Uploaded image for project: 'MariaDB Connector/C'
  1. MariaDB Connector/C
  2. CONC-393

TLSv1.2 ciphers are rejected on Windows with Schannel

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Fixed
    • 3.0.8
    • 3.1.1
    • None
    • None

    Description

      The following patch disabled the TLSv1.2 protocol for MariaDB Connector/C when using Schannel:

      https://github.com/MariaDB/mariadb-connector-c/commit/ba22ae8c6dac89b5e3fa07511f508e8b3efcd8dd

      With this change, if you set ssl_cipher to a TLSv1.2 cipher (e.g. AES256-GCM-SHA384) and if you try to connect to a server that supports TLSv1.2, then the connection will fail with an error like:

      SSL connection error: no cipher match

      This even happens if you set ssl_cipher to a TLSv1.2 cipher that also supports TLSv1.1 and TLSv1.0 (e.g. AES256-SHA).

      However, for some reason, setting ssl_cipher to "TLSv1.2" allows the connection to succeed without any errors. I see that this string is treated specially here:

      https://github.com/MariaDB/mariadb-connector-c/blob/db1a1a1d31cffd350f12e1ca5b0fd25f6a5ef0aa/libmariadb/secure/schannel.c#L316

      This problem causes ODBC-230.

      Attachments

        Issue Links

          causes

          Bug - A problem which impairs or prevents the functions of the product. ODBC-230 SSLCIPHER doesn't seem to work on Windows

          • Major - Major loss of function.
          • Closed
          relates to

          Task - A task that needs to be done. CONC-398 IANA cipher names are not accepted with Schannel

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Task - A task that needs to be done. CONC-403 Disable TLS v1.0

          • Major - Major loss of function.
          • Open

          Task - A task that needs to be done. CONC-412 Allow TLS1.2 in Schannel

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-12190 YASSL isn't able to negotiate TLS version correctly

          • Major - Major loss of function.
          • Closed

          Activity

            People

              wlad Vladislav Vaintroub
              GeoffMontee Geoff Montee (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.