4 messages in com.mysql.lists.java: Security issues around SSL use

| From | Sent On | Attachments |
|---|---|---|
| Ralf Hauser | 11 Feb 2006 00:58 | |
| Ralf Hauser | 19 Mar 2006 13:44 | |
| Rhino | 19 Mar 2006 20:44 | |
| Ralf Hauser | 29 May 2006 12:35 | |

| Subject: | Security issues around SSL use |
|---|---|
| From: | Ralf Hauser (ralf...@gmx.ch) |
| Date: | 02/11/2006 12:58:21 AM |
| List: | com.mysql.lists.java |
Hi,
Digging deeper into this, I did a first shot at an enhancement of ExportControlled.transformSocketToSSLSocket() as below.
But to make this really secure, I guess a few more puzzle pieces ought to be in place also on the server side:
- an additional listening port that only does SSL connections and only serves SSL-enabled users (RFE http://bugs.mysql.com/bug.php?id=17319)
- prevent password guessing (RFE http://bugs.mysql.com/bug.php?id=17318)
- limit the usable ciphers in my.cnf or GRANT, as already possible per the manual
See for corresponding dbcp requirements: http://issues.apache.org/bugzilla/show_bug.cgi?id=38603 and http://issues.apache.org/bugzilla/show_bug.cgi?id=38614 (and as RFE for connector/J summarizing this: http://bugs.mysql.com/bug.php?id=17320)
Anything I forgot?
Any feedback is welcome!
Ralf
P.S.: Please find below a first quick fix showing how I changed ExportControlled.java. Jeremy Wong proposes something slightly different in http://dev.mysql.com/doc/refman/5.1/en/cj-using-ssl.html:
```java
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.IOException;
import java.security.Security;

import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// MysqlIO, CommunicationsException and log are Connector/J's own classes and
// fields; this method lives in com.mysql.jdbc.ExportControlled.
protected static void transformSocketToSSLSocket(MysqlIO mysqlIO)
        throws CommunicationsException {
    SSLSocketFactory sslFact = null;
    // Optional override: the JSSE security property names a custom factory class.
    String targetSSLsocketFactProv = Security.getProperty("ssl.SocketFactory.provider");
    boolean getDefaultFact = false;

    try {
        if (targetSSLsocketFactProv != null) {
            log.debug("targetSSLsocketFactProv: " + targetSSLsocketFactProv);
            if (targetSSLsocketFactProv.trim().length() > 0) {
                log.debug("setting targetSSLsocketFactProv: " + targetSSLsocketFactProv);
                sslFact = (SSLSocketFactory) Class.forName(targetSSLsocketFactProv).newInstance();
            } else {
                getDefaultFact = true;
            }
        } else {
            getDefaultFact = true;
        }
        if (getDefaultFact) {
            sslFact = (SSLSocketFactory) SSLSocketFactory.getDefault();
        }

        // Layer TLS over the already-connected plain socket (autoClose = true).
        mysqlIO.mysqlConnection = sslFact.createSocket(mysqlIO.mysqlConnection,
                mysqlIO.host, mysqlIO.port, true);

        // need to force TLSv1, or else JSSE tries to do a SSLv2 handshake
        // which MySQL doesn't understand
        ((SSLSocket) mysqlIO.mysqlConnection).setEnabledProtocols(new String[] { "TLSv1" }); //$NON-NLS-1$
        ((SSLSocket) mysqlIO.mysqlConnection).startHandshake();

        if (mysqlIO.connection.getUseUnbufferedInput()) {
            mysqlIO.mysqlInput = mysqlIO.mysqlConnection.getInputStream();
        } else {
            mysqlIO.mysqlInput = new BufferedInputStream(
                    mysqlIO.mysqlConnection.getInputStream(), 16384);
        }
        mysqlIO.mysqlOutput = new BufferedOutputStream(
                mysqlIO.mysqlConnection.getOutputStream(), 16384);
        mysqlIO.mysqlOutput.flush();
    } catch (IOException ioEx) {
        throw new CommunicationsException(mysqlIO.connection, mysqlIO.lastPacketSentTimeMs, ioEx);
    } catch (Exception e) {
        log.error(e.getMessage());
        e.printStackTrace();
        throw new CommunicationsException(mysqlIO.connection, mysqlIO.lastPacketSentTimeMs, e);
    }
}
```
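As an added example (not Connector/J's code and not part of the post), the same socket-upgrade step written stand-alone with a loop-back TLS server, so it runs without a MySQL instance. Instead of the `ssl.SocketFactory.provider` lookup it builds an SSLContext from a trust store named on the command line, pins the enabled protocol to TLSv1.2 (TLSv1, which the patch forces, is disabled by default in current JDKs), and turns on hostname verification, which a bare SSLSocket does not perform. The class and method names (PinnedSocketUpgrade, factoryFor, upgrade) and the keystore file are the example's own assumptions; it needs Java 8 or later.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/*
 * Added example, not Connector/J code: the "wrap an open TCP socket in TLS"
 * step of transformSocketToSSLSocket(), with an explicit trust store, a pinned
 * protocol list and hostname verification. Needs Java 8 or later.
 */
public class PinnedSocketUpgrade {

    /** Factory whose trust manager accepts only certificates in the given PKCS12 store. */
    static SSLSocketFactory factoryFor(String storePath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(storePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    /** Upgrade a connected plain socket; startHandshake() throws if the chain or the host name fails. */
    static SSLSocket upgrade(SSLSocketFactory fact, Socket plain, String host, int port,
                             String[] protocols) throws Exception {
        SSLSocket ssl = (SSLSocket) fact.createSocket(plain, host, port, true);
        ssl.setUseClientMode(true);
        ssl.setEnabledProtocols(protocols);
        SSLParameters params = ssl.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // check the cert's name against host
        ssl.setSSLParameters(params);
        ssl.startHandshake();
        return ssl;
    }

    /** Loop-back demo: args[0] is a PKCS12 file holding the server key, args[1] its password. */
    public static void main(String[] args) throws Exception {
        String storePath = args[0];
        char[] pw = args[1].toCharArray();
        String[] protocols = { "TLSv1.2" };

        // Server side: a TLS listener on loopback using the private key in the store.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(storePath)) {
            ks.load(in, pw);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        SSLContext serverCtx = SSLContext.getInstance("TLS");
        serverCtx.init(kmf.getKeyManagers(), null, null);
        SSLServerSocket server = (SSLServerSocket) serverCtx.getServerSocketFactory()
                .createServerSocket(0, 1, InetAddress.getLoopbackAddress());
        server.setEnabledProtocols(protocols);
        Thread echo = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) server.accept();
                 BufferedReader r = new BufferedReader(new InputStreamReader(s.getInputStream(), "UTF-8"));
                 PrintWriter w = new PrintWriter(new OutputStreamWriter(s.getOutputStream(), "UTF-8"), true)) {
                w.println("echo: " + r.readLine());
            } catch (Exception e) {
                e.printStackTrace();
            }
        });
        echo.start();

        // Client side: connect in the clear first (as the driver does before its SSL
        // request packet), then upgrade. The same file doubles as the trust store
        // only because the demo certificate is self-signed.
        int port = server.getLocalPort();
        Socket plain = new Socket(InetAddress.getLoopbackAddress(), port);
        SSLSocket ssl = upgrade(factoryFor(storePath, pw), plain, "localhost", port, protocols);
        PrintWriter out = new PrintWriter(new OutputStreamWriter(ssl.getOutputStream(), "UTF-8"), true);
        BufferedReader in = new BufferedReader(new InputStreamReader(ssl.getInputStream(), "UTF-8"));
        out.println("hello");
        System.out.println(ssl.getSession().getProtocol() + " " + ssl.getSession().getCipherSuite()
                + " -> " + in.readLine());
        ssl.close();
        echo.join();
        server.close();
    }
}
```

To try it, create a self-signed key whose certificate names the host the client will verify against, then run the class with that file: `keytool -genkeypair -alias demo -keyalg RSA -keysize 2048 -dname CN=localhost -ext SAN=dns:localhost -storetype PKCS12 -keystore demo.p12 -storepass changeit -keypass changeit`, followed by `java PinnedSocketUpgrade demo.p12 changeit`. Point the client at a name the certificate does not carry (or at a store without the server's certificate) and startHandshake() fails with an SSLHandshakeException instead of silently talking to whoever answered, which is the check the patch above leaves to the default JSSE behaviour.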