[MDEV-31855] validate ssl certificates using client password Created: 2023-08-05  Updated: 2024-02-05  Resolved: 2024-02-05

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System, Plugins, SSL
Fix Version/s: 11.4.1

Type: New Feature Priority: Critical
Reporter: Sergei Golubchik Assignee: Sergei Golubchik
Resolution: Fixed Votes: 0
Labels: Preview_11.3

Issue Links:
Blocks
blocks MDEV-31856 use ephemeral ssl certificates Closed
PartOf
Relates
relates to CONJ-1105 TLS ephemeral certificate automatic i... Open
relates to CONJS-264 TLS ephemeral certificate automatic i... Stalled
relates to MDEV-32210 Ephemeral certificate missing DN Closed
relates to MXS-4774 Add support for ephemeral server cert... In Progress
relates to R2DBC-90 TLS ephemeral certificate automatic i... Open

 Description   

This needs a change in the client auth plugin API

  • client authentication plugins to get a new method hash_password(), the same as in the server plugin

The new authentication will work like this

Client side, when sending client reply packet:

  • If SSL is used, and --ssl-verify-server-cert is in force, but
  • no --ssl-ca or --ssl-fingerprint is in force, and
  • the certificate failed validation as self-signed, and
  • client authentication plugin doesn't have hash_password() method, and
  • the non-empty password was provided, then
  • disconnect, otherwise
  • continue (let's call it late certificate validation mode)

Server side, when sending the OK packet after successful authentication:

  • if SSL is used, and
  • the certificate is ephemeral (after MDEV-31856), and
  • the account has non-empty password, then
  • calculate SHA2(user's hashed password, scramble, certificate fingerprint), and
  • put it in the OK's info field, prefixed by byte 0x01

Client side, when receiving OK packet:

  • if in the late certificate validation mode, then
  • use hash_password() callback, calculate SHA2(user's hashed password, scramble, certificate fingerprint), compare

Notes

  • client plugin versions and the API version have to be incremented
  • the server doesn't know if the client is in the late password validation mode, so it might do some unnecessary work just in case
    • this could be fixed by a new capability bit, or
    • just live with potential unnecessary work on connect — it is assumed that in overwhelming majority of the cases this work will be necessary (almost all setups will use this mode)

 Comments   
Comment by Daniel Lenski [ 2023-08-10 ]

validate ssl certificates using client password

What security properties of the client-server connection would actually be improved by doing this?

It seems to me that this will greatly complicate the MariaDB client and server code. In my opinion, it is a bad design, because it further entrenches the entangling of two logically-separate concerns:

  1. Transport-layer: establishing an encrypted channel between the client and an authenticated server (TLS)
  2. Application-layer authentication and authorization

Entangling these is an extremely bad design choice, that has already led to several security vulnerabilities and greatly complicates solving them in a clean and backwards-compatible way, including at least CONC-648, CONC-654, and MDEV-31585. I wrote at greatly length about this in a comment on CONC-648.

So, I would say that it's important to step back and think about what the goal is here, in terms of improving the security properties of the system, and then think about how to achieve that in ways that reduce, rather than exacerbate, existing security vulnerabilities and design flaws.

Comment by Sergei Golubchik [ 2023-08-10 ]

The goal is to prevent active MitM of course by validating SSL certificates.

And no, the implementation (V1) of this is quite small and simple.

Comment by Daniel Lenski [ 2023-08-16 ]

The goal is to prevent active MitM of course by validating SSL certificates.

The title of this JIRA is “validate ssl certificates using client password”.

How is validation of the server’s SSL certificate (that's a transport-layer concern) conceivably related to the client’s MariaDB user password (that's an application-layer concern)?

Comment by Sergei Golubchik [ 2023-09-08 ]

in bb-11.3-serg branch, commits:

2c293980590 MDEV-31857 enable --ssl-verify-server-cert by default in the internal client
 
