3

I'm using the MySQL .NET connector from the official MySQL site. I'm trying to make a safe SSL connection from my C# program to a MySQL db. The MySQL server allows connecting with SSL. The have_ssl variable is set to yes, and ca-cert, server-cert and server-key are specified.

Permissions for the user are:

'GRANT USAGE ON *.* TO \'logowanie\'@\'%\' IDENTIFIED BY PASSWORD \'*...\' REQUIRE SSL'
'GRANT SELECT ON `db`.`table1` TO \'logowanie\'@\'%\''

So I assume that this user cannot log in without SSL? Am I right?

My connection string in the C# program looks like this:

"server=127.0.0.1;uid=logowanie;pwd=log1;database=ewidencja;SslMode=Required";

Note that this connection string doesn't have any paths to certificate files! It only has the "SslMode=Required" option. Is it possible to make an SSL-encrypted connection without any other SSL options?

And the user is able to log in and run a SELECT command on table1. So I assume this connection is SSL encrypted? How can I check whether this connection is SSL encrypted to be 100% sure?

oleksii
Paweł Adamczyk
  • 1
    Try this Stack Overflow link; it looks like something that you are looking for: http://stackoverflow.com/questions/5880503/mysql-connection-using-odbc-5-1-with-ssl – MethodMan Jan 17 '13 at 23:25
  • Ok, But it doesn't solve my problem. I want to know if my connection instance provides ssl encryption with only one option: "SslMode=Required"? Is that even possible, or if this connection is still without SSL? HOW TO CHECK THAT? – Paweł Adamczyk Jan 17 '13 at 23:32
  • Can't you check or add the following in your connection string: `Encrypt=True;TrustServerCertificate=True` – MethodMan Jan 17 '13 at 23:41
  • 1
    You must be a little fuzzy on the meaning of the word "required". – Sammitch Jan 17 '13 at 23:42
  • check this link MSDN http://msdn.microsoft.com/en-us/library/ms189067%28v=sql.105%29.aspx – MethodMan Jan 17 '13 at 23:43
  • As you can see, I have SslMode=Required in my conn string. Also, I checked it with Encrypt=True and it worked. But does it mean for sure that the connection is encrypted? I didn't even specify paths to the client cert and key! – Paweł Adamczyk Jan 17 '13 at 23:55
  • What *else* would 'SslMode=Required' mean? – user207421 Jan 18 '13 at 22:53

4 Answers

8

Posting my answer from https://stackoverflow.com/a/46609559/492336:

You can execute this SQL statement from inside the MySqlConnection: `SHOW SESSION STATUS LIKE 'Ssl_cipher'`, and it will show you whether the connection is encrypted.

Example code:

using System;
using System.Configuration;
using MySql.Data.MySqlClient;
// An empty Ssl_cipher value means the session is not encrypted.
using (var connection = new MySqlConnection(ConfigurationManager.AppSettings["Test"]))
{
    connection.Open();
    using (var command = new MySqlCommand("SHOW SESSION STATUS LIKE 'Ssl_cipher'", connection))
    using (MySqlDataReader reader = command.ExecuteReader())
    {
        while (reader.Read())
        {
            Console.WriteLine($"{reader.GetString(0)}: {reader.GetString(1)}");
        }
    }
}
sashoalm
  • 1
    This is a good answer. The Ssl_cipher gives the cipher algorithm in use for the connection or an empty string if SSL is not used, as stated in: https://dev.mysql.com/doc/refman/5.7/en/x-plugin-monitoring-status-variables.html#statvar_Mysqlx_ssl_cipher I suggest you change "GetString(0)" to "GetString(1)", as the value of Ssl_cipher is given in the second column. – Carlos Pérez Chávez Apr 16 '18 at 17:33
  • @CarlosPérezChávez Done. Thanks for the suggestion. – sashoalm Apr 17 '18 at 07:56
3

How can I check whether this connection is SSL encrypted to be 100% sure?

Install Wireshark, capture the traffic and you'll be 100% sure whether it's encrypted or not.

Miljen Mikic
1

OpenSSL (https://www.openssl.org/) ships with a tool called "s_client" that can be used to test SSL servers. This is available for *nix, cygwin, and Win32.

Sample Usage

$ openssl s_client -connect servername:port -CAfile /path/to/ca.pem -debug -showcerts

There are a myriad of options such as -pause, -state, etc. which you may find useful for tracking SSL through its setup and teardown.

Security

Use Wireshark as Miljen has pointed out.

Here are some tips for Wireshark:

  1. Collect the traffic using Wireshark
  2. Verify that the contents of the packets look like random noise (random bytes).
  3. This output should be sufficient to check that you have turned on SSL.

If you're looking to test whether your SSL code works properly, you could also check whether you can interoperate with other SSL implementations.

Did you hardcode the public key of the server properly, or properly check the server cert to make sure it corresponds to your server and not some imposter? Did you enable client authentication? Did you set the list of acceptable ciphersuites in a reasonable way? Did you use TLS 1.2? Are you aware that TLS only secures the communication channel, but you still need to make sure that the endpoints are secure, e.g., from various malicious attacks?

That might get you started. For testing, here are some tips:

For testing, see https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29

This link contains great stuff, but it is by no means exhaustive. These tests are geared for HTTPS, but they should work for any SSL implementation since they analyze the SSL protocol, not the application-level protocol on top.

Lee Stott
0

On a CLI, you can run this command to check if the data is encrypted or not.

sudo tcpdump -l -i eth0 -w - src or dst port 3306 | strings

Toan Nguyen
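What the capture-based checks in the answers above come down to at the byte level, as an added example (not code from any of the answers): the server greeting is sent in the clear even on an encrypted connection, so the tell is the client's first packet, which is either a 32-byte SSLRequest with the CLIENT_SSL flag followed by a TLS record, or a full login packet in plaintext. It assumes protocol 4.1 framing and an already reassembled client-to-server byte stream; the function names and sample bytes are constructed for illustration.

```python
import struct

CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800  # capability flag: client will switch to TLS next

def read_packet(stream, offset=0):
    """Return (sequence_id, payload, next_offset) for one MySQL packet."""
    if len(stream) < offset + 4:
        raise ValueError("truncated MySQL packet header")
    length = int.from_bytes(stream[offset:offset + 3], "little")
    end = offset + 4 + length
    if len(stream) < end:
        raise ValueError("truncated MySQL packet payload")
    return stream[offset + 3], stream[offset + 4:end], end

def classify_client_stream(stream):
    """Classify the client-to-server bytes of one connection attempt."""
    seq, payload, nxt = read_packet(stream)
    if seq != 1 or len(payload) < 32:
        return "unknown"
    caps = struct.unpack_from("<I", payload)[0]
    if caps & CLIENT_SSL and len(payload) == 32:
        # SSLRequest: a TLS handshake record (0x16, version 0x03xx) must follow.
        rest = stream[nxt:nxt + 2]
        return "tls" if rest[:1] == b"\x16" and rest[1:2] == b"\x03" else "unknown"
    if not caps & CLIENT_SSL and len(payload) > 32:
        return "plaintext"  # full login packet sent in the clear
    return "unknown"

def build_packet(seq, payload):
    """Frame a payload: 3-byte little-endian length, 1-byte sequence id."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

def fixed_part(caps):
    # capability flags, max packet size, charset, 23 reserved bytes = 32 bytes
    return struct.pack("<IIB", caps, 1 << 24, 33) + bytes(23)

# Constructed samples, not captured traffic.
SAMPLE_TLS = (build_packet(1, fixed_part(CLIENT_PROTOCOL_41 | CLIENT_SSL))
              + bytes.fromhex("16030100c8010000c4"))
SAMPLE_PLAIN = build_packet(1, fixed_part(CLIENT_PROTOCOL_41) + b"logowanie\x00\x00")

if __name__ == "__main__":
    for name, data in (("tls", SAMPLE_TLS), ("plain", SAMPLE_PLAIN)):
        print(name, "->", classify_client_stream(data))
```

A "plaintext" result means the user name and every later query are readable in the capture, which is the case `REQUIRE SSL` on the account is meant to reject.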