[MDEV-31857] enable --ssl-verify-server-cert by default - Jira

Details

Type: New Feature
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Fix Version/s: 11.4.1
Component/s: SSL
Labels:
- Preview_11.3

Description

The summary says it all, let's get a secure-by-default connection by enabling --ssl-verify-server-cert by default.

Attachments

Issue Links

blocks

MDEV-28634 Client's --ssl-* options (without --ssl-verify-server-cert) are silently ignored if TLS is not possible

Closed

causes

MDEV-32473 MariaBackup requires disable-ssl-verify-server-cert

Closed

MDEV-33430 Command line client error ERROR 2026 (HY000): TLS/SSL error: Server certificate validation failed. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. Error 0x800B0109(CERT_E_UNTRUSTEDROOT)

Closed

MDEV-36500 Passwordless --ssl-verify-server-cert

Closed

ODBC-421 Certificate verification option should be on by default

Closed

is blocked by

MDEV-31856 use ephemeral ssl certificates

Closed

relates to

MDEV-33396 main.user_limits fails sporadically with CERT_E_UNTRUSTED_ROOT

Closed

MDEV-36663 Semi-sync Replica Can't Kill Dump Thread When Using SSL

Closed

(1 is blocked by, 2 relates to)

Activity

Ascending order - Click to sort in descending order

Sergei Golubchik created issue - 2023-08-05 16:48

Sergei Golubchik made changes - 2023-08-05 16:48

Field	Original Value	New Value
Link		This issue is blocked by ~~MDEV-31856~~ [ ~~MDEV-31856~~ ]

Sergei Golubchik made changes - 2023-08-05 16:49

Link

This issue is blocked by ~~MDEV-31855~~ [ ~~MDEV-31855~~ ]

Sergei Golubchik made changes - 2023-08-05 16:49

Fix Version/s

11.3 [ 28565 ]

Sergei Golubchik made changes - 2023-08-05 16:50

Fix Version/s

11.3 [ 28565 ]

Sergei Golubchik made changes - 2023-08-06 09:42

Link

This issue blocks ~~MDEV-28634~~ [ ~~MDEV-28634~~ ]

Sergei Golubchik made changes - 2023-08-06 09:45

Link

This issue is blocked by ~~MDEV-31855~~ [ ~~MDEV-31855~~ ]

Julien Fritsch made changes - 2023-08-06 16:48

Priority

Major [ 3 ]

Critical [ 2 ]

Daniel Lenski (Inactive) added a comment - 2023-08-10 16:39

I wholeheartedly approve of this!

Note that my PR mariadb-connector-c #225 already accomplishes two important related tasks:

Preventing a long-known path for silent SSL→plaintext downgrade (that's ~~MDEV-28634~~)
Reduction of attack surface, in terms of eliminating other code paths that could allow such downgrades

Daniel Lenski (Inactive) added a comment - 2023-08-10 16:39 I wholeheartedly approve of this! Note that my PR mariadb-connector-c #225 already accomplishes two important related tasks: Preventing a long-known path for silent SSL→plaintext downgrade (that's MDEV-28634 ) Reduction of attack surface, in terms of eliminating other code paths that could allow such downgrades

Sergei Golubchik made changes - 2023-08-10 23:14

Assignee

Sergei Golubchik [ serg ]

Sergei Golubchik added a comment - 2023-08-21 22:09

Note that ~~MDEV-31856~~ is a precondition for --ssl-verify-server-cert. We can only enable it by default (preventing SSL→plaintext downgrade, as you correctly pointed out) if MariaDB servers will have SSL enabled by default, so that clients will continue to work even without SSL→plaintext downgrade.

Sergei Golubchik added a comment - 2023-08-21 22:09 Note that MDEV-31856 is a precondition for --ssl-verify-server-cert . We can only enable it by default (preventing SSL→plaintext downgrade, as you correctly pointed out) if MariaDB servers will have SSL enabled by default, so that clients will continue to work even without SSL→plaintext downgrade.

