Date: Fri, 12 Jan 2018 15:10:23 +0100
From: Daniël van Eeden <daniel.vaneeden@...king.com>
To: dbi-dev@...l.org, oss-security@...ts.openwall.com
Subject: DBD::mysql and SSL/TLS

Hi,

I have some serious concerns about the state of SSL/TLS in DBD::mysql.

Issue 1: CVE-2017-10789 isn't fixed.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10789

Issue 2: Using DBD::mysql with MariaDB 10.0 or higher or MySQL 8.0 or higher provides a false sense of security. SSL_LAST_VERIFY_VERSION is set to 50799. Any version higher than that silently ignores mysql_ssl_verify_server_cert. This can lead to unencrypted connections even with strict SSL settings.

Issue 3: If SSL support is unavailable but SSL options are set, then these options are silently ignored.

Issue 4: If compiled against MySQL 5.7 then SSL/TLS is used when available, but can't be disabled (mysql_ssl=0 is ignored). This makes upgrading to 5.7 more difficult. And 5.7 is needed to get support for TLSv1.1 and TLSv1.2. There is a patch available for this:
https://github.com/perl5-dbi/DBD-mysql/pull/114

--
Daniël van Eeden
Database Administrator
Booking.com B.V.
Vijzelstraat 66-80 Amsterdam 1017HL Netherlands
Direct +31207033812
<http://www.booking.com/>
The world's #1 accommodation site
43 languages, 187+ offices worldwide, 96,000+ global destinations, 1,200,000+ room nights booked every day
No booking fees, best price always guaranteed
Subsidiary of the Priceline Group (NASDAQ: PCLN)
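A post-connect check that does not trust the client's SSL options, written as an added example (not code from the mail or from DBD::mysql): it refuses to continue when the server reports no cipher for the session and warns when the server version is above the 50799 cut-off from Issue 2, where the mail says mysql_ssl_verify_server_cert is silently ignored. Host, database, credentials, CA path and the mysql_ssl / mysql_ssl_ca_file attributes are assumptions.

```perl
#!/usr/bin/env perl
# Added example: verify what the server actually negotiated instead of
# trusting DBD::mysql to have honoured the SSL options.
use strict;
use warnings;
use DBI;

# MySQL's numeric version encoding (5.7.99 -> 50799), the same scheme
# as the SSL_LAST_VERIFY_VERSION cut-off quoted in the mail.
sub version_id {
    my ($version) = @_;
    my ($maj, $min, $patch) = $version =~ /^(\d+)\.(\d+)\.(\d+)/
        or die "unparseable server version: $version\n";
    return $maj * 10000 + $min * 100 + $patch;
}

sub check_tls_session {
    my ($dbh) = @_;
    # Ssl_cipher is empty when the session was negotiated in plaintext.
    my (undef, $cipher) =
        $dbh->selectrow_array(q{SHOW SESSION STATUS LIKE 'Ssl_cipher'});
    die "MySQL connection is NOT encrypted; refusing to continue\n"
        unless defined $cipher && length $cipher;

    # Issue 2: above 50799 the affected DBD::mysql versions skip
    # mysql_ssl_verify_server_cert, so an encrypted session says nothing
    # about whether the server certificate was checked.
    my ($version) = $dbh->selectrow_array('SELECT VERSION()');
    my $id = version_id($version);
    warn "server $version (id $id) is above 50799: mysql_ssl_verify_server_cert"
       . " may have been silently ignored by this DBD::mysql\n" if $id > 50799;

    return { cipher => $cipher, version => $version, version_id => $id };
}

# Placeholder host, database, credentials and CA path. mysql_ssl and
# mysql_ssl_ca_file are DBD::mysql attributes assumed here; only
# mysql_ssl_verify_server_cert is named in the mail.
my $dsn = join ';',
    'DBI:mysql:database=appdb', 'host=db.example.invalid',
    'mysql_ssl=1', 'mysql_ssl_ca_file=/etc/pki/mysql/ca.pem',
    'mysql_ssl_verify_server_cert=1';

my $dbh  = DBI->connect($dsn, 'app', $ENV{DB_PASSWORD},
                        { RaiseError => 1, PrintError => 0 });
my $info = check_tls_session($dbh);
print "encrypted with $info->{cipher} to server $info->{version}\n";
```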