PostgreSQL and MySQL connectors support sslmode=verify-full #548

Closed
izgeri opened this issue Dec 3, 2018 · 5 comments · Fixed by #1249
Comments

izgeri (Contributor) commented Dec 3, 2018

verify-full is equivalent to VERIFY_IDENTITY as stated in the MySQL docs:

VERIFY_IDENTITY: Like VERIFY_CA, but additionally perform host name identity verification by checking the host name the client uses for connecting to the server against the identity in the certificate that the server sends to the client:

AC:

  • perform host name identity verification by checking the host name the client uses for connecting to the server against the identity in the certificate that the server sends to the client
izgeri (Contributor, Author) commented Oct 4, 2019

Note - there was a request to get this fixed in #922

izgeri (Contributor, Author) commented Oct 4, 2019

Today we briefly looked into what it would take to get this implemented. We noticed the two commented lines:
https://github.com/cyberark/secretless-broker/blob/latest/internal/app/secretless/handlers/ssl/ssl.go#L61-L62

and wanted to validate whether simply uncommenting them would get this working e2e. It doesn't appear to have worked.

To try to get it working, I cloned the latest branch, uncommented these two lines, and ran ./bin/build_darwin.

I spun up a MySQL instance in a Docker container with:

docker run -d \
  -p 3307:3306 \
  --name mysql \
  -e MYSQL_ROOT_PASSWORD=myrootpassword \
  -e MYSQL_DATABASE=mydb \
  -e MYSQL_USER=myuser \
  -e MYSQL_PASSWORD=mypassword \
  mysql:5

and copied the ca.pem, server-cert.pem, and server-key.pem files from /var/lib/mysql into my local dir.

Then I ran ./dist/darwin/amd64/secretless-broker -f secretless.yml where my secretless config was

version: "2"
services:
  test-verify-full:
    protocol: mysql
    listenOn: tcp://localhost:3306
    credentials:
      host: localhost
      port: 3307
      username: myuser
      password: mypassword
      sslmode: verify-full
      sslrootcert:
        from: file
        get: ca.pem
      sslcert:
        from: file
        get: server-cert.pem
      sslkey:
        from: file
        get: server-key.pem

I tried to run mysql -h 127.0.0.1 -P 3306 --ssl-mode=DISABLED, but I got the error

ERROR: 2000 (HY000): tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config

Replacing verify-full with verify-ca got me into the DB.

porjo commented Oct 10, 2019

@izgeri the reason your test failed is that the host value is not present in the options parameter passed into NewDbSSLMode.

I've tested by hard coding the hostname at ssl.go#L62 to my MySQL hostname. That works - no error, and the connection is encrypted (verified by packet dump).

I also tested the hostname verification by changing host to an alias that doesn't match the name in the SSL certificate, and got the error:

ERROR 2000 (HY000): x509: certificate is valid for <good hostname>, not <bad hostname>
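
The behaviour porjo describes above, as an added Go example that is not Secretless's own code: a hypothetical NewSSLModeTLSConfig builds the client tls.Config for verify-ca (chain checked against the CA, host name ignored) and verify-full (ServerName set, so Go's verifier also checks the host name and refuses to proceed without one). CheckMode generates a throwaway CA and server certificate in memory for the assumed name db.example.internal, stands up a one-shot TLS listener on loopback, and returns the client-side handshake error for a given mode and host, which reproduces both the "certificate is valid for <good hostname>, not <bad hostname>" failure and the success of verify-ca against a mismatched alias.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewSSLModeTLSConfig maps a libpq-style sslmode to a client *tls.Config.
// Hypothetical helper, not Secretless's NewDbSSLMode: it shows why the options
// must carry the host, because verify-full only works once ServerName is set.
func NewSSLModeTLSConfig(mode, host string, rootCAs *x509.CertPool) (*tls.Config, error) {
	switch mode {
	case "verify-full":
		if host == "" {
			return nil, errors.New("verify-full: host is required for host name verification")
		}
		// ServerName drives both SNI and the host name check of the leaf certificate.
		return &tls.Config{RootCAs: rootCAs, ServerName: host, MinVersion: tls.VersionTLS12}, nil
	case "verify-ca":
		// Go's built-in verifier always checks the host name, so opt out of it and
		// verify the chain against the CA ourselves, leaving DNSName unset.
		return &tls.Config{
			InsecureSkipVerify: true,
			MinVersion:         tls.VersionTLS12,
			VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
				if len(rawCerts) == 0 {
					return errors.New("verify-ca: server presented no certificate")
				}
				leaf, err := x509.ParseCertificate(rawCerts[0])
				if err != nil {
					return err
				}
				intermediates := x509.NewCertPool()
				for _, raw := range rawCerts[1:] {
					c, err := x509.ParseCertificate(raw)
					if err != nil {
						return err
					}
					intermediates.AddCert(c)
				}
				_, err = leaf.Verify(x509.VerifyOptions{Roots: rootCAs, Intermediates: intermediates})
				return err
			},
		}, nil
	default:
		return nil, fmt.Errorf("unsupported sslmode %q", mode)
	}
}

// mkCert generates a P-256 key and a certificate from tmpl; a nil parent means self-signed.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newTestPKI builds a constructed, in-memory CA and a server certificate whose only SAN is serverName.
func newTestPKI(serverName string) (*x509.CertPool, tls.Certificate, error) {
	now := time.Now()
	caCert, caKey, err := mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	srvCert, srvKey, err := mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: serverName},
		DNSNames: []string{serverName}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, caCert, caKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return pool, tls.Certificate{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}, nil
}

// CheckMode serves a certificate for serverName on loopback, dials it with the client
// config for mode/clientHost, and returns the client-side handshake error (nil on success).
func CheckMode(mode, clientHost, serverName string) error {
	pool, srvCert, err := newTestPKI(serverName)
	if err != nil {
		return err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srvCert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		c.(*tls.Conn).Handshake() // drive the server side; only the client's verdict matters here
		c.Close()
	}()
	cfg, err := NewSSLModeTLSConfig(mode, clientHost, pool)
	if err != nil {
		return err
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg) // Dial completes the handshake
	if err != nil {
		return err
	}
	conn.Close()
	return nil
}

func main() {
	for _, tc := range []struct{ mode, host string }{
		{"verify-full", "db.example.internal"}, {"verify-full", "alias.example.internal"},
		{"verify-full", ""}, {"verify-ca", "alias.example.internal"},
	} {
		fmt.Printf("%-11s host=%-26q -> %v\n", tc.mode, tc.host, CheckMode(tc.mode, tc.host, "db.example.internal"))
	}
}
```

The verify-ca branch is the part worth reading twice: setting InsecureSkipVerify alone would disable all checking, so a VerifyPeerCertificate callback that validates the chain against the configured CA is what keeps verify-ca meaningful while dropping only the host name comparison.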

sgnn7 (Contributor) commented Oct 10, 2019

@porjo Keeping my comment from here in mind about master vs latest branch, we may not be able to get this fixed up very quickly in the new refactor but we are accepting PRs for this release and the new one as well :)

izgeri (Contributor, Author) commented Oct 10, 2019

@porjo thanks for digging into this more! cc @doodlesbykumbi who originally suggested just uncommenting the o["host"] line - we should be able to dig into this in the next week or so to figure out how to get host into the options so that this mode works.

Since this appears to be a pretty small change that we need to make that will resolve this ticket, I'm hopeful we can potentially even get this change in as part of the next tagged release! I'll keep you posted here, though.

@izgeri izgeri changed the title Database handlers support sslmode=verify-full PostgreSQL and MySQL connectors support sslmode=verify-full Apr 16, 2020
@doodlesbykumbi doodlesbykumbi self-assigned this Jun 10, 2020
@doodlesbykumbi doodlesbykumbi linked a pull request Jun 17, 2020 that will close this issue