Sergei Golubchik made changes - 2023-08-30 13:48

Status

Open [ 1 ]

In Progress [ 3 ]

Sergei Golubchik made changes - 2023-08-30 13:48

Status

In Progress [ 3 ]

Stalled [ 10000 ]

Sergei Golubchik made changes - 2023-08-30 21:46

Link

This issue includes ~~MDEV-28634~~ [ ~~MDEV-28634~~ ]

Sergei Golubchik made changes - 2023-08-30 21:46

Link

This issue blocks ~~MDEV-28634~~ [ ~~MDEV-28634~~ ]

Sergei Golubchik added a comment - 2023-09-06 14:03

the most time consuming part was to fix mtr tests, as they mostly use passwordless accounts and that makes server cert validation to fail

Sergei Golubchik added a comment - 2023-09-06 14:03 the most time consuming part was to fix mtr tests, as they mostly use passwordless accounts and that makes server cert validation to fail

Sergei Golubchik made changes - 2023-09-07 22:03

Comment

[ I'm thinking that cert validation can be auto-disabled for a case when
* the user has no password (but a password-using plugin, not unix_socket or gssapi)
* client presented no certificate to the server

this is an insecure case anyway, anyone can connect to the server, SSL or not, so verifying server's certificate makes minimal sense. And it might significantly improve the compatibility for users with accounts w/o a password. Supposedly their security expectations aren't high. ]

Sergei Golubchik made changes - 2023-09-08 14:26

Assignee	Sergei Golubchik [ serg ]	Oleksandr Byelkin [ sanja ]
Status	Stalled [ 10000 ]	In Review [ 10002 ]

Sergei Golubchik added a comment - 2023-09-08 14:30

see ~~MDEV-31855~~ for the list of commits

Sergei Golubchik added a comment - 2023-09-08 14:30 see MDEV-31855 for the list of commits

Oleksandr Byelkin added a comment - 2023-09-12 11:37

OK to push

Oleksandr Byelkin added a comment - 2023-09-12 11:37 OK to push

Oleksandr Byelkin made changes - 2023-09-12 11:37

Assignee	Oleksandr Byelkin [ sanja ]	Sergei Golubchik [ serg ]
Status	In Review [ 10002 ]	Stalled [ 10000 ]

Sergei Golubchik made changes - 2023-09-12 19:53

Link

This issue is part of TODO-4253 [ TODO-4253 ]

Sergei Golubchik added a comment - 2023-09-15 20:06

To be more user-friendly in a typical passwordless test environment, mariadb cli, will disable --ssl-verify-server-cert if

--ssl-verify-server-cert was not enabled explicitly
CA was not specified
fingerprint was not specified
protocol is TCP
no password was provided

It'll also print a warning in this case

Sergei Golubchik added a comment - 2023-09-15 20:06 To be more user-friendly in a typical passwordless test environment, mariadb cli, will disable --ssl-verify-server-cert if --ssl-verify-server-cert was not enabled explicitly CA was not specified fingerprint was not specified protocol is TCP no password was provided It'll also print a warning in this case

Sergei Golubchik made changes - 2023-09-19 13:27

Status

Stalled [ 10000 ]

In Testing [ 10301 ]

Sergei Golubchik made changes - 2023-09-19 13:27

Assignee

Sergei Golubchik [ serg ]

Alice Sherepa [ alice ]

Sergei Golubchik made changes - 2023-09-19 13:29

Link

This issue blocks ~~MDEV-28634~~ [ ~~MDEV-28634~~ ]

Sergei Golubchik made changes - 2023-09-19 13:29

Link

This issue includes ~~MDEV-28634~~ [ ~~MDEV-28634~~ ]

Ralf Gebhardt made changes - 2023-09-21 11:56

Labels

Preview_11.3

Elena Stepanova made changes - 2023-10-13 17:50

Link

This issue causes ~~MDEV-32473~~ [ ~~MDEV-32473~~ ]

Sergei Golubchik made changes - 2023-10-18 14:01

Assignee

Alice Sherepa [ alice ]

Lena Startseva [ JIRAUSER50478 ]

Sergei Golubchik made changes - 2023-11-19 23:36

Fix Version/s		11.4 [ 29301 ]
Fix Version/s	11.3 [ 28565 ]

Julien Fritsch made changes - 2023-11-30 16:30

Issue Type

Task [ 3 ]

New Feature [ 2 ]

Lena Startseva added a comment - 2024-01-23 15:31

Testing done. Ok to push.

Lena Startseva added a comment - 2024-01-23 15:31 Testing done. Ok to push.

