Skip to content

Support SSL Request V2 packet #1342

New issue
New issue
Open
Open
Support SSL Request V2 packet#1342
Labels
enhancement
@bgrainger

Description

@bgrainger
bgrainger
opened on Jul 9, 2023

If mariadb-corporation/mariadb-connector-c#227 is accepted, then MySqlConnector should also support the new TLS handshake.

Exact details are in that case and subject to change, but at a high level:

  • Server exposes "supports SSL Request V2" bit
  • Client sends new two-byte SSL Request V2 packet
  • Client should (must?) verify CA to avoid MitM
  • Client sends handshake response with "supports SSL Request V2" bit set

Activity

bgrainger
added
enhancement
on Jul 9, 2023
dlenski

dlenski commented on Jul 11, 2023

@dlenski
dlenski
on Jul 11, 2023 · edited by dlenski
Contributor

Thanks for creating this!

As I just noted in mariadb-corporation/mariadb-connector-c#227 (comment)

I also moved the CLIENT_CAN_SSL_V2 capability bit from the MariaDB extensions (1ULL << 37) to the shared MySQL/MariaDB capability bits (1ULL << 28).

MySQL is affected by these vulnerabilities as well, and if we want to enable a better TLS handshake for all client/server combinations, this capability bit needs to be sent between all client/server combinations.

I believe this will be necessary for non-MariaDB-specific clients like yours to receive the appropriate capability bit from the server (Server exposes "supports SSL Request V2" bit ).

dlenski

dlenski commented on Jul 11, 2023

@dlenski
dlenski
on Jul 11, 2023
Contributor
  • Client sends handshake response with "supports SSL Request V2" bit set

As it's currently implemented in mariadb-corporation/mariadb-connector-c#227 and MariaDB/server#2684, the client's initial (plaintext) packet will contain only the CLIENT_SSL bit.

However, in the post-TLS packet, the client should send the CLIENT_CAN_SSL_V2 bit, because this will allow the server to detect a downgrade attack in which a MITM has forced the client not to use the SSL V2 handshake.

https://github.com/MariaDB/server/pull/2684/files#diff-df544694418bef1c4bc6cdc5211ca133e7ad4d31901f16d0fdee8df6e4debe89R12792-R12813

bgrainger

bgrainger commented on Jul 11, 2023

@bgrainger
bgrainger
on Jul 11, 2023
MemberAuthor
  • Client sends handshake response with "supports SSL Request V2" bit set

However, in the post-TLS packet, the client should send the CLIENT_CAN_SSL_V2 bit

Yes, that's what I meant in my issue. The handshake packet is now only sent after TLS is negotiated (because what would have been the first "handshake response" is now replaced with "SSL Request V2").

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancement

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @dlenski@bgrainger

        Issue actions
          Support SSL Request V2 packet · Issue #1342 · mysql-net/MySqlConnector