[MDEV-25059] require_secure_transport option still allows access to the client in an insecure way Created: 2021-03-04  Updated: 2021-04-05  Resolved: 2021-04-05

Status: Closed
Project: MariaDB Server
Component/s: Configuration
Affects Version/s: 10.5.9
Fix Version/s: N/A

Type: Bug
Priority: Minor
Reporter: ignacio schmid
Assignee: Sergei Golubchik
Resolution: Not a Bug
Votes: 0
Labels: None
Environment: Docker image mariadb:latest

Attachments: File conf.cnf

 Description   

I executed a MariaDB server with TLS, everything worked fine, and 'require_secure_transport' was ON.

Then, I tried to access it via the client, and I could access it with the --ssl option, but without giving any CA or any other certificate-related option. This makes me think that the server did connect via TLS (I could see the SSL cipher with the "status" command), but has not authenticated the server certificate, and I don't think we can call that secure in any way. I only got an error while trying to log in with TLS without the certs after changing the user requirement.

So there is no way to ensure that the connection is really secure besides changing the user requirement.

The conf file used to create the server is attached. I don't think it should matter, but I was using the root user.



 Comments   
Comment by Elena Stepanova [ 2021-04-03 ]

From the documentation of both MariaDB and MySQL, it appears to be quite intentional. The option requires the use of a secure transport, but doesn't enable any certificate validation – somewhat like configuring a user account with REQUIRE SSL (plus, of course, non-SSL secure transports, if available).

Assigning to serg to confirm (or not) whether it is indeed intentional, and to decide whether it should be converted into a feature request.

Comment by Sergei Golubchik [ 2021-04-05 ]

Yes, it's basically the only way it could be.

You wrote yourself "not authenticated the server certificate" and "there is no way to ensure that the connection is really secure besides changing the user requirement". Naturally, the server itself cannot validate the server certificate on the client side. So, you're right, to make the client validate the server certificate you need to configure the client to do it, not the server. Add to your conf.cnf file something like

[client]
ssl-verify-server-cert=on
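
An added example, not part of the original issue and not MariaDB's own code: a Python check that reads an option file such as the attached conf.cnf and reports whether the client groups enable ssl-verify-server-cert, separately from require_secure_transport on the server side. The group lists, the "last assignment wins" merge and the two sample files are assumptions made for illustration, and it assumes a client on which verification is off unless configured, as in the report.

```python
# Groups read by the server and by the command-line client (assumed lists).
SERVER_GROUPS = {"mysqld", "mariadbd", "mariadb", "server", "client-server"}
CLIENT_GROUPS = {"client", "client-server", "client-mariadb", "mysql", "mariadb-client"}
TRUE_VALUES = {"", "1", "on", "true"}  # a bare option name also means "enabled"

def parse_option_file(text):
    """Return {group: {option: value}}; '_' and '-' in option names are equivalent."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":  # comments and !include directives
            continue
        if line.startswith("[") and line.endswith("]"):
            current = groups.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None:
            name, _, value = line.partition("=")
            name = name.strip().lower().replace("_", "-")
            value = value.split("#")[0].strip().strip("'\"")
            if name.startswith("skip-"):  # skip-foo is the same as foo=0
                name, value = name[5:], "0"
            current[name] = value
    return groups

def effective(groups, wanted, option):
    """Simplified merge: the last assignment found in the wanted groups wins."""
    enabled = False
    for group, options in groups.items():
        if group in wanted and option in options:
            enabled = options[option].lower() in TRUE_VALUES
    return enabled

def audit(text):
    groups = parse_option_file(text)
    server_tls = effective(groups, SERVER_GROUPS, "require-secure-transport")
    client_verify = effective(groups, CLIENT_GROUPS, "ssl-verify-server-cert")
    findings = []
    if not client_verify:
        findings.append("client groups do not enable ssl-verify-server-cert: the "
                        "session is encrypted but the server certificate is not checked")
    return {"server_requires_tls": server_tls,
            "client_verifies_cert": client_verify, "findings": findings}

# Constructed sample: the reported setup (server enforces TLS, client only asks for it).
REPORTED = "[mariadb]\nrequire_secure_transport = ON\n[client]\nssl\n"
# Constructed sample: the same file plus the client setting from the comment above.
FIXED = REPORTED + "ssl-verify-server-cert=on\n"

if __name__ == "__main__":
    for label, sample in (("reported", REPORTED), ("fixed", FIXED)):
        print(label, audit(sample))
```
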
