BUG27434751: Add a TLS/SSL option to verify server name #1


Open: wants to merge 1 commit into base 2.2.3-maint

Conversation

erolatreston (Owner)

To prevent man-in-the-middle attacks, MySQL clients should connect using TLS
and verify the server name against the server certificate's common name (CN)
and subject alternative names (SANs).

This patch adds a new connection option ssl_verify_identity to perform this
verification in the pure Python implementation, and also changes the behavior
of the C extension implementation, which previously was performing this
verification by default.

A test was added for regression.

(cherry picked from commit 069bc67)
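
The server-name check the description refers to, as an added Python example that is not code from this pull request or from mysql-connector-python: `verify_identity` applies the CN/SAN matching rules to a certificate in the shape Python's `ssl` module returns from `getpeercert()`, and `make_verifying_context` shows the two `ssl.SSLContext` settings that an option such as `ssl_verify_identity` has to turn on. The certificate dictionaries and host names are constructed sample values, and the function and parameter names are this example's own, not the connector's.

```python
"""Server-name verification for a TLS peer certificate.

Added example for the pull-request discussion; it is not code from the PR or
from mysql-connector-python. The certificate dictionaries are constructed
sample values in the shape Python's ssl.SSLSocket.getpeercert() returns.
"""
import ipaddress
import ssl
from typing import Optional


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName or CN value against a hostname (RFC 6125 rules).

    A '*' is accepted only as the entire left-most label, so '*.db.example.com'
    matches 'r1.db.example.com' but not 'db.example.com', 'a.b.db.example.com'
    or 'r1.db.example.net'. Comparison is case-insensitive.
    """
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole first label, with at least two labels behind it.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def _ip_matches(san_value: str, ip) -> bool:
    """Compare an 'IP Address' SAN value with a parsed ipaddress object."""
    try:
        return ipaddress.ip_address(san_value.strip()) == ip
    except ValueError:
        return False


def verify_identity(cert: dict, server_name: str) -> bool:
    """Return True if `cert` was issued for `server_name`.

    If the certificate carries subjectAltName entries, only those are consulted
    (DNS entries for a hostname, IP Address entries for an IP literal); RFC 6125
    forbids falling back to the CN in that case. Without a SAN extension the
    subject commonName is used.
    """
    try:
        ip = ipaddress.ip_address(server_name)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    if san:
        if ip is not None:
            return any(kind == "IP Address" and _ip_matches(value, ip) for kind, value in san)
        return any(kind == "DNS" and _dns_name_matches(value, server_name) for kind, value in san)
    if ip is not None:
        return False  # an IP literal is only trusted via an iPAddress SAN
    # `subject` is a tuple of RDNs, each a tuple of (attribute, value) pairs.
    return any(
        key == "commonName" and _dns_name_matches(value, server_name)
        for rdn in cert.get("subject", ())
        for key, value in rdn
    )


def make_verifying_context(ca_file: Optional[str] = None, check_identity: bool = True) -> ssl.SSLContext:
    """Client TLS settings. check_identity=False reproduces the weak setup: the
    chain is still validated against the CA, but a certificate the CA issued for
    any other name is accepted, which is the man-in-the-middle window the option
    in this pull request closes."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED  # reject servers without a trusted chain...
    ctx.check_hostname = check_identity  # ...and, when True, servers presenting the wrong name
    return ctx


# Constructed sample certificates (not real certificates).
CERT_WITH_SAN = {
    "subject": ((("commonName", "mysql.example.com"),),),
    "subjectAltName": (
        ("DNS", "mysql.example.com"),
        ("DNS", "*.db.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}
CERT_CN_ONLY = {
    "subject": ((("countryName", "US"),), (("commonName", "legacy.example.com"),)),
}
CERT_SAN_IGNORES_CN = {
    "subject": ((("commonName", "mysql.example.com"),),),
    "subjectAltName": (("DNS", "other.example.com"),),
}

if __name__ == "__main__":
    for cert, name in [
        (CERT_WITH_SAN, "mysql.example.com"),
        (CERT_WITH_SAN, "r1.db.example.com"),
        (CERT_WITH_SAN, "a.b.db.example.com"),
        (CERT_WITH_SAN, "192.0.2.10"),
        (CERT_CN_ONLY, "legacy.example.com"),
        (CERT_SAN_IGNORES_CN, "mysql.example.com"),
    ]:
        print(f"{name:>22} -> {verify_identity(cert, name)}")
```

The third sample certificate is the case worth noticing: its CN matches the requested name, but because it carries a SAN extension the CN is not consulted, so the check fails. A client that only compared the CN would accept that certificate.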

@erolatreston (Owner, Author)

@nmariz Since the mysql-failover is not available in the mysql-shell yet, we need the CVE-2019-2435 fixed in the 2.*.* stream of the mysql-connector-python. Is it possible to release 2.2.4 that will include your fix?

If that is not possible, can you provide some directions on how to build/release mysql-connector-python?

When I try building manually, the build fails with

[appian@mariadb mysql-connector-python]$ python ./setup.py build
running build
running build_py
running build_ext
# Python architecture: 64-bit
# Python ARCH_64BIT: True
Unable to find Protobuf include directory.

I downloaded and installed protoc-3.8.0-linux-x86_64.zip but I still get the same error.
Do I need to extract this into a particular directory on the machine?

nmariz commented Jul 1, 2019

@erolatreston Hi. You should upgrade to 8.0.x. It's compatible with 2.2.x and includes more fixes and improvements.

The easy and recommended way of installing Connector/Python is via pip:

pip install mysql-connector-python

If you still want to backport the patch and build it yourself, you can find the instructions here: https://dev.mysql.com/doc/dev/connector-python/8.0/installation.html#installing-connector-python-from-source
But again, I don't recommend it; using 8.0.x is the best choice.
