[CONC-393] TLSv1.2 ciphers are rejected on Windows with Schannel - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 3.0.8
Fix Version/s: 3.1.1
Component/s: None
Labels:
None

Description

The following patch disabled the TLSv1.2 protocol for MariaDB Connector/C when using Schannel:

https://github.com/MariaDB/mariadb-connector-c/commit/ba22ae8c6dac89b5e3fa07511f508e8b3efcd8dd

With this change, if you set ssl_cipher to a TLSv1.2 cipher (e.g. AES256-GCM-SHA384) and if you try to connect to a server that supports TLSv1.2, then the connection will fail with an error like:

SSL connection error: no cipher match

This even happens if you set ssl_cipher to a TLSv1.2 cipher that also supports TLSv1.1 and TLSv1.0 (e.g. AES256-SHA).

However, for some reason, setting ssl_cipher to "TLSv1.2" allows the connection to succeed without any errors. I see that this string is treated specially here:

https://github.com/MariaDB/mariadb-connector-c/blob/db1a1a1d31cffd350f12e1ca5b0fd25f6a5ef0aa/libmariadb/secure/schannel.c#L316

This problem causes ~~ODBC-230~~.

Attachments

Issue Links

causes

ODBC-230 SSLCIPHER doesn't seem to work on Windows

Closed

relates to

CONC-398 IANA cipher names are not accepted with Schannel

Open

CONC-403 Disable TLS v1.0

Open

CONC-412 Allow TLS1.2 in Schannel

Closed

MDEV-12190 YASSL isn't able to negotiate TLS version correctly

Closed

Activity

Geoff Montee (Inactive) added a comment - 2019-06-04 07:56

This should be fixed after ~~CONC-412~~.

Geoff Montee (Inactive) added a comment - 2019-06-04 07:56 This should be fixed after CONC-412 .

People

Assignee:: Vladislav Vaintroub

Reporter:: Geoff Montee (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2019-03-20 00:41

Updated:: 2019-10-08 19:27

Resolved:: 2019-06-04 07:56

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.