
Gem does not verify hostname when ssl_mode: :verify_identity #879

Open
ljfranklin opened this issue Aug 18, 2017 · 9 comments
@ljfranklin

From the MySQL documentation, the VERIFY_IDENTITY SSL mode should verify that the hostname in the server's certificate matches the hostname to which the client tried to connect. However, when setting ssl_mode: :verify_identity the gem connects even if there is a hostname mismatch. If I set ssl_mode: :verify_identity AND sslverify: true, the gem returns an SSL validation error as expected.

Using mysql2 version 0.4.8 and MariaDB connector C version 2.3.0 as the driver.

ljfranklin added a commit to cloudfoundry/cloud_controller_ng that referenced this issue Aug 18, 2017
- The documentation indicates that `:verify_identity` should be
  sufficient to verify the hostname in the certificate matches the
  connection string, but hostname verify was not taking place.
- Adding `sslverify: true` fixes this, opened an issue to understand why
  this extra field is necessary:
  brianmario/mysql2#879

[#132950039]
@sodabrew sodabrew added this to the 0.4.10 milestone Nov 14, 2017
@sodabrew (Collaborator) commented Nov 14, 2017

ssl_mode: :verify_identity sets a different flag than the connection option SSL_VERIFY_SERVER_CERT.

Also:

VERIFY_IDENTITY: Like VERIFY_CA, but additionally check the server's Common Name value in the certificate that the server sends to the client. The client verifies that name against the host name the client uses for connecting to the server, and the connection fails if there is a mismatch. For encrypted connections, this option helps prevent man-in-the-middle attacks. This is like the legacy --ssl-verify-server-cert option.

Also:

The --ssl-verify-server-cert option is deprecated as of MySQL 5.7.11 and is removed in MySQL 8.0. Use --ssl-mode=VERIFY_IDENTITY instead.

So I don't understand why you're seeing a different behavior between ssl_mode: :verify_identity and sslverify: true, the documentation indicates that ssl_mode: :verify_identity should have taken care of this.

@sodabrew (Collaborator)

I have this suspicion that it is related to #889 but I'm not quite following my own hunch. This doesn't make sense to me in your OP, it must be a bug in MySQL client!?

> If I set ssl_mode: :verify_identity AND sslverify: true, the gem returns an SSL validation error as expected.

@sodabrew sodabrew removed this from the 0.4.10 milestone Nov 14, 2017
@sodabrew (Collaborator) commented Nov 16, 2017

Please check if 0.4.10 resolves this issue for you, otherwise it may simply require documentation that both flags are required.

@sodabrew (Collaborator) commented Feb 3, 2018

Did version 0.4.10 resolve the issue for you?

@ljfranklin (Author)

@sodabrew unfortunately I've since rolled off the team that was hitting this issue. Luckily (or unluckily), my coworker @pivotal-jamil-shamy is hitting a similar issue. Maybe they can check if version 0.4.10 works.

@pivotal-jamil-shamy

@sodabrew @ljfranklin we're using version 0.4.10 as well and still hitting a similar issue

@sodabrew sodabrew added this to the 0.5.1 milestone Mar 21, 2018
@sodabrew sodabrew modified the milestones: 0.5.1, 0.5.2 Apr 7, 2018
@sodabrew sodabrew modified the milestones: 0.5.2, 0.5.3 Jul 4, 2018
@lisamburns

We are experiencing this issue as well.

@abg commented Nov 12, 2018

For context, MariaDB's client library does not support ssl_mode, so this connector's :ssl_mode effectively gets ignored when built against MariaDB client libraries. MariaDB's client libraries are not a 100% drop-in replacement for MySQL. :sslverify => true must be used instead to get VERIFY_IDENTITY semantics.
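As an added example (not code from the mysql2 project or from anyone in this thread), the Ruby below builds a mysql2 options hash that requests server-hostname verification on both code paths described above, and audits an existing options hash for the gap this issue reports: `:ssl_mode => :verify_identity` set without `:sslverify => true`, which is silently ignored when the gem is built against MariaDB Connector/C. The option keys `:ssl_mode`, `:sslverify` and `:sslca` are the gem's own; the helper names, the audit rules and the sample values are my assumptions, not anything the gem or this thread defines.

```ruby
# Added example; not part of the mysql2 gem or of this issue thread.
# Option keys assumed to be the gem's documented ones:
#   :host, :username, :password, :database, :sslca, :ssl_mode, :sslverify

# ssl_mode values that must be paired with :sslverify => true so the
# request survives a build against MariaDB Connector/C (which ignores
# :ssl_mode per this thread). Assumption: only :verify_identity needs it.
TLS_MODES_NEEDING_SSLVERIFY = [:verify_identity].freeze

# Returns an options hash for Mysql2::Client.new that asks for hostname
# verification on both paths: :ssl_mode for MySQL's libmysqlclient and
# :sslverify (the SSL_VERIFY_SERVER_CERT flag) for MariaDB Connector/C.
def hostname_verifying_options(host:, ca_file:, username:, password:, database: nil)
  opts = {
    host: host,
    username: username,
    password: password,
    sslca: ca_file,               # CA the server chain must anchor to
    ssl_mode: :verify_identity,   # honoured by MySQL's libmysqlclient
    sslverify: true,              # honoured by MariaDB Connector/C
  }
  opts[:database] = database if database
  opts
end

# Audits an options hash and returns an array of findings (strings).
# An empty array means hostname verification is requested on both paths
# and a CA file is configured.
def audit_tls_options(opts)
  findings = []
  mode   = opts[:ssl_mode]
  verify = opts[:sslverify] ? true : false

  if mode.nil? && !verify
    findings << 'no TLS verification requested (neither :ssl_mode nor :sslverify set)'
  end

  if TLS_MODES_NEEDING_SSLVERIFY.include?(mode) && !verify
    findings << ':ssl_mode => :verify_identity without :sslverify => true; ' \
                'hostname is not checked when built against MariaDB Connector/C'
  end

  if verify && mode != :verify_identity
    findings << ':sslverify => true without :ssl_mode => :verify_identity; ' \
                'set both so the request survives a libmysqlclient build'
  end

  if (verify || mode) && opts[:sslca].nil?
    findings << 'no :sslca given; the server chain is not anchored to a CA you chose'
  end

  findings
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values; no connection is made here.
  good = hostname_verifying_options(host: 'db.example.internal',
                                    ca_file: '/etc/ssl/mysql-ca.pem',
                                    username: 'app', password: 'example')
  weak = { host: 'db.example.internal', sslca: '/etc/ssl/mysql-ca.pem',
           ssl_mode: :verify_identity }
  puts "good: #{audit_tls_options(good).inspect}"
  puts "weak: #{audit_tls_options(weak).inspect}"
  # Real use: Mysql2::Client.new(good)
end
```

Run the audit against whatever hash your application already passes to `Mysql2::Client.new`; a non-empty result on the `:verify_identity`-only shape is exactly the configuration the reporter found connecting despite a hostname mismatch.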

@pivotal-jamil-shamy

cc @xtreme-andrew-su @freddesbiens
