
LP #1447527: --ssl option should enforce SSL


    • Bug
    • Status: On Hold
    • High
    • Resolution: Unresolved


      Reported in Launchpad by David Busby, last update 08-12-2015 10:41:20

      This morning we received a report from oCERT which is being treated as a public security issue in the MySQL client.

      In short, it is possible for the MySQL client to silently fall back on a non-SSL connection instead of aborting the connection, and as such communication will not be encrypted "in flight". This is known, documented behaviour.

      This is now being assigned a CVE and an advisory is set for release April 29th, the body of the original notification follows.

      This issue affects MariaDB, and very likely Percona as well, and is related
      to https://mariadb.atlassian.net/browse/MDEV-7937

      The issue concerns the impossibility for MySQL/MariaDB users (with any major
      stable version) to enforce an SSL connection without possibility for a MITM
      attack to perform a malicious downgrade.

      The issue affects MySQL versions before 5.7.3. However, these fixes have not
      been back-ported to previous major versions (5.5, 5.6, etc.), and MySQL 5.7
      is not yet considered a stable release. Situation should be similar with

      Therefore the vast majority of MySQL/MariaDB users:

      a) have no ability to enforce SSL use, except by patching code or
      performing a major-version upgrade to a development release, and

      b) are probably not aware of this limitation

      The following links clearly illustrate the issue:


      While technically this is documented behaviour, it represents a pretty bad
      one and the feeling is that most users actually have no awareness of this.
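The downgrade the report describes comes down to one capability bit in the server's first packet. The Python model below is an added example, not code from Percona Server or MySQL, and reproduces only that part of the handshake with constructed packets: a client that merely prefers TLS (the historical `--ssl` behaviour) proceeds in plaintext when the `CLIENT_SSL` bit is missing from the greeting, while an enforcing client refuses to continue. `CLIENT_SSL` and the `HandshakeV10` layout are the real protocol's; the function names, the sample server version and the scenario labels are the example's own.

```python
"""Model of the client-side TLS decision the report describes.

Added example, not Percona Server or MySQL code. It reproduces only the
capability-flag exchange of the MySQL handshake: the server's greeting
advertises CLIENT_SSL when it can do TLS, a client that merely *prefers*
TLS falls back to plaintext whenever that bit is absent, and a client that
*requires* TLS refuses to continue. Packet layout follows
Protocol::HandshakeV10; all sample values are constructed.
"""
import struct

CLIENT_SSL = 0x0800  # real MySQL capability bit: "server can switch to TLS"


def build_handshake_v10(server_version: str, connection_id: int, capabilities: int) -> bytes:
    """Build the fixed-layout head of a HandshakeV10 greeting (constructed sample)."""
    return (
        b"\x0a"                                              # protocol version 10
        + server_version.encode() + b"\x00"                  # NUL-terminated server version
        + struct.pack("<I", connection_id)                   # connection id
        + b"\x01" * 8                                        # auth-plugin-data-part-1 (constructed, not random)
        + b"\x00"                                            # filler
        + struct.pack("<H", capabilities & 0xFFFF)           # capability flags, lower 16 bits
        + b"\x21"                                            # character set (33 = utf8_general_ci)
        + struct.pack("<H", 0x0002)                          # status flags (SERVER_STATUS_AUTOCOMMIT)
        + struct.pack("<H", (capabilities >> 16) & 0xFFFF)   # capability flags, upper 16 bits
    )


def parse_server_capabilities(packet: bytes) -> int:
    """Read the 32-bit capability flags out of a HandshakeV10 greeting."""
    if packet[0] != 0x0A:
        raise ValueError("not a HandshakeV10 greeting")
    pos = packet.index(b"\x00", 1) + 1           # skip protocol byte and version string
    pos += 4 + 8 + 1                             # connection id, auth data part 1, filler
    (lower,) = struct.unpack_from("<H", packet, pos)
    pos += 2 + 1 + 2                             # lower caps, charset, status flags
    (upper,) = struct.unpack_from("<H", packet, pos)
    return (upper << 16) | lower


class SslRequiredError(ConnectionError):
    """Raised when TLS is required but the server greeting does not offer it."""


def choose_transport(greeting: bytes, want_tls: bool, require_tls: bool) -> str:
    """Decide how the client proceeds after reading the server greeting.

    want_tls    -- the historical --ssl behaviour: use TLS if offered, else plaintext
    require_tls -- the enforcing behaviour the report asks for: TLS or abort
    """
    server_offers_tls = bool(parse_server_capabilities(greeting) & CLIENT_SSL)
    if (want_tls or require_tls) and server_offers_tls:
        return "tls"
    if require_tls:
        raise SslRequiredError("server greeting lacks CLIENT_SSL; refusing plaintext fallback")
    return "plaintext"


def run_scenarios() -> dict:
    """Exercise the three cases the report turns on; returns the transport per scenario."""
    # Constructed capability set: LONG_PASSWORD | PROTOCOL_41 | SSL | SECURE_CONNECTION | PLUGIN_AUTH
    caps_with_tls = 0x0001 | 0x0200 | CLIENT_SSL | 0x8000 | 0x80000
    honest = build_handshake_v10("5.6.24-demo", 7, caps_with_tls)
    # Same greeting with CLIENT_SSL cleared: what the client sees when the offer is stripped in transit
    downgraded = build_handshake_v10("5.6.24-demo", 7, caps_with_tls & ~CLIENT_SSL)

    results = {
        "honest, --ssl": choose_transport(honest, want_tls=True, require_tls=False),
        "downgraded, --ssl": choose_transport(downgraded, want_tls=True, require_tls=False),
    }
    try:
        choose_transport(downgraded, want_tls=True, require_tls=True)
        results["downgraded, enforced"] = "tls"   # unreachable: the greeting offers no TLS
    except SslRequiredError:
        results["downgraded, enforced"] = "aborted"
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:22s} -> {outcome}")
```

Run directly, the script prints `tls`, `plaintext` and `aborted` for the three scenarios. The middle one is the report's point: with a prefer-only client nothing in the protocol flow errors out, so on an affected version the only way to notice a plaintext session is to check after connecting, for example that the `Ssl_cipher` status variable is non-empty.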
