client support for --ssl-fp and --ssl--fplist

implement --ssl-fp and --ssl-fplist for all clients.
--ssl-fp takes one certificate fingerprint, for example,
00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33

--ssl-fplist takes a path to a file with one fingerprint per line.

if the server's certificate fingerprint matches ssl-fp or is found
in the file - the certificate is considered verified.
If the fingerprint is specified but doesn't match - the connection
is aborted independently from the --ssl-verify-server-cert
This commit is contained in:
Sergei Golubchik 2023-09-01 10:25:53 +02:00
parent 1ef1bab99e
commit bac0f8999d
7 changed files with 55 additions and 1 deletions

View file

@ -111,6 +111,7 @@ enum options_client
OPT_DO_DOMAIN_IDS, OPT_DO_DOMAIN_IDS,
OPT_IGNORE_SERVER_IDS, OPT_IGNORE_SERVER_IDS,
OPT_DO_SERVER_IDS, OPT_DO_SERVER_IDS,
OPT_SSL_FP, OPT_SSL_FPLIST,
OPT_MAX_CLIENT_OPTION /* should be always the last */ OPT_MAX_CLIENT_OPTION /* should be always the last */
}; };

View file

@ -217,10 +217,10 @@ static ulong max_buf_pool_modified_pct;
/* Ignored option (--log) for MySQL option compatibility */ /* Ignored option (--log) for MySQL option compatibility */
static char* log_ignored_opt; static char* log_ignored_opt;
extern my_bool opt_use_ssl; extern my_bool opt_use_ssl;
extern char *opt_tls_version; extern char *opt_tls_version;
my_bool opt_ssl_verify_server_cert; my_bool opt_ssl_verify_server_cert;
char *opt_ssl_fp, *opt_ssl_fplist;
my_bool opt_extended_validation; my_bool opt_extended_validation;
my_bool opt_encrypted_backup; my_bool opt_encrypted_backup;

View file

@ -24,6 +24,11 @@
case OPT_SSL_CIPHER: case OPT_SSL_CIPHER:
case OPT_SSL_CRL: case OPT_SSL_CRL:
case OPT_SSL_CRLPATH: case OPT_SSL_CRLPATH:
case OPT_TLS_VERSION:
#ifdef MYSQL_CLIENT
case OPT_SSL_FP:
case OPT_SSL_FPLIST:
#endif
/* /*
Enable use of SSL if we are using any ssl option Enable use of SSL if we are using any ssl option
One can disable SSL later by using --skip-ssl or --ssl=0 One can disable SSL later by using --skip-ssl or --ssl=0

View file

@ -52,6 +52,11 @@
0, 0, 0, 0, 0, 0}, 0, 0, 0, 0, 0, 0},
#ifdef MYSQL_CLIENT #ifdef MYSQL_CLIENT
{"ssl-fp", OPT_SSL_FP, "Server certificate fingerprint (implies --ssl).",
&opt_ssl_fp, &opt_ssl_fp, 0, GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
{"ssl-fplist", OPT_SSL_FPLIST, "File with accepted server certificate "
"fingerprints, one per line (implies --ssl).",
&opt_ssl_fplist, &opt_ssl_fplist, 0, GET_STR, REQUIRED_ARG, 0, 0, 0, 0, 0, 0},
{"ssl-verify-server-cert", OPT_SSL_VERIFY_SERVER_CERT, {"ssl-verify-server-cert", OPT_SSL_VERIFY_SERVER_CERT,
"Verify server's certificate to prevent man-in-the-middle attacks", "Verify server's certificate to prevent man-in-the-middle attacks",
&opt_ssl_verify_server_cert, &opt_ssl_verify_server_cert, &opt_ssl_verify_server_cert, &opt_ssl_verify_server_cert,

