In my previous blogs I told you to enable SSL/TLS and configure it to check the CA. So I followed my advice and did all that. Great!
So the --ssl-mode setting was used a few times as a solution. And it has a setting we didn't use yet: VERIFY_IDENTITY. In older MySQL versions you can use --ssl-verify-server-cert. Both turn on hostname verification.
The attack
Get any certificate that is trusted by the configured CA; this can, for example, be a certificate from a development machine. Then use it with a man-in-the-middle proxy.
Then the client:
- Checks if SSL is used (--ssl-mode=REQUIRED)
- Verifies that the certificate is signed by a trusted CA (--ssl-mode=VERIFY_CA)
Both checks succeed. But the certificate might be for testhost01.example.com and the database server might be prod-websitedb-123.example.com. …
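The difference between the three modes, as an added example that is not part of the original post or of MySQL's code: a simplified Python model of the client-side decision, run against the two hostnames mentioned above. The CA name, the class and function names, and the wildcard rule are assumptions made for illustration; comparing issuer names stands in for real certificate chain validation.

```python
# Simplified model of the client-side checks behind --ssl-mode.
# Added illustration; not MySQL's implementation.
from dataclasses import dataclass

MODES = ("REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY")

@dataclass(frozen=True)
class PresentedCert:
    issuer: str       # stands in for full chain validation (assumption)
    dns_names: tuple  # hostnames the certificate was issued for

def hostname_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match; '*' may only replace the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # require at least two fixed labels so '*.com' never matches
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def client_accepts(mode, cert, trusted_cas, connect_host, tls_in_use=True):
    """Return (accepted, reason) for one connection attempt."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    if not tls_in_use:
        return False, "connection is not encrypted"
    if mode == "REQUIRED":
        return True, "encrypted; certificate not checked"
    if cert.issuer not in trusted_cas:
        return False, "certificate not signed by a trusted CA"
    if mode == "VERIFY_CA":
        return True, "trusted CA; hostname not checked"
    if any(hostname_matches(n, connect_host) for n in cert.dns_names):
        return True, "trusted CA and hostname match"
    return False, f"certificate is not valid for {connect_host}"

# Constructed sample data, using the hostnames from the text above.
TRUSTED = {"Example Internal CA"}
DEV_CERT = PresentedCert("Example Internal CA", ("testhost01.example.com",))
PROD_HOST = "prod-websitedb-123.example.com"

def compare_modes():
    return {m: client_accepts(m, DEV_CERT, TRUSTED, PROD_HOST)[0] for m in MODES}

if __name__ == "__main__":
    for mode in MODES:
        print(mode, client_accepts(mode, DEV_CERT, TRUSTED, PROD_HOST))
```

Only VERIFY_IDENTITY rejects the development certificate when the client is connecting to the production hostname.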