Showing entries 51 to 60 of 77
Displaying posts with tag: SSL
Heartbleed OpenSSL Bug: Impact on ClusterControl Users & Recommendations on How to Protect your Systems

April 10, 2014 By Severalnines

In the wake of recent concerns and debates raised around the Heartbleed bug, we wanted to update Severalnines ClusterControl users on any impact this bug might have on ClusterControl & associated databases and/or applications.

Background

If your ClusterControl's web application has been accessible on the internet, then most likely you have also been exposed to the Heartbleed OpenSSL security bug, see: http://heartbleed.com for more details. 

By default, our database deployment script enables SSL encryption for the Apache web server on the Controller host with a generated private SSL key and a self-signed certificate. SSL encryption is used between the UI and the Controller REST API if you have clusters added with HTTPS, which we do by default. The content that is encrypted …

Heartbleed: Separating FAQ From FUD

If you’ve been following this blog (my colleague, David Busby, posted about it yesterday) or any tech news outlet in the past few days, you’ve probably seen some mention of the “Heartbleed” vulnerability in certain versions of the OpenSSL library.

So what is ‘Heartbleed’, really?

In short, Heartbleed is an information-leak issue. An attacker can exploit this bug to retrieve the contents of a server’s memory without any need for local access. According to the researchers that discovered it, this can be done without leaving any trace of compromise on the system. In other words, if you’re vulnerable, they can steal your keys and you won’t even notice that they’ve gone missing. I use the word “keys” literally here; by being able to access the contents of the impacted service’s memory, the attacker is …

Redefining --ssl option

MySQL clients have long had a --ssl option. Casual users may think specifying this option will cause clients to secure connections using SSL. That is not the case:

D:\mysql-5.6.13-winx64>bin\mysql -uroot -P3307 --ssl
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.6.13-log MySQL Community Server (GPL)

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \s
--------------
bin\mysql  Ver 14.14 Distrib 5.6.13, for Win64 (x86_64)

Connection id:          2
Current database:
Current user:           root@localhost
SSL:                    Not in use
...

This behavior is clearly explained in the …

SSL with MySQL does not have to be complicated

I've blogged before about how complicated setting up SSL with MySQL can be. Since then many bugs have been fixed related to SSL.

But still many people are using unencrypted connections for replication and client connections.

This could be because of possible performance degradation. But then it could be used for only the admin connections.

It could also be because they already use SSH or VPN.

But for many it's because they think it's complicated. This is not necessary. I've created mysslgen which makes it easier to set up SSL. Just run mysslgen.py and then the CA, server and client certificates and keys will be generated for you. The most difficult part is to get Python 3.3 or Python 2.7 to run on CentOS/RHEL/OEL 6.
If you …

MySQL 5.7: mysqlbinlog now supports SSL

Starting in version 5.7.3, MySQL added SSL support to the mysqlbinlog client program. This feature allows system administrators to perform remote binlog queries (using the --read-from-remote-server option) over secure connections.

So, the behavior of the mysqlbinlog client program using SSL options is now the same as other MySQL client tools, with the same SSL options and same SSL defaults. See the References section if you want more information about MySQL SSL options.

Overview

The remote administration of MySQL servers is a very common task as many MySQL servers are deployed in remote hosting facilities or in remotely located data centers.

There are many problems with remote administration of servers. With respect to security, the major concerns are:

  • If the traffic between the administrative console and the remote server passes …

MySQL encryption performance, revisited

This is part two of a two-part series on the performance implications of in-flight data encryption with MySQL. In the first part, I focused specifically on the impact of using MySQL’s built-in SSL support with some rather surprising results. Certainly it was expected that query throughput would be lower with SSL than without, but I was rather surprised by the magnitude of the performance hit incurred at connection setup time. These results naturally lent themselves to some further investigation; in particular, I wanted to compare performance differences between MySQL’s built-in SSL encryption facilities and external encryption technologies, such as SSH tunneling. I’ll also be using this post to address a couple of questions posed in the comments on my original article. So, without further ado….

Test Environment

The …

SSL Performance Overhead in MySQL

NOTE: This is part 1 of what will be a two-part series on the performance implications of using in-flight data encryption.

Some of you may recall my security webinar from back in mid-August; one of the follow-up questions that I was asked was about the performance impact of enabling SSL connections. My answer was 25%, based on some 2011 data that I had seen over on yaSSL’s website, but I included the caveat that it is workload-dependent, because the most expensive part of using SSL is establishing the connection. Not long thereafter, I received a request to conduct some more specific benchmarks surrounding SSL usage in MySQL, and today I’m going to show the results.

First, the testing …

Man in the Middle? - No, thank you!

After speaking about the topic at the Developer Week 2013 in Nürnberg this week, due to a scheduling coincidence I repeated it today for our codecentric "Dev-Friday" in which internal or external speakers present some topic to the whole company.

For a while we have been recording these for colleagues on vacation or otherwise occupied during the talk to watch it later. Several of them are available on codecentric's YouTube channel publicly. As of a few moments ago, so is my "Man in the Middle? – No, thank you!" talk on the possibility of – and countermeasures against – man in the middle attacks against SSL connections.

For your convenience, here is the video:



The …

Setting up MySQL SSL and secure connections

There are different articles on how to set up MySQL with SSL but it’s sometimes difficult to end up with a good simple one. Usually, setting up MySQL SSL is not really a smooth process due to such factors as “it’s not your day”, something is broken apparently or the documentation lies. I am going to provide brief instructions on how to set up MySQL with SSL, SSL replication and how to establish secure connections from the console and scripts, showing working examples.

SSL-related MySQL Bug #62743 Fixed Recently

I was very pleased to see that the SSL-related MySQL Bug #62743 was just fixed.

Here is the bug for reference:

http://bugs.mysql.com/bug.php?id=62743

In essence, the --ssl-key value was not validated, thus anything could have been specified there.

Your connection would have still been SSL encrypted, which was good at least, but your SSL Key would not have made any difference.

This fix will be included in versions 5.1.66, 5.5.28, 5.6.7, 5.7.0.

For reference, here is the entry that will go into the changelogs:

“The argument to the --ssl-key option was not verified to exist and be
a valid key. The resulting connection used SSL, but the key was not
used.”

 
