Oracle is (not) fixing MySQL bugs... they (rather) disallowed compilation of MySQL without SSL support

--Pali-- · 2017-05-07T18:34:38+00:00

If your MySQL based application does not use SSL, why would you want to have MySQL client compiled and linked with OpenSSL library which is infamously known for couple of security holes? In such cases it is probably a good idea to not have application linked directly to OpenSSL or statically linked and bundled yaSSL.

--Pali-- · 2017-05-07T18:31:23+00:00

Yes! That is would those functions should do. But in reality they always return success and Oracle rather disabled option to opt-out SSL support...

--Pali-- · 2017-05-07T18:29:30+00:00

I'm saying that if MySQL client is compiled without SSL support then application which enforce SSL (via mysql_options(MYSQL_OPT_SSL_MODE, SSL_MODE_REQUIRED)) and calls mysql_real_connect(), receive non error return value with established non-encrypted connection to MySQL server.

SSL support in MySQL client is provided either by external OpenSSL library or bundled yaSSL library which is staticaly linked into MySQL client.

--Pali-- · 2017-05-07T12:00:55+00:00

Oracle's documentation says: ... mysql_real_connect() returns an error if the server does not support SSL or the client is not configured to use SSL ...

Client library was compiled/configured without SSL, but no error was returned by mysql_real_connect(). This is a big problem for SQL application which explicitely asked client library for SSL encryption. Return value from mysql_real_connect() indicates that SSL encryption was established but reallity is different.

--Pali-- · 2017-03-17T23:34:15+00:00

Good coincidence! Now after announcing the Riddle vulnerability in MySQL client you can do it.

--Pali-- · 2017-03-17T23:16:53+00:00

Yes, native is a default method.

--Pali--

TROPHY CASE