes, I already have a detailed step-by-step attack against it. Using this attack, it is possible for a MITM to fool the client into thinking that it has connected to a server, when it has in fact connected to the MITM, and for the MITM to obtain the client's password . This attack is exacerbated by a (seemingly-unrelated) security flaw in MariaDB which has never been reported, to my knowledge. It is a very good illustration of why it is dangerous to mix authentication at different protocol layers, as I've been explaining over and over. Do you want me to explain it?
            serg Sergei Golubchik added a comment -

            of course, if you were to provide a step-by-step explanation of how this mechanism could be attacked, we won't push this feature in this form.

            serg Sergei Golubchik added a comment - of course, if you were to provide a step-by-step explanation of how this mechanism could be attacked, we won't push this feature in this form.
            dlenski Daniel Lenski (Inactive) added a comment -

            I have already reported several practical TLS attacks against actual production MariaDB code which has existed for many years, e.g. CONC-648, CONC-654, CONC-656, MDEV-31585. I've proposed fixes for all of these; they remain mostly unfixed.

            I would describe all these bugs as "pretty obvious": I didn't set out to find TLS bugs in MariaDB, but once I started looking at the relevant code for other reasons, they started to jump out at me all over the place.

            I've also explained several times (e.g. comment on CONC-648 from 3 months ago how these vulnerabilities are largely a consequence of improper entanglement between different conceptually separate layers of networking protocols. This is not some very specialized knowledge: it's included in basically every guide to programming with TLS, and in many reports of previous real-world TLS vulnerabilities.

            What you have proposed here, serg, is yet another new entanglement between the application-layer authentication (e.g. MariaDB native password auth) and the transport-layer security mechanism (TLS), as I mentioned in a comment right above).

            of course, if you were to provide a step-by-step explanation of how this mechanism could be attacked, we won't push this feature in this form.

            I am less concerned about the particular vulnerability that you are going to introduce if you merge this code, than I am with what appears to be broken or missing processes in MariaDB development.

            It appears that there must be little or no review of the security implications of code changes like the one proposed here.

            dlenski Daniel Lenski (Inactive) added a comment - I have already reported several practical TLS attacks against actual production MariaDB code which has existed for many years , e.g. CONC-648 , CONC-654 , CONC-656 , MDEV-31585 . I've proposed fixes for all of these; they remain mostly unfixed. I would describe all these bugs as "pretty obvious": I didn't set out to find TLS bugs in MariaDB, but once I started looking at the relevant code for other reasons, they started to jump out at me all over the place. I've also explained several times (e.g. comment on CONC-648 from 3 months ago how these vulnerabilities are largely a consequence of improper entanglement between different conceptually separate layers of networking protocols . This is not some very specialized knowledge: it's included in basically every guide to programming with TLS, and in many reports of previous real-world TLS vulnerabilities. What you have proposed here, serg , is yet another new entanglement between the application-layer authentication (e.g. MariaDB native password auth) and the transport-layer security mechanism (TLS), as I mentioned in a comment right above ). of course, if you were to provide a step-by-step explanation of how this mechanism could be attacked, we won't push this feature in this form. I am less concerned about the particular vulnerability that you are going to introduce if you merge this code, than I am with what appears to be broken or missing processes in MariaDB development. It appears that there must be little or no review of the security implications of code changes like the one proposed here.
            serg Sergei Golubchik added a comment -

            Neither issue you mentioned above is a TLS attack, and 3 out of four are not even at "attack" as such.

            Thank you for confirming that you're less concerned about this particular protocol extension, supposedly it means that there is no step-by-step explanation of how this mechanism could be attacked.

            serg Sergei Golubchik added a comment - Neither issue you mentioned above is a TLS attack, and 3 out of four are not even at "attack" as such. Thank you for confirming that you're less concerned about this particular protocol extension, supposedly it means that there is no step-by-step explanation of how this mechanism could be attacked.
            lstartseva Lena Startseva added a comment - - edited

            serg, please, make a small changes in test main.ssl_autoverify in cases with "- - no-defaults" option - add option "--character-sets-dir" with value otherwise on some environments I get warnings in this cases:

            ../mariadb: Warning: Charset id '33' csname 'utf8' trying to replace existing csname 'utf8mb3'
            		 
            ../mariadb: Warning: Charset id '83' csname 'utf8' trying to replace existing csname 'utf8mb3'

            lstartseva Lena Startseva added a comment - - edited serg , please, make a small changes in test main.ssl_autoverify in cases with "- - no-defaults" option - add option "--character-sets-dir" with value otherwise on some environments I get warnings in this cases: ../mariadb: Warning: Charset id '33' csname 'utf8' trying to replace existing csname 'utf8mb3' ../mariadb: Warning: Charset id '83' csname 'utf8' trying to replace existing csname 'utf8mb3'
            serg Sergei Golubchik added a comment -

            Fixed, thanks

            serg Sergei Golubchik added a comment - Fixed, thanks
            lstartseva Lena Startseva added a comment -

            Testing done. Ok to push

            lstartseva Lena Startseva added a comment - Testing done. Ok to push

            People

              serg Sergei Golubchik
              serg Sergei Golubchik
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.