Lena Startseva made changes - 2024-01-23 15:31

Status

In Testing [ 10301 ]

Stalled [ 10000 ]

Lena Startseva made changes - 2024-01-23 15:31

Assignee

Lena Startseva [ JIRAUSER50478 ]

Sergei Golubchik [ serg ]

Sergei Golubchik made changes - 2024-02-05 10:16

Fix Version/s		11.4.1 [ 29523 ]
Fix Version/s	11.4 [ 29301 ]
Resolution		Fixed [ 1 ]
Status	Stalled [ 10000 ]	Closed [ 6 ]

Vladislav Vaintroub made changes - 2024-02-06 19:46

Link

This issue relates to ~~MDEV-33396~~ [ ~~MDEV-33396~~ ]

Inada Naoki added a comment - 2024-02-08 04:25

`mysql_init()` now set `use_ssl=1` by default . Is this intended?

https://github.com/MariaDB/server/commit/abcd23add20276e4996773f578e77d5733e1b582#diff-b7189447363b2b74ee642549c398c1adcee11e2c8f4e0fa529dfde9d8f9e32faR1442

It makes MariaDB close to MySQL behavior (ssl_mode=PREFERRED by default).
So it reduce confusion of users who don't know difference between libmariadb and libmysql.

But use_ssl by default makes difficult to prohibit plaintext downgrade.

Inada Naoki added a comment - 2024-02-08 04:25 `mysql_init()` now set `use_ssl=1` by default . Is this intended? https://github.com/MariaDB/server/commit/abcd23add20276e4996773f578e77d5733e1b582#diff-b7189447363b2b74ee642549c398c1adcee11e2c8f4e0fa529dfde9d8f9e32faR1442 It makes MariaDB close to MySQL behavior (ssl_mode=PREFERRED by default). So it reduce confusion of users who don't know difference between libmariadb and libmysql. But use_ssl by default makes difficult to prohibit plaintext downgrade.

Vladislav Vaintroub made changes - 2024-02-08 12:02

Link

This issue causes ~~MDEV-33430~~ [ ~~MDEV-33430~~ ]

Lawrin Novitsky made changes - 2024-05-28 23:18

Link

This issue causes ~~ODBC-421~~ [ ~~ODBC-421~~ ]

Orion Poplawski added a comment - 2024-09-27 13:47

Was it intended that this change the default behavior of clients using mariadb-connector-c to require an SSL connection? Because that is the case now. This was very confusing for me to see the zabbix DB socket connection start to fail with `[2026] TLS/SSL error: SSL is required, but the server does not support it` when I hadn't actually configured SSL in the zabbix server configuration.

https://github.com/mariadb-corporation/mariadb-connector-c/blame/3.4/plugins/auth/my_auth.c#L294

Orion Poplawski added a comment - 2024-09-27 13:47 Was it intended that this change the default behavior of clients using mariadb-connector-c to require an SSL connection? Because that is the case now. This was very confusing for me to see the zabbix DB socket connection start to fail with ` [2026] TLS/SSL error: SSL is required, but the server does not support it` when I hadn't actually configured SSL in the zabbix server configuration. https://github.com/mariadb-corporation/mariadb-connector-c/blame/3.4/plugins/auth/my_auth.c#L294

Sergei Golubchik added a comment - 2024-09-27 14:06

Yes, it was intended within the concept "secure by default" and it was added when the server started providing TLS automatically and without any configuration in ~~MDEV-31856~~.

Supposedly, one can configure the client to disable TLS, if needed. Like, for the command line client it's --disable-ssl.

Anyway, we've added an opt-out recently for cases when a client doesn't have an option to disable TLS: https://github.com/mariadb-corporation/mariadb-connector-c/commit/39f2e12f9a6640eb82f1974dcd0ab2bc296c1403

Sergei Golubchik added a comment - 2024-09-27 14:06 Yes, it was intended within the concept "secure by default" and it was added when the server started providing TLS automatically and without any configuration in MDEV-31856 . Supposedly, one can configure the client to disable TLS, if needed. Like, for the command line client it's --disable-ssl . Anyway, we've added an opt-out recently for cases when a client doesn't have an option to disable TLS: https://github.com/mariadb-corporation/mariadb-connector-c/commit/39f2e12f9a6640eb82f1974dcd0ab2bc296c1403

Jimmy Hú made changes - 2025-04-06 20:16

Link

This issue causes ~~MDEV-36500~~ [ ~~MDEV-36500~~ ]

Brandon Nesterenko made changes - 5 days ago

Link

This issue relates to ~~MDEV-36663~~ [ ~~MDEV-36663~~ ]

People

Assignee:: Sergei Golubchik

Reporter:: Sergei Golubchik

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Dates

Created:: 2023-08-05 16:48

Updated:: 6 days ago 14:58

Resolved:: 2024-02-05 10:16

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration