Option to disable CA verification for SSL connections?
matthewlenz opened this issue · 9 comments
Am I overlooking something that allows me to disable CA verification? If not, there should be an option to do so. Like mysql's own tools server verification is not enabled by default in DBD::mysql. Unlike mysql's own tools CA verification is enabled in DBD::mysql by default and there appears to be no option to disable it.
Hello! I'm not sure how it is with DBD::mysql, but there were lot of security issues regarding TLS connections and certificate verification, which I was fixing in the past in DBD::MariaDB. In DBD::MariaDB there is mariadb_ssl_verify_server_cert option, maybe it could help. Also look into documentation section for mariadb_ssl_optional option as it is related to security vulnerabilities.
@pali, mysql_ssl_verify_server_cert is disable by default (it doesn't help with disabling CA verification). I'm just looking for parity with the ssl functionality provided by the standard mysql client. There are certain environments (private virtual networks) where needing to distribute the CA cert along with all perl software is extraneous.
Look at security note in documentation for that mariadb_ssl_optional option. If you are ok with security issues, you could try to use it. But I do not know if DBD::mysql also implements this option.
mysql_ssl_optional
Setting mysql_ssl_optional to true disables strict SSL enforcement and makes SSL connection optional. This option opens security hole for man-in-the-middle attacks. Default value is false which means that mysql_ssl set to true enforce SSL encryption.
This option was introduced in 4.043 version of DBD::mysql. Due to The BACKRONYM and The Riddle vulnerabilities in libmysqlclient library, enforcement of SSL encryption was not possbile and therefore mysql_ssl_optional=1 was effectively set for all DBD::mysql versions prior to 4.043. Starting with 4.043, DBD::mysql with mysql_ssl=1 could refuse connection to MySQL server if underlaying libmysqlclient library is vulnerable. Option mysql_ssl_optional can be used to make SSL connection vulnerable.
I don't see what this has to do with making an SSL connection without verifying the CA. I don't want to make SSL optional I just don't want it to verify the CA like the standard MySQL client doesn't by default.
Well, if it does not help, nor is not what you want, then I'm afraid that there is no option for your usecase.
Anyway, disabling verification of TLS server certificate on the client side is like disabling TLS at all, as it open big security hole for attackers. So I think that from security point of view this setup "use TLS encryption and allow attackers to break it" does not have too much value for implementing and having it. For me only these two options make sense: 1. use encryption & security correctly OR 2. do not use encryption at all.
Apparently the mysql developers disagree with you.
Well, fell free to start implementing this option. As I have not seen any other requests like this, I do not think that other people are also looking for it.
And if mysql developers disagree with me, I'm fine with it. But I would really would like to hear why it is useful and what it brings. Because I really do not see it. Encryption is there for security reasons and if somebody do not want encryption, then what is the reason to enable it? It just slow down traffic and performance.
Note that in both DBD::mysql and DBD::MariaDB were lot of security issues and it was because of issues in mysql library (which is used by these perl modules) which was developed by mysql developers. So if you are saying that they disagree, it just confirms that they do not care about security at all.
I believe they (like myself) believe it's more important to encrypt communications than not to do so. Regardless of the circumstance. Bad actors in a position to eavesdrop are not necessarily in a position to perform a man in the middle. A huge portion of mysql servers are running in cloud environments. Communication across services within providers almost always has some kind of network level encryption. But, communication between nodes within those services is often not. This is the use case for which I was seeking the functionality. I'll look into providing pull request with the functionality.
With MySQL 8.x libraries and the master branch of DBD::mysql
DSN options | SSL/TLS mode |
---|---|
<default> |
SSL_MODE_DISABLED |
mysql_ssl=1 |
SSL_MODE_REQUIRED |
mysql_ssl=1;mysql_ssl_optional=1 |
SSL_MODE_PREFERRED |
mysql_ssl=1;mysql_ssl_ca_file=ca.pem (or with mysql_ssl_ca_path ) |
SSL_MODE_VERIFY_CA |
mysql_ssl=1;mysql_ssl_verify_server_cert=1;mysql_ssl_ca=ca.pem |
SSL_MODE_VERIFY_IDENTITY |
I think this should give enough options, including one where CA validation is disabled.
So it looks to me that there is nothing more to do here.