Feature Request: Use TLS when a CA is provided in the binding

[jzlwang]

Recent versions of MySQL v2 allow the Operator to enable TLS on the server side. This is expressed to the user in that the bindings for both app binding and service keys will have an additional entry, a TLS certificate authority.

If that's present in the binding, then it would be great if the mysql plugin would attempt to connect to the database over TLS. This is better because it means that the network path between the Diego container and the database is additionally encrypted, whereas the current implementation only encrypts traffic between the desktop client and the container.

[andreasf]

Hi Judy, this would be a cool feature! I'll take a closer look when I'm back from vacation.

…

On Sat, Sep 15, 2018, 08:35 Judy Wang ***@***.***> wrote: Recent versions of MySQL v2 allow the Operator to enable TLS on the server side. This is expressed to the user in that the bindings for both app binding and service keys will have an additional entry, a TLS certificate authority. If that's present in the binding, then it would be great if the mysql plugin would attempt to connect to the database over TLS. This is better because it means that the network path between the Diego container and the database is additionally encrypted, whereas the current implementation only encrypts traffic between the desktop client and the container. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#12>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAd8oDIDCB0HPXKcj8TSS0CILvc5OBc7ks5ubEtagaJpZM4WqHZe> .

[andreasf]

With a MariaDB mysql, --ssl-verify-server-cert fails because the common name does not match the hostname provided to mysql when tunneling:

$ cf mysql mydb
ERROR 2026 (HY000): SSL connection error: Validation of SSL server certificate failed
FAILED

Interestingly, the Oracle mysql client does not complain when running it with the equivalent SSL mode.

I might verify the hostname on the plugin side instead.

[andreasf]

Turns out that MySQL doesn't use TLS as a layer below the application protocol, but they baked it right in: https://dev.mysql.com/doc/internals/en/connection-phase.html

That means there is no simple way to terminate TLS and verify the certificate chain and hostname in the plugin. I'd have to implement a proxy that understands at least part of the MySQL protocol.

Given that verifying the certificate chain works and that the CA is private, would it be a big risk to not verify that the DB hostname matches the certificate CN? The unmitigated risk I see is that

• if an attacker were able to place a rogue DB at the given location (usually in a private network)
• and obtained a pair of private key and cert signed by the CA with a different hostname than the DB
• then the client would not notice

If the attacker had a key and cert for the same hostname or could sign certs as the private root CA, the client would not be able to find out even with CN verification.

[andreasf]

Could you test whether the behavior implemented in master works for you?

Build instructions are here: https://github.com/andreasf/cf-mysql-plugin#building