Date: Fri, 17 Jul 2015 05:28:17 -0500
From: Mark Felder <feld@feld.me>
To: Alex Dupre <ale@freebsd.org>
Cc: Erwin Lansing <erwin@FreeBSD.org>, svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-committers <ports-committers@freebsd.org>, ports-secteam@freebsd.org
Subject: Re: svn commit: r392140 - head/databases/mysql56-server
Message-ID: <E673D813-358D-43E1-B5E6-96F25C466291@feld.me>
In-Reply-To: <55A8D138.2050901@FreeBSD.org>
References: <201507151349.t6FDn5Sf079974@svnmir.geo.freebsd.org> <20150717081711.GS63119@droso.dk> <55A8D138.2050901@FreeBSD.org>
> On Jul 17, 2015, at 04:56, Alex Dupre <ale@freebsd.org> wrote:
>
> Erwin Lansing wrote:
>>> URL: https://svnweb.freebsd.org/changeset/ports/392140
>>>
>>> Log:
>>> Update to 5.6.25 release.
>>
>> Does this by any chance fix this vulnerability?
>
> No, probably they are not going to fix this "vulnerability" because,
> even if it wasn't a great security choice and in fact it changed in
> mysql 5.7, it was the intended and documented behavior:
>
>
>> For MySQL client programs, this option permits but does not require the client to connect to the server using SSL. Therefore, this option is not sufficient in itself to cause an SSL connection to be used. For example, if you specify this option for a client program but the server has not been configured to enable SSL connections, the client falls back to an unencrypted connection.
>

And yet they advertise this option as a solution for preventing MITM attacks:

> MYSQL_OPT_SSL_VERIFY_SERVER_CERT (argument type: my_bool *)
>
> Enable or disable verification of the server's Common Name value in its
> certificate against the host name used when connecting to the server.
> The connection is rejected if there is a mismatch. This feature can be
> used to prevent man-in-the-middle attacks. Verification is disabled by default.

Which of course is useless if it happily falls back to non-SSL...
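As an added example (not part of this thread and not MySQL's or the port's own code), here is the defensive check a client can make against the fallback described above: after connecting, ask the server for the session's Ssl_cipher status variable, which MySQL leaves empty when the session is unencrypted, and refuse to proceed if it is. The connection object is assumed to follow the DB-API shape that MySQL Connector/Python exposes (cursor(), execute(), fetchall(), close()); the FakeConnection class is a constructed stand-in so the block runs offline.

```python
"""Detect MySQL's silent fallback from TLS to plaintext after connecting.

Requesting SSL with --ssl / MYSQL_OPT_SSL_* on a 5.6-era client only
*permits* TLS; if the server is not configured for it, the session is
plaintext and any certificate verification option never runs. The only
reliable signal is the server's own view of the session: Ssl_cipher is
the negotiated cipher name, or the empty string when there is none.
"""
from typing import Callable, Dict, Iterable, Tuple


class PlaintextConnectionError(RuntimeError):
    """Raised when a session that was meant to be TLS-protected is not."""


def parse_ssl_status(rows: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Convert rows of SHOW STATUS LIKE 'Ssl%' (name, value) into a dict."""
    return {name: value for name, value in rows}


def check_session(conn) -> Dict[str, object]:
    """Return {'encrypted': bool, 'cipher': str} for the live session."""
    cur = conn.cursor()
    cur.execute("SHOW STATUS LIKE 'Ssl_cipher'")
    status = parse_ssl_status(cur.fetchall())
    cipher = status.get("Ssl_cipher", "")
    return {"encrypted": bool(cipher), "cipher": cipher}


def require_tls(conn) -> str:
    """Close the connection and raise unless a cipher was negotiated."""
    info = check_session(conn)
    if not info["encrypted"]:
        conn.close()
        raise PlaintextConnectionError(
            "MySQL session is unencrypted (empty Ssl_cipher); refusing to use it"
        )
    return str(info["cipher"])


def connect_tls_or_fail(connect: Callable[[], object]):
    """Open a connection via `connect` and hand it back only if TLS is in use.

    With MySQL Connector/Python the factory would look like (not run here):
        lambda: mysql.connector.connect(host=HOST, user=USER, password=PW,
                                        ssl_ca="/path/to/ca.pem",
                                        ssl_verify_cert=True)
    """
    conn = connect()
    require_tls(conn)  # closes conn and raises on fallback
    return conn


# --- constructed stand-ins so the example runs without a MySQL server ---

class FakeCursor:
    def __init__(self, rows):
        self._rows = rows
        self._result = []

    def execute(self, sql: str) -> None:
        # Only the status query is modelled; anything else yields no rows.
        self._result = self._rows if sql.upper().startswith("SHOW STATUS") else []

    def fetchall(self):
        return list(self._result)


class FakeConnection:
    """Constructed connection whose status rows are chosen by the caller."""

    def __init__(self, status_rows):
        self._rows = list(status_rows)
        self.closed = False

    def cursor(self) -> FakeCursor:
        return FakeCursor(self._rows)

    def close(self) -> None:
        self.closed = True


def fell_back_to_plaintext(conn) -> bool:
    """True if require_tls rejects the session (and closes it)."""
    try:
        require_tls(conn)
    except PlaintextConnectionError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample status rows: a real TLS session and a fallen-back one.
    good = FakeConnection([("Ssl_cipher", "DHE-RSA-AES256-SHA")])
    bad = FakeConnection([("Ssl_cipher", "")])
    print("good session cipher:", require_tls(good))
    print("bad session rejected:", fell_back_to_plaintext(bad), "closed:", bad.closed)
```

The check runs over the already-established session, so it catches every variant of the fallback regardless of which client-side option was set. On MySQL 5.7 and later the client can instead demand TLS up front with --ssl-mode=REQUIRED (or VERIFY_IDENTITY to also enforce the hostname check the thread quotes), which removes the fallback rather than detecting it after the fact; the post-connect check remains a cheap belt-and-braces assertion on older clients.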