View file

@ -32,6 +32,8 @@ SSL_STATIC char *opt_ssl_crl = 0;
SSL_STATIC char *opt_ssl_crlpath = 0; SSL_STATIC char *opt_ssl_crlpath = 0;
SSL_STATIC char *opt_tls_version = 0; SSL_STATIC char *opt_tls_version = 0;
#ifdef MYSQL_CLIENT #ifdef MYSQL_CLIENT
SSL_STATIC char *opt_ssl_fp = 0;
SSL_STATIC char *opt_ssl_fplist = 0;
SSL_STATIC my_bool opt_ssl_verify_server_cert= 0; SSL_STATIC my_bool opt_ssl_verify_server_cert= 0;
#define SET_SSL_OPTS(M) \ #define SET_SSL_OPTS(M) \
@ -43,6 +45,8 @@ SSL_STATIC my_bool opt_ssl_verify_server_cert= 0;
mysql_options((M), MYSQL_OPT_SSL_CRL, opt_ssl_crl); \ mysql_options((M), MYSQL_OPT_SSL_CRL, opt_ssl_crl); \
mysql_options((M), MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath); \ mysql_options((M), MYSQL_OPT_SSL_CRLPATH, opt_ssl_crlpath); \
mysql_options((M), MARIADB_OPT_TLS_VERSION, opt_tls_version); \ mysql_options((M), MARIADB_OPT_TLS_VERSION, opt_tls_version); \
mysql_options((M), MARIADB_OPT_TLS_PEER_FP, opt_ssl_fp); \
mysql_options((M), MARIADB_OPT_TLS_PEER_FP_LIST, opt_ssl_fplist); \
} \ } \
mysql_options((M),MYSQL_OPT_SSL_VERIFY_SERVER_CERT, \ mysql_options((M),MYSQL_OPT_SSL_VERIFY_SERVER_CERT, \
&opt_ssl_verify_server_cert); \ &opt_ssl_verify_server_cert); \

View file

@ -0,0 +1,12 @@
create function have_ssl() returns char(3)
return (select if(variable_value > '','yes','no') as 'have_ssl'
from information_schema.session_status
where variable_name='ssl_cipher');
# mysql --protocol tcp -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
ERROR 2026 (HY000): TLS/SSL error: Failed to verify the server certificate
# mysql --protocol tcp -uroot --ssl-fp=F1:D0:08:AF:A1:D2:F4:15:79:B4:39:06:41:F4:20:96:F1:90:A9:65 --ssl-verify-server-cert -e "select test.have_ssl()"
test.have_ssl()
yes
# mysql --protocol tcp -uroot --ssl-fp=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33 --disable-ssl-verify-server-cert -e "select test.have_ssl()"
ERROR 2026 (HY000): TLS/SSL error: Fingerprint verification of server certificate failed
drop function have_ssl;

View file

@ -0,0 +1,27 @@
source include/not_embedded.inc;
create function have_ssl() returns char(3)
return (select if(variable_value > '','yes','no') as 'have_ssl'
from information_schema.session_status
where variable_name='ssl_cipher');
#
# passwordless root cannot connect w/o fingerprint:
#
--echo # mysql --protocol tcp -uroot --ssl-verify-server-cert -e "select test.have_ssl()"
--replace_regex /TLS\/SSL error.*certificate[^\n]*/TLS\/SSL error: Failed to verify the server certificate/
--error 1
--exec $MYSQL --protocol tcp -uroot --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
#
# fingerprint based cert verification:
#
--echo # mysql --protocol tcp -uroot --ssl-fp=F1:D0:08:AF:A1:D2:F4:15:79:B4:39:06:41:F4:20:96:F1:90:A9:65 --ssl-verify-server-cert -e "select test.have_ssl()"
--exec $MYSQL --protocol tcp -uroot --ssl-fp=F1:D0:08:AF:A1:D2:F4:15:79:B4:39:06:41:F4:20:96:F1:90:A9:65 --ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
#
# wrong fingerprint fails even with --disable-ssl-verify-server-cert
#
--echo # mysql --protocol tcp -uroot --ssl-fp=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33 --disable-ssl-verify-server-cert -e "select test.have_ssl()"
--error 1
--exec $MYSQL --protocol tcp -uroot --ssl-fp=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33 --disable-ssl-verify-server-cert -e "select test.have_ssl()" 2>&1
drop function have_ssl;