[MDEV-31857] enable --ssl-verify-server-cert by default - Jira

Details

Type: New Feature
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Fix Version/s: 11.4.1
Component/s: SSL
Labels:
- Preview_11.3

Description

The summary says it all, let's get a secure-by-default connection by enabling --ssl-verify-server-cert by default.

Attachments

Issue Links

blocks

MDEV-28634 Client's --ssl-* options (without --ssl-verify-server-cert) are silently ignored if TLS is not possible

Closed

causes

MDEV-32473 MariaBackup requires disable-ssl-verify-server-cert

Closed

MDEV-33430 Command line client error ERROR 2026 (HY000): TLS/SSL error: Server certificate validation failed. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. Error 0x800B0109(CERT_E_UNTRUSTEDROOT)

Closed

MDEV-36500 Passwordless --ssl-verify-server-cert

Closed

ODBC-421 Certificate verification option should be on by default

Closed

is blocked by

MDEV-31856 use ephemeral ssl certificates

Closed

relates to

MDEV-33396 main.user_limits fails sporadically with CERT_E_UNTRUSTED_ROOT

Closed

MDEV-36663 Semi-sync Replica Can't Kill Dump Thread When Using SSL

Closed

(1 is blocked by, 2 relates to)

Activity

Ascending order - Click to sort in descending order

View 5 older comments

Sergei Golubchik added a comment - 2023-09-15 20:06

To be more user-friendly in a typical passwordless test environment, mariadb cli, will disable --ssl-verify-server-cert if

--ssl-verify-server-cert was not enabled explicitly
CA was not specified
fingerprint was not specified
protocol is TCP
no password was provided

It'll also print a warning in this case

Sergei Golubchik added a comment - 2023-09-15 20:06 To be more user-friendly in a typical passwordless test environment, mariadb cli, will disable --ssl-verify-server-cert if --ssl-verify-server-cert was not enabled explicitly CA was not specified fingerprint was not specified protocol is TCP no password was provided It'll also print a warning in this case

Lena Startseva added a comment - 2024-01-23 15:31

Testing done. Ok to push.

Lena Startseva added a comment - 2024-01-23 15:31 Testing done. Ok to push.

Inada Naoki added a comment - 2024-02-08 04:25

`mysql_init()` now set `use_ssl=1` by default . Is this intended?

https://github.com/MariaDB/server/commit/abcd23add20276e4996773f578e77d5733e1b582#diff-b7189447363b2b74ee642549c398c1adcee11e2c8f4e0fa529dfde9d8f9e32faR1442

It makes MariaDB close to MySQL behavior (ssl_mode=PREFERRED by default).
So it reduce confusion of users who don't know difference between libmariadb and libmysql.

But use_ssl by default makes difficult to prohibit plaintext downgrade.

Inada Naoki added a comment - 2024-02-08 04:25 `mysql_init()` now set `use_ssl=1` by default . Is this intended? https://github.com/MariaDB/server/commit/abcd23add20276e4996773f578e77d5733e1b582#diff-b7189447363b2b74ee642549c398c1adcee11e2c8f4e0fa529dfde9d8f9e32faR1442 It makes MariaDB close to MySQL behavior (ssl_mode=PREFERRED by default). So it reduce confusion of users who don't know difference between libmariadb and libmysql. But use_ssl by default makes difficult to prohibit plaintext downgrade.

Orion Poplawski added a comment - 2024-09-27 13:47

Was it intended that this change the default behavior of clients using mariadb-connector-c to require an SSL connection? Because that is the case now. This was very confusing for me to see the zabbix DB socket connection start to fail with `[2026] TLS/SSL error: SSL is required, but the server does not support it` when I hadn't actually configured SSL in the zabbix server configuration.

https://github.com/mariadb-corporation/mariadb-connector-c/blame/3.4/plugins/auth/my_auth.c#L294

Orion Poplawski added a comment - 2024-09-27 13:47 Was it intended that this change the default behavior of clients using mariadb-connector-c to require an SSL connection? Because that is the case now. This was very confusing for me to see the zabbix DB socket connection start to fail with ` [2026] TLS/SSL error: SSL is required, but the server does not support it` when I hadn't actually configured SSL in the zabbix server configuration. https://github.com/mariadb-corporation/mariadb-connector-c/blame/3.4/plugins/auth/my_auth.c#L294

Sergei Golubchik added a comment - 2024-09-27 14:06

Yes, it was intended within the concept "secure by default" and it was added when the server started providing TLS automatically and without any configuration in ~~MDEV-31856~~.

Supposedly, one can configure the client to disable TLS, if needed. Like, for the command line client it's --disable-ssl.

Anyway, we've added an opt-out recently for cases when a client doesn't have an option to disable TLS: https://github.com/mariadb-corporation/mariadb-connector-c/commit/39f2e12f9a6640eb82f1974dcd0ab2bc296c1403

Sergei Golubchik added a comment - 2024-09-27 14:06 Yes, it was intended within the concept "secure by default" and it was added when the server started providing TLS automatically and without any configuration in MDEV-31856 . Supposedly, one can configure the client to disable TLS, if needed. Like, for the command line client it's --disable-ssl . Anyway, we've added an opt-out recently for cases when a client doesn't have an option to disable TLS: https://github.com/mariadb-corporation/mariadb-connector-c/commit/39f2e12f9a6640eb82f1974dcd0ab2bc296c1403

People

Assignee:: Sergei Golubchik

Reporter:: Sergei Golubchik

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Dates

Created:: 2023-08-05 16:48

Updated:: 2 days ago 14:58

Resolved:: 2024-02-05 10:16

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server