  1. MariaDB Connector/C
  2. CONC-393

TLSv1.2 ciphers are rejected on Windows with Schannel

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.8
    • Fix Version/s: 3.1.1
    • Component/s: None
    • Labels:
      None

      Description

      The following patch disabled the TLSv1.2 protocol for MariaDB Connector/C when using Schannel:

      https://github.com/MariaDB/mariadb-connector-c/commit/ba22ae8c6dac89b5e3fa07511f508e8b3efcd8dd

      With this change, if you set ssl_cipher to a TLSv1.2 cipher (e.g. AES256-GCM-SHA384) and if you try to connect to a server that supports TLSv1.2, then the connection will fail with an error like:

      SSL connection error: no cipher match
      

      This even happens if you set ssl_cipher to a TLSv1.2 cipher that also supports TLSv1.1 and TLSv1.0 (e.g. AES256-SHA).

      However, for some reason, setting ssl_cipher to "TLSv1.2" allows the connection to succeed without any errors. I see that this string is treated specially here:

      https://github.com/MariaDB/mariadb-connector-c/blob/db1a1a1d31cffd350f12e1ca5b0fd25f6a5ef0aa/libmariadb/secure/schannel.c#L316

      This problem causes ODBC-230.

              People

              Assignee:
              wlad Vladislav Vaintroub
              Reporter:
              GeoffMontee Geoff Montee