[MDEV-6975] Implement TLS protocol - JIRA

Details

Type: Task
Status: Closed
Priority: Major
Resolution: Fixed
Fix Version/s: 10.0.15, 5.5.41
Component/s: SSL
Labels:
None

Description

Support for TLS protocols may well be there, but it is not documented; if present, it has no options to control it.

Currently MariaDB claims to support SSLv3. We would like to move away from SSLv3 due to the POODLE vulnerability.

In testing, MariaDB client/server currently cannot connect using any of the TLS protocols. Testing was performed on MariaDB 5.5.32-1 on CentOS 6.x x86_64, compiled against OpenSSL.

We used the technique of trying ciphers that are not supported in SSLv2 or SSLv3, which leaves the TLS 1.x ciphers - http://www.percona.com/blog/2014/10/15/how-to-close-poodle-sslv3-security-flaw-cve-2014-3566/ . All connections failed with "ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)".

Ideally, MariaDB should have...

a configuration value to disable SSLv2/v3
a clear statement of which TLS protocol variants are known to work (perhaps qualified by SSL library used – with yaSSL, with OpenSSL...)

thank you!

Gliffy Diagrams

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

mysql-tls-ver-test.c
4 kB
2014-11-19 23:35

Issue Links

relates to

MDEV-7547 Include TLS tests in the test suite

Closed

links to

MySQL Bug #75239

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Martin Langhoff added a comment - 2014-10-29 18:25

A simple test is to pick a cipher that is only available for the TLS protocols, and try to use it from the client side:

 mysql -h $(hostname -f )   --ssl-cert client-cert.pem --ssl-key client-key.pem -u testuser -ppassword --ssl --ssl-cipher=ECDHE-RSA-AES256-GCM-SHA384   test_db
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)

List Ciphers, filtering out sslv2/3, based on ciphers available in OpenSSL v1.0.1e

echo ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-DES-CBC3-MD5:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:KRB5-IDEA-CBC-SHA:KRB5-IDEA-CBC-MD5:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:KRB5-DES-CBC-SHA:KRB5-DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-KRB5-RC4-MD5 | sed 's/:/\n/g' | sed 's/Ssl_cipher_list\s//g' | while read sspec; do openssl ciphers -v "$sspec" | grep -v 'SSLv\(2\|3\)' 2>/dev/null  ; done 
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256

Now combine the two:

echo ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-DES-CBC3-MD5:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:KRB5-IDEA-CBC-SHA:KRB5-IDEA-CBC-MD5:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:KRB5-DES-CBC-SHA:KRB5-DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-KRB5-RC4-MD5 | sed 's/:/\n/g' | sed 's/Ssl_cipher_list\s//g' | while read sspec; do SPEC=`openssl ciphers -v "$sspec" 2>/dev/null | grep -v 'SSLv\(2\|3\)' | awk '{print $1}'`; [[ "$sspec" == "$SPEC" ]] && (echo -n $sspec; mysql --ssl-cipher=$sspec --ssl-cert client-cert.pem --ssl-key client-key.pem -u testuser -ppassword --ssl -e QUIT ) && echo "$sspec OK"; done 
ECDHE-RSA-AES256-GCM-SHA384ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
ECDHE-ECDSA-AES256-GCM-SHA384ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
ECDHE-RSA-AES256-SHA384ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
ECDHE-ECDSA-AES256-SHA384ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
DHE-DSS-AES256-GCM-SHA384ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
DHE-RSA-AES256-GCM-SHA384ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
DHE-RSA-AES256-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
DHE-DSS-AES256-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
ECDH-RSA-AES256-GCM-SHA384ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
ECDH-ECDSA-AES256-GCM-SHA384ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
ECDH-RSA-AES256-SHA384ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
ECDH-ECDSA-AES256-SHA384ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
AES256-GCM-SHA384ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
AES256-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
ECDHE-RSA-AES128-GCM-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
ECDHE-ECDSA-AES128-GCM-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
ECDHE-RSA-AES128-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
ECDHE-ECDSA-AES128-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
DHE-DSS-AES128-GCM-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
DHE-RSA-AES128-GCM-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
DHE-RSA-AES128-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
DHE-DSS-AES128-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
ECDH-RSA-AES128-GCM-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
ECDH-ECDSA-AES128-GCM-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
ECDH-RSA-AES128-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
ECDH-ECDSA-AES128-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
AES128-GCM-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
AES128-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)

If you relax the restrictions (i.e.: allow sslv3) the SSLv3 ciphers succeed.

