[Dovecot] [PATCH] lib-sql/driver-mysql.c - Add support for enabling MYSQL_OPT_SSL_VERIFY_SERVER_CERT
Hello,
The following patch adds support for enabling MYSQL_OPT_SSL_VERIFY_SERVER_CERT.
It makes the mysql client library check that the commonName in the server's SSL certificate matches the host name provided to mysql_real_connect() and aborts the connection if the name doesn't match.
An example connect string would look something like:
connect = ... ssl-ca=/path/to/ca.cert ssl-verify-server-cert=yes
By default the mysql client library does not perform this check.
On 22.11.2013, at 0.35, Gareth Palmer gareth@acsdata.co.nz wrote:
The following patch adds support for enabling MYSQL_OPT_SSL_VERIFY_SERVER_CERT.
It makes the mysql client library check that the commonName in the server's SSL certificate matches the host name provided to mysql_real_connect() and aborts the connection if the name doesn't match.
An example connect string would look something like:
connect = ... ssl-ca=/path/to/ca.cert ssl-verify-server-cert=yes
By default the mysql client library does not perform this check.
If someone goes through the trouble of using SSL with MySQL .. should this even be optional? I guess I shouldn’t break any v2.2 installations even accidentally, but for v2.3 I don’t really see any point of not having this enabled unconditionally.
On Fri, 2013-11-22 at 00:42 +0200, Timo Sirainen wrote:
On 22.11.2013, at 0.35, Gareth Palmer gareth@acsdata.co.nz wrote:
The following patch adds support for enabling MYSQL_OPT_SSL_VERIFY_SERVER_CERT.
It makes the mysql client library check that the commonName in the server's SSL certificate matches the host name provided to mysql_real_connect() and aborts the connection if the name doesn't match.
An example connect string would look something like:
connect = ... ssl-ca=/path/to/ca.cert ssl-verify-server-cert=yes
By default the mysql client library does not perform this check.
If someone goes through the trouble of using SSL with MySQL .. should this even be optional? I guess I shouldn’t break any v2.2 installations even accidentally, but for v2.3 I don’t really see any point of not having this enabled unconditionally.
Apart from possibly breaking existing installations and that mysql client library allows it to be disabled, I can't think of a good reason why someone wouldn't enable it.
- Timo Sirainen dovecot@dovecot.org:
On 22.11.2013, at 0.35, Gareth Palmer gareth@acsdata.co.nz wrote:
The following patch adds support for enabling MYSQL_OPT_SSL_VERIFY_SERVER_CERT.
It makes the mysql client library check that the commonName in the server's SSL certificate matches the host name provided to mysql_real_connect() and aborts the connection if the name doesn't match.
An example connect string would look something like:
connect = ... ssl-ca=/path/to/ca.cert ssl-verify-server-cert=yes
By default the mysql client library does not perform this check.
If someone goes through the trouble of using SSL with MySQL .. should this even be optional? I guess I shouldn’t break any v2.2 installations even accidentally, but for v2.3 I don’t really see any point of not having this enabled unconditionally.
It should be optional or it will break other running systems when the update/upgrade.
p@rick
-- [*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
On 22.11.2013, at 9.22, Patrick Ben Koetter p@sys4.de wrote:
- Timo Sirainen dovecot@dovecot.org:
On 22.11.2013, at 0.35, Gareth Palmer gareth@acsdata.co.nz wrote:
The following patch adds support for enabling MYSQL_OPT_SSL_VERIFY_SERVER_CERT.
It makes the mysql client library check that the commonName in the server's SSL certificate matches the host name provided to mysql_real_connect() and aborts the connection if the name doesn't match.
If someone goes through the trouble of using SSL with MySQL .. should this even be optional? I guess I shouldn’t break any v2.2 installations even accidentally, but for v2.3 I don’t really see any point of not having this enabled unconditionally.
It should be optional or it will break other running systems when the update/upgrade.
But perhaps it should break (in v2.3.0)? Otherwise it’s not really running securely anyway. At least the default should be to verify the cert.
On Fri, 2013-11-22 at 13:52 +0200, Timo Sirainen wrote:
On 22.11.2013, at 9.22, Patrick Ben Koetter p@sys4.de wrote:
- Timo Sirainen dovecot@dovecot.org:
On 22.11.2013, at 0.35, Gareth Palmer gareth@acsdata.co.nz wrote:
The following patch adds support for enabling MYSQL_OPT_SSL_VERIFY_SERVER_CERT.
It makes the mysql client library check that the commonName in the server's SSL certificate matches the host name provided to mysql_real_connect() and aborts the connection if the name doesn't match.
If someone goes through the trouble of using SSL with MySQL .. should this even be optional? I guess I shouldn’t break any v2.2 installations even accidentally, but for v2.3 I don’t really see any point of not having this enabled unconditionally.
It should be optional or it will break other running systems when the update/upgrade.
But perhaps it should break (in v2.3.0)? Otherwise it’s not really running securely anyway. At least the default should be to verify the cert.
Attached is revised patch the defaults to verifying the cert.
Timo,
Were there any further changes you wanted made to the patch?
It now defaults to having ssl_verify_server_cert enabled.
On Fri, 2013-11-22 at 13:52 +0200, Timo Sirainen wrote:
On 22.11.2013, at 9.22, Patrick Ben Koetter p@sys4.de wrote:
- Timo Sirainen dovecot@dovecot.org:
On 22.11.2013, at 0.35, Gareth Palmer gareth@acsdata.co.nz wrote:
The following patch adds support for enabling MYSQL_OPT_SSL_VERIFY_SERVER_CERT.
It makes the mysql client library check that the commonName in the server's SSL certificate matches the host name provided to mysql_real_connect() and aborts the connection if the name doesn't match.
If someone goes through the trouble of using SSL with MySQL .. should this even be optional? I guess I shouldn’t break any v2.2 installations even accidentally, but for v2.3 I don’t really see any point of not having this enabled unconditionally.
It should be optional or it will break other running systems when the update/upgrade.
But perhaps it should break (in v2.3.0)? Otherwise it’s not really running securely anyway. At least the default should be to verify the cert.
On 4.12.2013, at 6.31, Gareth Palmer gareth@acsdata.co.nz wrote:
Were there any further changes you wanted made to the patch?
It now defaults to having ssl_verify_server_cert enabled.
Better avoid breaking people’s systems for now. I’ll add a note to my v2.3-TODO to update it then. I did some minor changes, mainly I thought it’s better to always explicitly set it, so just in case MySQL changes its default behavior Dovecot’s behavior wouldn’t change: http://hg.dovecot.org/dovecot-2.2/rev/7a7898ffe87f
participants (3)
-
Gareth Palmer
-
Patrick Ben Koetter
-
Timo Sirainen