svn commit: r392140 - head/databases/mysql56-server

Mark Felder feld at feld.me
Fri Jul 17 10:28:21 UTC 2015


> On Jul 17, 2015, at 04:56, Alex Dupre <ale at freebsd.org> wrote:
> 
> Erwin Lansing wrote:
>>> URL: https://svnweb.freebsd.org/changeset/ports/392140
>>> 
>>> Log:
>>>  Update to 5.6.25 release.
>> 
>> Does this by any chance fix this vulnerability?
> 
> No, probably they are not going to fix this "vulnerability" because,
> even if it wasn't a great security choice and in fact it changed in
> mysql 5.7, it was the intended and documented behavior:
> 
> 
>> For MySQL client programs, this option permits but does not require the client to connect to the server using SSL. Therefore, this option is not sufficient in itself to cause an SSL connection to be used. For example, if you specify this option for a client program but the server has not been configured to enable SSL connections, the client falls back to an unencrypted connection. 
> 

And yet they advertise this option as a solution for preventing MITM attacks:

> MYSQL_OPT_SSL_VERIFY_SERVER_CERT (argument type: my_bool *) 
>
> Enable or disable verification of the server’s Common Name value in its 
> certificate against the host name used when connecting to the server. 
> The connection is rejected if there is a mismatch. This feature can be 
> used to prevent man-in-the-middle attacks. Verification is disabled by default.

Which of course is useless if it happily falls back to non-SSL...
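The thread's point is that a 5.6 client asked to use SSL (and even to verify the server certificate) will still complete an unencrypted session when the server does not offer SSL, so the only reliable defence on the client side is to check the session after connecting and abandon it if it is plaintext. The following is an added example, not code from the thread, the port, or MySQL itself: it treats the rows of `SHOW SESSION STATUS LIKE 'Ssl_%'` as the ground truth (MySQL reports an empty `Ssl_cipher` for a plaintext session) and fails closed. The `FakeCursor`, the status rows and the `connect_tls_or_die` helper (which assumes the mysql-connector-python driver) are constructed for illustration; any DB-API driver whose cursor returns `(name, value)` tuples works with `require_tls`.

```python
"""Detect a MySQL client that silently fell back from SSL to plaintext.

The decision is made from the server's own session status, which is the
one thing the client cannot be fooled about after the handshake: if the
link is not encrypted, Ssl_cipher is an empty string.
"""


class PlaintextFallbackError(RuntimeError):
    """Raised when a session that was supposed to use SSL is unencrypted."""


def tls_in_use(status_rows):
    """Evaluate rows from SHOW SESSION STATUS LIKE 'Ssl_%'.

    status_rows: iterable of (Variable_name, Value) tuples.
    Returns (encrypted, cipher, protocol_version). A plaintext session has
    an empty Ssl_cipher, which is what the fallback described in the thread
    produces even when --ssl was given on the client side.
    """
    status = {name: value for name, value in status_rows}
    cipher = status.get("Ssl_cipher", "")
    version = status.get("Ssl_version", "")
    return (cipher != "", cipher, version)


def require_tls(cursor):
    """Query the open session and refuse to proceed if it is not encrypted.

    Works with any DB-API cursor whose fetchall() yields (name, value) rows.
    Returns (cipher, protocol_version) on success.
    """
    cursor.execute("SHOW SESSION STATUS LIKE 'Ssl_%'")
    encrypted, cipher, version = tls_in_use(cursor.fetchall())
    if not encrypted:
        raise PlaintextFallbackError(
            "session is unencrypted (Ssl_cipher is empty): the client fell "
            "back to plaintext, so MYSQL_OPT_SSL_VERIFY_SERVER_CERT never ran"
        )
    return cipher, version


def connect_tls_or_die(**params):
    """Illustrative connect helper; assumes mysql-connector-python is installed.

    Requests certificate verification, then applies require_tls() so the
    caller never receives a connection that quietly negotiated plaintext.
    """
    import mysql.connector  # assumption: driver available in this environment

    conn = mysql.connector.connect(ssl_verify_cert=True, **params)
    try:
        require_tls(conn.cursor())
    except PlaintextFallbackError:
        conn.close()  # do not leave a plaintext session lying around
        raise
    return conn


# Constructed status rows, shaped like what a 5.6 server returns.
TLS_SESSION = [("Ssl_cipher", "DHE-RSA-AES256-SHA"), ("Ssl_version", "TLSv1")]
PLAINTEXT_SESSION = [("Ssl_cipher", ""), ("Ssl_version", "")]


class FakeCursor:
    """Minimal stand-in for a DB-API cursor so the check runs offline."""

    def __init__(self, rows):
        self._rows = rows
        self.last_sql = None

    def execute(self, sql):
        self.last_sql = sql

    def fetchall(self):
        return list(self._rows)


if __name__ == "__main__":
    print("encrypted session:", require_tls(FakeCursor(TLS_SESSION)))
    try:
        require_tls(FakeCursor(PLAINTEXT_SESSION))
    except PlaintextFallbackError as exc:
        print("rejected:", exc)
```

The same check can be done from the shell with `mysql --ssl ... -e "SHOW SESSION STATUS LIKE 'Ssl_cipher'"` before trusting a scripted connection; clients from 5.7 onward can instead refuse plaintext outright with `--ssl-mode=REQUIRED`, which is the behaviour change the thread refers to.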