Show

Martin Langhoff added a comment - 2014-10-29 18:25 A simple test is to pick a cipher that is only available for the TLS protocols, and try to use it from the client side: mysql -h $(hostname -f ) --ssl-cert client-cert.pem --ssl-key client-key.pem -u testuser -ppassword --ssl --ssl-cipher=ECDHE-RSA-AES256-GCM-SHA384 test_db ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) List Ciphers, filtering out sslv2/3, based on ciphers available in OpenSSL v1.0.1e echo ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-DES-CBC3-MD5:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:KRB5-IDEA-CBC-SHA:KRB5-IDEA-CBC-MD5:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:KRB5-DES-CBC-SHA:KRB5-DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-KRB5-RC4-MD5 | sed 's/:/\n/g' | sed 's/Ssl_cipher_list\s //g' | while read sspec; do openssl ciphers -v "$sspec" | grep -v 'SSLv$2\|3$' 2>/dev/ null ; done ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384 ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384 DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256 DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256 ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384 ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384 AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256 ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256 DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256 DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256 ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256 ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256 AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256 Now combine the two: echo ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-DES-CBC3-MD5:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:KRB5-IDEA-CBC-SHA:KRB5-IDEA-CBC-MD5:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:KRB5-DES-CBC-SHA:KRB5-DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-KRB5-RC4-MD5 | sed 's/:/\n/g' | sed 's/Ssl_cipher_list\s //g' | while read sspec; do SPEC=`openssl ciphers -v "$sspec" 2>/dev/ null | grep -v 'SSLv$2\|3$' | awk '{print $1}'`; [[ "$sspec" == "$SPEC" ]] && (echo -n $sspec; mysql --ssl-cipher=$sspec --ssl-cert client-cert.pem --ssl-key client-key.pem -u testuser -ppassword --ssl -e QUIT ) && echo "$sspec OK" ; done ECDHE-RSA-AES256-GCM-SHA384ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) ECDHE-ECDSA-AES256-GCM-SHA384ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) ECDHE-RSA-AES256-SHA384ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) ECDHE-ECDSA-AES256-SHA384ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) DHE-DSS-AES256-GCM-SHA384ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) DHE-RSA-AES256-GCM-SHA384ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) DHE-RSA-AES256-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) DHE-DSS-AES256-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) ECDH-RSA-AES256-GCM-SHA384ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) ECDH-ECDSA-AES256-GCM-SHA384ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) ECDH-RSA-AES256-SHA384ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) ECDH-ECDSA-AES256-SHA384ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) AES256-GCM-SHA384ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) AES256-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) ECDHE-RSA-AES128-GCM-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) ECDHE-ECDSA-AES128-GCM-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) ECDHE-RSA-AES128-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) ECDHE-ECDSA-AES128-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) DHE-DSS-AES128-GCM-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) DHE-RSA-AES128-GCM-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) DHE-RSA-AES128-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) DHE-DSS-AES128-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) ECDH-RSA-AES128-GCM-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) ECDH-ECDSA-AES128-GCM-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) ECDH-RSA-AES128-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) ECDH-ECDSA-AES128-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) AES128-GCM-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) AES128-SHA256ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1) If you relax the restrictions (i.e.: allow sslv3) the SSLv3 ciphers succeed.

8 older comments

Hide

Permalink

Martin Langhoff added a comment - 2014-11-19 19:27

Great to hear. At my end, given that MariaDB does not support SSLv3, but only TLSv1, a docs update indicating so would be satisfactory.

Unlocking support for newer versions of TLS is of course a good outcome too.

Show

Martin Langhoff added a comment - 2014-11-19 19:27 Great to hear. At my end, given that MariaDB does not support SSLv3, but only TLSv1, a docs update indicating so would be satisfactory. Unlocking support for newer versions of TLS is of course a good outcome too.

Hide

Permalink

Tomas Hoger added a comment - 2014-11-19 19:35

If users should be able to disable specific TLS protocol versions, there will need to be a separate configuration option for that (similar to httpd's SSLProtocol or nginx's ssl_protocols). Cipher string in general can not do that. Examples:

In the past, you could use 'DEFAULT:!SSLv2' to practically disable SSLv2 and leave SSLv3 and TLSv1 enabled, because SSLv2 ciphers were noted used by SSLv3 or later.

However, the similar 'DEFAULT:!SSLv3' can not be used to disable SSLv3 and only enable TLSv1.0 and later.

Users may also ask for a way to disable TLSv1.0 and only enable 1.1 or later because of BEAST. The 'DEFAULT:!SSLv3' somewhat does the trick, but it only enables ciphers new in TLS 1.2.

There may be a little immediate need now, but it seems to be the way to go long term.

Show

Tomas Hoger added a comment - 2014-11-19 19:35 If users should be able to disable specific TLS protocol versions, there will need to be a separate configuration option for that (similar to httpd's SSLProtocol or nginx's ssl_protocols). Cipher string in general can not do that. Examples: In the past, you could use 'DEFAULT:!SSLv2' to practically disable SSLv2 and leave SSLv3 and TLSv1 enabled, because SSLv2 ciphers were noted used by SSLv3 or later. However, the similar 'DEFAULT:!SSLv3' can not be used to disable SSLv3 and only enable TLSv1.0 and later. Users may also ask for a way to disable TLSv1.0 and only enable 1.1 or later because of BEAST. The 'DEFAULT:!SSLv3' somewhat does the trick, but it only enables ciphers new in TLS 1.2. There may be a little immediate need now, but it seems to be the way to go long term.

Hide

Permalink

Tomas Hoger added a comment - 2014-11-19 23:35

A simple test program that attempts to establish TLS connection with MySQL / MariaDB and prints TLS session information similar to what's printed by openssl s_client.

Show

Tomas Hoger added a comment - 2014-11-19 23:35 A simple test program that attempts to establish TLS connection with MySQL / MariaDB and prints TLS session information similar to what's printed by openssl s_client.

Hide

Permalink

Tomas Hoger added a comment - 2014-11-20 15:09

For posterity, this commit now disables SSLv2 and SSLv3 as discussed above:

http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/4369

Thank you!

Show

Tomas Hoger added a comment - 2014-11-20 15:09 For posterity, this commit now disables SSLv2 and SSLv3 as discussed above: http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/4369 Thank you!

Hide

Permalink

Daniël van Eeden added a comment - 2015-01-19 22:08

Related bug for Support for TLSv1.1 and TLSv1.2 in MySQL

Show

Daniël van Eeden added a comment - 2015-01-19 22:08 Related bug for Support for TLSv1.1 and TLSv1.2 in MySQL

Implement TLS protocol

Details

Description

Gliffy Diagrams

Attachments

Attachments

Issue Links

Activity

People

Dates

Time Tracking

Agile