92d1e29f9eb MDEV-31855 validate ssl certificates using client password in the internal client
 
dc725663522 disable SSL via named pipes in the internal client
 
fecaa34d58a free mysql->connector_fd correctly in the internal client
 
d61d5c2b2f5 change how self-signed certs are accepted by internal client
 
4354452378d cleanup: X509_check_host() in the internal client
 
a170006cce6 cleanup: ssl handling in the internal rpl client
 
350cb3f311f MDEV-31857 enable --ssl-verify-server-cert by default
 
0131af509a9 enable --ssl in the server by default
 
b3fe66e7299 MDEV-31856 use ephemeral ssl certificates
 
8d608f6811e wrong error for bare --ssl on the server side
 
e651ca6497a cleanup
 
1ccb8bc0d78 test SSL MitM attack
 
a8895302211 client support for --tls-fp and --tls--fplist
 
3d6d49641f3 MDEV-31855 validate ssl certificates using client password
 
88b1c98c2d8 cleanup: unify client's setting of ssl options
 
6f0d7df2cb4 test.cnf files should !include default_my.cnf
 
8b573729ba6 clarify CR_OK_HANDSHAKE_COMPLETE

Comment by Oleksandr Byelkin [ 2023-09-12 ]

OK to push (after adding coments about format of the protocol extention (SSL info))

Comment by Daniel Lenski [ 2023-09-15 ]

sanja wrote:

OK to push (after adding coments about format of the protocol extention (SSL info))

Yikes.

Do you understand that serg is essentially proposing a new TLS key exchange mechanism here?

Have you solicited the help of experts in cryptographic protocol design who can evaluate the security of this mechanism?

If I were to provide a step-by-step explanation of how this mechanism could be attacked and the client's password stolen undetectably, would you change you mind about "okay to push"?

In a comment on MDEV-31856, serg wrote:

yes, sure. the design document is in MDEV-31855. There's a full high-level description of the new protocol extension.
I'd appreciate if you'd try to come up with attacks against it.

Yes, I already have a detailed step-by-step attack against it.

Using this attack, it is possible for a MITM to fool the client into thinking that it has connected to a server, when it has in fact connected to the MITM, and for the MITM to obtain the client's password.

This attack is exacerbated by a (seemingly-unrelated) security flaw in MariaDB which has never been reported, to my knowledge. It is a very good illustration of why it is dangerous to mix authentication at different protocol layers, as I've been explaining over and over.

Do you want me to explain it?

Comment by Sergei Golubchik [ 2023-09-16 ]

of course, if you were to provide a step-by-step explanation of how this mechanism could be attacked, we won't push this feature in this form.

Comment by Daniel Lenski [ 2023-09-18 ]

I have already reported several practical TLS attacks against actual production MariaDB code which has existed for many years, e.g. CONC-648, CONC-654, CONC-656, MDEV-31585. I've proposed fixes for all of these; they remain mostly unfixed.

I would describe all these bugs as "pretty obvious": I didn't set out to find TLS bugs in MariaDB, but once I started looking at the relevant code for other reasons, they started to jump out at me all over the place.

I've also explained several times (e.g. comment on CONC-648 from 3 months ago how these vulnerabilities are largely a consequence of improper entanglement between different conceptually separate layers of networking protocols. This is not some very specialized knowledge: it's included in basically every guide to programming with TLS, and in many reports of previous real-world TLS vulnerabilities.

What you have proposed here, serg, is yet another new entanglement between the application-layer authentication (e.g. MariaDB native password auth) and the transport-layer security mechanism (TLS), as I mentioned in a comment right above).

of course, if you were to provide a step-by-step explanation of how this mechanism could be attacked, we won't push this feature in this form.

I am less concerned about the particular vulnerability that you are going to introduce if you merge this code, than I am with what appears to be broken or missing processes in MariaDB development.

It appears that there must be little or no review of the security implications of code changes like the one proposed here.

Comment by Sergei Golubchik [ 2023-09-19 ]

Neither issue you mentioned above is a TLS attack, and 3 out of four are not even at "attack" as such.

Thank you for confirming that you're less concerned about this particular protocol extension, supposedly it means that there is no step-by-step explanation of how this mechanism could be attacked.

Comment by Lena Startseva [ 2023-10-20 ]

serg, please, make a small changes in test main.ssl_autoverify in cases with "- - no-defaults" option - add option "--character-sets-dir" with value otherwise on some environments I get warnings in this cases:

../mariadb: Warning: Charset id '33' csname 'utf8' trying to replace existing csname 'utf8mb3'
 
../mariadb: Warning: Charset id '83' csname 'utf8' trying to replace existing csname 'utf8mb3'

Comment by Sergei Golubchik [ 2023-10-20 ]

Fixed, thanks

Comment by Lena Startseva [ 2024-01-23 ]

Testing done. Ok to push

Generated at Thu Feb 08 10:26:59 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.