mysql2
Gem does not verify hostname when `ssl_mode: :verify_identity`
From the MySQL documentation, the VERIFY_IDENTITY SSL mode should verify that the hostname in the server's certificate matches the hostname to which the client tried to connect. However, when setting `ssl_mode: :verify_identity`, the gem connects even if there is a hostname mismatch. If I set `ssl_mode: :verify_identity` AND `sslverify: true`, the gem returns an SSL validation error as expected.
Using mysql2 version 0.4.8 and MariaDB connector C version 2.3.0 as the driver.
`ssl_mode: :verify_identity` sets a different flag than the connection option SSL_VERIFY_SERVER_CERT.
Also:
VERIFY_IDENTITY: Like VERIFY_CA, but additionally check the server's Common Name value in the certificate that the server sends to the client. The client verifies that name against the host name the client uses for connecting to the server, and the connection fails if there is a mismatch. For encrypted connections, this option helps prevent man-in-the-middle attacks. This is like the legacy --ssl-verify-server-cert option.
Also:
The --ssl-verify-server-cert option is deprecated as of MySQL 5.7.11 and is removed in MySQL 8.0. Use --ssl-mode=VERIFY_IDENTITY instead.
So I don't understand why you're seeing a different behavior between `ssl_mode: :verify_identity` and `sslverify: true`; the documentation indicates that `ssl_mode: :verify_identity` should have taken care of this.
I have this suspicion that it is related to #889 but I'm not quite following my own hunch. This doesn't make sense to me in your OP, it must be a bug in MySQL client!?
If I set ssl_mode: :verify_identity AND sslverify: true, the gem returns an SSL validation error as expected.
Please check if 0.4.10 resolves this issue for you, otherwise it may simply require documentation that both flags are required.
Did version 0.4.10 resolve the issue for you?
@sodabrew unfortunately I've since rolled off the team that was hitting this issue. Luckily (or unluckily), my coworker @pivotal-jamil-shamy is hitting a similar issue. Maybe they can check if version 0.4.10 works.
@sodabrew @ljfranklin we're using version 0.4.10 as well and still hitting the similar issue
We are experiencing this issue as well.
For context, MariaDB's client library does not support ssl_mode, so this connector's `:ssl_mode` effectively gets ignored when built against MariaDB client libraries. MariaDB's client libraries are not a 100% drop-in replacement for MySQL. `:sslverify => true` must be used instead to get VERIFY_IDENTITY semantics.
cc @xtreme-andrew-su @freddesbiens
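The check that the thread is arguing about is the one a VERIFY_IDENTITY connection adds on top of VERIFY_CA: after the certificate chains to a trusted CA, the name the client dialed must also match a name in the certificate. The following is an added example, not code from mysql2 or from either connector library. It uses Ruby's own OpenSSL binding to show the difference directly: a self-signed certificate for the constructed hostname `db.example.com` is trusted as the CA, and an in-process TLS server presents it. With only chain verification (the behaviour reported above when `:ssl_mode` is silently ignored) a client that believes it is talking to `mitm.example.com` still connects; with hostname verification switched on, the same handshake is rejected. The hostnames, the helper names and the port-0 loopback listener are all assumptions of this example.

```ruby
require 'openssl'
require 'socket'

# Build a self-signed server certificate whose CN and SAN name `host`.
# Constructed test material only; the cert is also used as its own trust anchor.
def make_server_cert(host)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{host}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{host}"))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [cert, key]
end

# Perform one TLS handshake against an in-process server presenting `cert`.
# The client trusts `cert` as its CA (VERIFY_CA semantics). `verify_hostname`
# additionally requires that `connect_host`, the name the client thinks it is
# reaching, appears in the certificate (VERIFY_IDENTITY semantics).
# Returns :connected or :rejected.
def tls_connect(cert, key, connect_host, verify_hostname:)
  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.cert = cert
  server_ctx.key = key

  client_ctx = OpenSSL::SSL::SSLContext.new
  store = OpenSSL::X509::Store.new
  store.add_cert(cert)
  client_ctx.cert_store = store
  client_ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  client_ctx.verify_hostname = verify_hostname

  listener = TCPServer.new('127.0.0.1', 0) # assumption: loopback is available
  port = listener.addr[1]
  server_thread = Thread.new do
    raw = nil
    begin
      raw = listener.accept
      ssl = OpenSSL::SSL::SSLSocket.new(raw, server_ctx)
      ssl.accept
      ssl.close
    rescue StandardError
      # The client aborts the handshake on a mismatch; that is the expected path.
    ensure
      raw&.close
    end
  end

  raw = TCPSocket.new('127.0.0.1', port)
  ssl = OpenSSL::SSL::SSLSocket.new(raw, client_ctx)
  ssl.hostname = connect_host # the name the client believes it is connecting to
  ssl.sync_close = true
  begin
    ssl.connect
    :connected
  rescue OpenSSL::SSL::SSLError
    :rejected
  ensure
    begin
      ssl.close
    rescue StandardError
      nil
    end
    server_thread.join
    listener.close
  end
end

if __FILE__ == $PROGRAM_NAME
  cert, key = make_server_cert('db.example.com')
  puts "right host, identity check on:  #{tls_connect(cert, key, 'db.example.com', verify_hostname: true)}"
  puts "wrong host, identity check off: #{tls_connect(cert, key, 'mitm.example.com', verify_hostname: false)}"
  puts "wrong host, identity check on:  #{tls_connect(cert, key, 'mitm.example.com', verify_hostname: true)}"
end
```

The second case is the failure mode in the original report: the chain validates, so a VERIFY_CA-only client happily completes the handshake with a server that is not the one it was told to reach. Until the gem is built against a client library that honours `:ssl_mode`, a `Mysql2::Client.new(...)` call that needs VERIFY_IDENTITY behaviour should pass `sslverify: true` alongside `sslca:`, exactly as the thread concludes, and the connection attempt against a mismatched certificate should be tested to confirm it fails.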