Improvements for MySQL via STARTTLS

* labeling is just "experimental"
* use similar functions as in psql
* faster
This commit is contained in:
Dirk Wetter 2019-08-06 20:04:19 +02:00
parent 75a0f14bff
commit 42f2b83a92


@ -10010,7 +10010,7 @@ starttls_nntp_dialog() {
starttls_postgres_dialog() { starttls_postgres_dialog() {
debugme echo "=== starting postgres STARTTLS dialog ===" debugme echo "=== starting postgres STARTTLS dialog ==="
local init_tls=",x00, x00 ,x00 ,x08 ,x04 ,xD2 ,x16 ,x2F" local init_tls=", x00, x00 ,x00 ,x08 ,x04 ,xD2 ,x16 ,x2F"
socksend "${init_tls}" 0 && debugme echo "initiated STARTTLS" && socksend "${init_tls}" 0 && debugme echo "initiated STARTTLS" &&
starttls_io "" S 1 && debugme echo "received ack (="S") for STARTTLS" starttls_io "" S 1 && debugme echo "received ack (="S") for STARTTLS"
local ret=$? local ret=$?
@ -10021,17 +10021,20 @@ starttls_postgres_dialog() {
starttls_mysql_dialog() { starttls_mysql_dialog() {
debugme echo "=== starting mysql STARTTLS dialog ===" debugme echo "=== starting mysql STARTTLS dialog ==="
local login_request=" local login_request="
, 20, 00, 00, 01, # payload_length, sequence_id , x20, x00, x00, x01, # payload_length, sequence_id
85, ae, ff, 00, # capability flags, CLIENT_SSL always set x85, xae, xff, x00, # capability flags, CLIENT_SSL always set
00, 00, 00, 01, # max-packet size x00, x00, x00, x01, # max-packet size
21, # character set x21, # character set
00, 00, 00, 00, 00, 00, 00, 00, # string[23] reserved (all [0]) x00, x00, x00, x00, x00, x00, x00, x00, # string[23] reserved (all [0])
00, 00, 00, 00, 00, 00, 00, 00, x00, x00, x00, x00, x00, x00, x00, x00,
00, 00, 00, 00, 00, 00, 00" x00, x00, x00, x00, x00, x00, x00"
code2network "${login_request}" socksend "${login_request}" 0
# 1 is the timeout value which only MySQL needs starttls_just_read 1 && debugme echo "read succeeded"
starttls_just_read 1 && debugme echo -e "\nreceived server greeting" && # 1 is the timeout value which only MySQL needs. Note, there seems no response whether STARTTLS
starttls_just_send "$NW_STR" "no-lf" && debugme echo "initiated STARTTLS" # succeeded. We could try harder, see https://github.com/openssl/openssl/blob/master/apps/s_client.c
# but atm this seems sufficient as later we will fail if there's no STARTTLS.
# BUT: there seeem to be cases when the handshake fails (8S01Bad handshake --> 30 38 53 30 31 42 61 64 20 68 61 6e 64 73 68 61 6b 65).
# also there's a banner in the reply "<version><somebytes>mysql_native_password"
# TODO: We could detect if the server supports STARTTLS via the "Server Capabilities" # TODO: We could detect if the server supports STARTTLS via the "Server Capabilities"
# bit field, but we'd need to parse the binary stream, with greater precision than regex. # bit field, but we'd need to parse the binary stream, with greater precision than regex.
local ret=$? local ret=$?
@ -17943,7 +17946,7 @@ determine_service() {
out " Service set:$CORRECT_SPACES STARTTLS via " out " Service set:$CORRECT_SPACES STARTTLS via "
out "$(toupper "$protocol")" out "$(toupper "$protocol")"
[[ "$protocol" == mysql ]] && out " -- attention, this is experimental" [[ "$protocol" == mysql ]] && out " (experimental)"
fileout "service" "INFO" "$protocol" fileout "service" "INFO" "$protocol"
[[ -n "$XMPP_HOST" ]] && out " (XMPP domain=\'$XMPP_HOST\')" [[ -n "$XMPP_HOST" ]] && out " (XMPP domain=\'$XMPP_HOST\')"
outln outln
@ -17967,11 +17970,12 @@ determine_sizelimitbug() {
local overflow_cipher2='C0,88' local overflow_cipher2='C0,88'
# For STARTTLS protcols not being implemented yet via sockets this is a bypass otherwise it won't be usable at all (e.g. LDAP) # For STARTTLS protcols not being implemented yet via sockets this is a bypass otherwise it won't be usable at all (e.g. LDAP)
# Fixme: find out whether we can't skip this in general for STARTTLS
[[ "$STARTTLS" =~ ldap ]] && return 0 [[ "$STARTTLS" =~ ldap ]] && return 0
[[ "$STARTTLS" =~ irc ]] && return 0 [[ "$STARTTLS" =~ irc ]] && return 0
debugme echo -n "${FUNCNAME[0]} starting at # of ciphers (excl. 00FF): " debugme echo -n "${FUNCNAME[0]} starting at # of ciphers (excl. 00FF): "
debugme echo "$test_ciphers" | tr ' ' '\n' | wc -l debugme echo "$(tr ' ' '\n' <<< "$test_ciphers" | wc -l)"
# Only with TLS 1.2 offered at the server side it is possible to hit this bug, in practise. Thus # Only with TLS 1.2 offered at the server side it is possible to hit this bug, in practise. Thus
# we assume if TLS 1.2 is not supported, the server has no cipher size limit bug. It still may, # we assume if TLS 1.2 is not supported, the server has no cipher size limit bug. It still may,
# theoretically, but in a regular check with testssl.sh we won't hit this limit with lower protocols. # theoretically, but in a regular check with testssl.sh we won't hit this limit with lower protocols.
@ -18861,7 +18865,7 @@ parse_cmd_line() {
[[ $? -eq 0 ]] && shift [[ $? -eq 0 ]] && shift
case $STARTTLS_PROTOCOL in case $STARTTLS_PROTOCOL in
ftp|smtp|lmtp|pop3|imap|xmpp|telnet|ldap|irc|nntp|postgres|mysql) ;; ftp|smtp|lmtp|pop3|imap|xmpp|telnet|ldap|irc|nntp|postgres|mysql) ;;
ftps|smtps|lmtps|pop3s|imaps|xmpps|telnets|ldaps|ircs|nntps) ;; ftps|smtps|lmtps|pop3s|imaps|xmpps|telnets|ldaps|ircs|nntps|mysqls) ;;
*) tmln_magenta "\nunrecognized STARTTLS protocol \"$1\", see help" 1>&2 *) tmln_magenta "\nunrecognized STARTTLS protocol \"$1\", see help" 1>&2
help 1 ;; help 1 ;;
esac esac
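Review bot: In the starttls_mysql_dialog hunk the new `starttls_just_read 1 && debugme echo "read succeeded"` line feeds `local ret=$?` with nothing more than "some bytes were read", so the server greeting's capability flags and the ERR reply that the comment itself documents (`08S01Bad handshake`) are never inspected, and a server without TLS support is only noticed later when the TLS handshake fails for an unrelated-looking reason. Since the dialog now sends the SSLRequest before reading, the bytes read back are the greeting (and possibly the error), so a cheap improvement would be to fail early when the reply contains that error string, e.g. `[[ "$reply" == *"Bad handshake"* ]] && return 1` — assuming starttls_just_read exposes what it read, which is not visible in this hunk; checking the CLIENT_SSL bit (0x0800) in the greeting's capability field would be the stricter test the TODO on the next lines already describes. Also, `local ret=$?` sits after a run of comment lines, which is fine for bash but worth a one-liner like `# status of the read above` so the next reader does not have to verify that comments do not reset $?, and "seeem" in the comment should read "seem". The body of starttls_mysql_dialog continues past the end of this hunk.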