[MDEV-30178] Error message when 'require_secure_transport' is enabled should be more explict Created: 2022-12-08  Updated: 2023-09-07  Resolved: 2023-07-25

Status: Closed
Project: MariaDB Server
Component/s: SSL
Fix Version/s: 11.2.1

Type: Task Priority: Trivial
Reporter: Tingyao Nian Assignee: Daniel Black
Resolution: Fixed Votes: 1
Labels: beginner-friendly

Issue Links:
Problem/Incident
causes MDEV-32123 require_secure_transport doesn't allo... Closed

 Description   

'require_secure_transport' is introduced since 10.4 Enterprise

https://mariadb.com/docs/skysql/ref/mdb/system-variables/require_secure_transport/

When this option is enabled, connections attempted using insecure transport will be rejected. Secure transports are SSL/TLS, Unix sockets or named pipes.

However the error message emitted when connection s refused is not at all explanatory. If this variable is enabled and a client tries to connect without encryption, following error message will be seen:

ERROR 1045 (28000): Access denied for user '<user>'@'localhost' (using password: [YES|NO])

It does not provide any useful information to suggest user to connect with encryption, neither does it mention the related parameter 'require_secure_transport'.

The equivalent message from MySQL for example contains more information:

MySQL Error 3159 (HY000): Connections using insecure transport are prohibited while --require_secure_transport=ON.

It would be beneficial to change this error message in MariaDB to reflect that the variable is enabled and to suggest user to use encrypted connection.

 Comments   
Comment by Daniel Black [ 2022-12-08 ]

Note it was added in 10.5.2 on the MariaDB community version.

Comment by Daniel Lenski [ 2022-12-08 ]

Additionally, when attempting to connect using TLS certificate validation, but failing to validate the server certs… the error messages are of an extremely poor quality:

Connect to a server where the server's cert is self-signed, or otherwise can't be validated by the system-default CA bundle

$ mariadb  --ssl-verify-server-cert --ssl -u USER -pPASSWORD -h mariadb-server-with-self-signed-cert.com
 
ERROR 2026 (HY000): TLS/SSL error: unable to get local issuer certificate

Contrast this with, say, the higher-quality error message produced by GnuTLS:

$ gnutls-cli self-signed.badssl.com
 
- Status: The certificate is NOT trusted. The certificate issuer is unknown.

Connect to a server where the server's hostname doesn't match its certificate

The easiest way to demonstrate this is to connect by IP address to a server whose certificate contains only its hostname, but not its IP address(es):

$ mariadb  --ssl-verify-server-cert --ssl -u USER -pPASSWORD -h 1.2.3.4   # IPv4 address of mariadb-server-with-self-signed-cert.com
 
ERROR 2026 (HY000): TLS/SSL error: Validation of SSL server certificate failed

Contrast this with, say, the higher-quality error message produced by GnuTLS:

$ gnutls-cli 104.154.89.105   # IPv4 address of self-signed.badssl.com
 
- Status: The certificate is NOT trusted. The certificate issuer is unknown. The certificate chain uses expired certificate. The name in the certificate does not match the expected.

Comment by Daniel Lenski [ 2022-12-08 ]

Related: The default connection security of MariaDB clients (command-line tools and connector libraries) is extremely weak — and even worse, it's misleading to end users:

  1. Insecure by default: clients don't enable --ssl by default.
    In this respect, MariaDB is years behind the curve of other TCP-based client/server application, most all of which use TLS by default. (Web browsers, IMAP clients, SMTP clients, etc.)
  2. Misleading: even when you explicitly enable --ssl, certificate validation isn't enabled.
    I would guess that there are thousands and thousands of MariaDB users who think that they've got secure connections, because they've added --ssl to their command line, or mariadb.connect(…, ssl=True) to their Python scripts, but they don't. Their connections are trivial to MITM.
Comment by Daniel Black [ 2022-12-08 ]

dlenski, those two are are in the Connector/C and should be a different bug if one doesn't exist already. Though looking at the code, you are right other TLS errors fall straight under the to ER_ACCESS_DENIEDs error with no TLS / require_secure_storage mention.

Tingynia looking at what it would take to fix, the code in sql/sql_acl.cc:acl_check_ssl is where to start that needs to return different errors codes.

Error messages with the same code I think can be introduced.

example addition

 
diff --git a/sql/share/errmsg-utf8.txt b/sql/share/errmsg-utf8.txt
 
index 984c48c30db..521a95aada1 100644
 
--- a/sql/share/errmsg-utf8.txt
 
+++ b/sql/share/errmsg-utf8.txt
 
@@ -7242,6 +7242,9 @@ ER_ACCESS_DENIED_NO_PASSWORD_ERROR 28000
 
         swe "Användare '%s'@'%s' är ej berättigad att logga in"
 
         ukr "Доступ заборонено для користувача: '%s'@'%s'"
 
 
+ER_ACCESS_SECURE_TRANSPORT_REQUIRED 28000
 
+        eng "Access denied for user '%s'@'%s', secure transport required of require_secure_transport=ON"
 
+
 
 ER_SET_PASSWORD_AUTH_PLUGIN
 
         chi "通过%s插件验证的用户忽略SET PASSWORD"
 
         eng "SET PASSWORD is ignored for users authenticating via %s plugin"

Is this something you are willing to try to write code to correct?

Comment by Sergei Golubchik [ 2022-12-26 ]

dlenski, see also MDEV-27105 and MDEV-28634.
The former makes clients use ssl by default, if possible. It's in 10.10.
The latter should've enabled cert validation by default (preventing MitM) but I didn't push it, as it would've broken almost every ssl-enabled MariaDB installation in the world. Please, feel free to comment in MDEV-28634 if you have any ideas that could help to get it pushed.

Comment by Daniel Lenski [ 2022-12-28 ]

serg wrote:

The latter should've enabled cert validation by default (preventing MitM) but I didn't push it, as it would've broken almost every ssl-enabled MariaDB installation in the world.

The counterargument is that "almost every ssl-enabled MariaDB installation in the world" is already broken: an ISP or government can easily MITM traffic to/from MariaDB servers if they're not actually doing certification validation.

This has been an extremely common and plausible threat model for almost a decade now.

Comment by Sergei Golubchik [ 2022-12-28 ]

Yes, you're right. They're already broken.
Still from the user PoV they work, and I'm not sure we should pull the plug from all those installations at once.

Comment by Daniel Black [ 2023-03-29 ]

serg I assume you want to review everything to do with authentication.

AFAIK https://github.com/MariaDB/server/pull/2581 looks correct.

Which version to target is an outstanding question. In its current from using the same 28000 is back to 10.5 ok?

Comment by Daniel Lenski [ 2023-03-29 ]

AFAIK https://github.com/MariaDB/server/pull/2581 looks correct.

+ dufravin, who's the author of this PR.

Comment by Sergei Golubchik [ 2023-07-21 ]

https://github.com/MariaDB/server/pull/2581/commits/f6535644da is ok to push

Generated at Thu Feb 08 10:14:15 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.