Uploaded image for project: 'MariaDB Connector/C'
  1. MariaDB Connector/C
  2. CONC-393

TLSv1.2 ciphers are rejected on Windows with Schannel

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Fixed
    • 3.0.8
    • 3.1.1
    • None
    • None

    Description

      The following patch disabled the TLSv1.2 protocol for MariaDB Connector/C when using Schannel:

      https://github.com/MariaDB/mariadb-connector-c/commit/ba22ae8c6dac89b5e3fa07511f508e8b3efcd8dd

      With this change, if you set ssl_cipher to a TLSv1.2 cipher (e.g. AES256-GCM-SHA384) and if you try to connect to a server that supports TLSv1.2, then the connection will fail with an error like:

      SSL connection error: no cipher match

      This even happens if you set ssl_cipher to a TLSv1.2 cipher that also supports TLSv1.1 and TLSv1.0 (e.g. AES256-SHA).

      However, for some reason, setting ssl_cipher to "TLSv1.2" allows the connection to succeed without any errors. I see that this string is treated specially here:

      https://github.com/MariaDB/mariadb-connector-c/blob/db1a1a1d31cffd350f12e1ca5b0fd25f6a5ef0aa/libmariadb/secure/schannel.c#L316

      This problem causes ODBC-230.

      Attachments

        Issue Links

          causes

          Bug - A problem which impairs or prevents the functions of the product. ODBC-230 SSLCIPHER doesn't seem to work on Windows

          • Major - Major loss of function.
          • Closed
          relates to

          Task - A task that needs to be done. CONC-398 IANA cipher names are not accepted with Schannel

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Open

          Task - A task that needs to be done. CONC-403 Disable TLS v1.0

          • Major - Major loss of function.
          • Open

          Task - A task that needs to be done. CONC-412 Allow TLS1.2 in Schannel

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-12190 YASSL isn't able to negotiate TLS version correctly

          • Major - Major loss of function.
          • Closed

          Activity

            Ascending order - Click to sort in descending order
            GeoffMontee Geoff Montee (Inactive) created issue -
            GeoffMontee Geoff Montee (Inactive) made changes -
            Field Original Value New Value
            GeoffMontee Geoff Montee (Inactive) made changes -
            Description The following patch disabled the TLSv1.2 protocol for MariaDB Connector/C when using Schannel:

            https://github.com/MariaDB/mariadb-connector-c/commit/ba22ae8c6dac89b5e3fa07511f508e8b3efcd8dd

            With this change, if you set ssl_cipher to a TLSv1.2 cipher (e.g. TLS_RSA_WITH_AES_256_GCM_SHA384) and if you try to connect to a server that supports TLSv1.2, then the connection will fail with an error like:

            {noformat}
            SSL connection error: no cipher match
            {noformat}

            This even happens if you set ssl_cipher to a TLSv1.2 cipher that also supports TLSv1.1 and TLSv1.0 (i.e. TLS_RSA_WITH_AES_256_CBC_SHA).

            However, for some reason, setting ssl_cipher to "TLSv1.2" allows the connection to succeed without any errors. I see that this string is treated specially here:

            https://github.com/MariaDB/mariadb-connector-c/blob/db1a1a1d31cffd350f12e1ca5b0fd25f6a5ef0aa/libmariadb/secure/schannel.c#L316

            This problem causes ODBC-230.             		The following patch disabled the TLSv1.2 protocol for MariaDB Connector/C when using Schannel:

            https://github.com/MariaDB/mariadb-connector-c/commit/ba22ae8c6dac89b5e3fa07511f508e8b3efcd8dd

            With this change, if you set ssl_cipher to a TLSv1.2 cipher (e.g. TLS_RSA_WITH_AES_256_GCM_SHA384) and if you try to connect to a server that supports TLSv1.2, then the connection will fail with an error like:

            {noformat}
            SSL connection error: no cipher match
            {noformat}

            This even happens if you set ssl_cipher to a TLSv1.2 cipher that also supports TLSv1.1 and TLSv1.0 (e.g. TLS_RSA_WITH_AES_256_CBC_SHA).

            However, for some reason, setting ssl_cipher to "TLSv1.2" allows the connection to succeed without any errors. I see that this string is treated specially here:

            https://github.com/MariaDB/mariadb-connector-c/blob/db1a1a1d31cffd350f12e1ca5b0fd25f6a5ef0aa/libmariadb/secure/schannel.c#L316

            This problem causes ODBC-230.
            GeoffMontee Geoff Montee (Inactive) made changes -
            GeoffMontee Geoff Montee (Inactive) made changes -
            GeoffMontee Geoff Montee (Inactive) made changes -
            Description The following patch disabled the TLSv1.2 protocol for MariaDB Connector/C when using Schannel:

            https://github.com/MariaDB/mariadb-connector-c/commit/ba22ae8c6dac89b5e3fa07511f508e8b3efcd8dd

            With this change, if you set ssl_cipher to a TLSv1.2 cipher (e.g. TLS_RSA_WITH_AES_256_GCM_SHA384) and if you try to connect to a server that supports TLSv1.2, then the connection will fail with an error like:

            {noformat}
            SSL connection error: no cipher match
            {noformat}

            This even happens if you set ssl_cipher to a TLSv1.2 cipher that also supports TLSv1.1 and TLSv1.0 (e.g. TLS_RSA_WITH_AES_256_CBC_SHA).

            However, for some reason, setting ssl_cipher to "TLSv1.2" allows the connection to succeed without any errors. I see that this string is treated specially here:

            https://github.com/MariaDB/mariadb-connector-c/blob/db1a1a1d31cffd350f12e1ca5b0fd25f6a5ef0aa/libmariadb/secure/schannel.c#L316

            This problem causes ODBC-230.             		The following patch disabled the TLSv1.2 protocol for MariaDB Connector/C when using Schannel:

            https://github.com/MariaDB/mariadb-connector-c/commit/ba22ae8c6dac89b5e3fa07511f508e8b3efcd8dd

            With this change, if you set ssl_cipher to a TLSv1.2 cipher (e.g. AES256-GCM-SHA384) and if you try to connect to a server that supports TLSv1.2, then the connection will fail with an error like:

            {noformat}
            SSL connection error: no cipher match
            {noformat}

            This even happens if you set ssl_cipher to a TLSv1.2 cipher that also supports TLSv1.1 and TLSv1.0 (e.g. AES256-SHA).

            However, for some reason, setting ssl_cipher to "TLSv1.2" allows the connection to succeed without any errors. I see that this string is treated specially here:

            https://github.com/MariaDB/mariadb-connector-c/blob/db1a1a1d31cffd350f12e1ca5b0fd25f6a5ef0aa/libmariadb/secure/schannel.c#L316

            This problem causes ODBC-230.
            georg Georg Richter made changes -
            Fix Version/s 3.1.1 [ 23612 ]
            georg Georg Richter made changes -
            GeoffMontee Geoff Montee (Inactive) made changes -
            GeoffMontee Geoff Montee (Inactive) made changes -
            Assignee Georg Richter [ georg ] Vladislav Vaintroub [ wlad ]
            Resolution Fixed [ 1 ]
            Status Open [ 1 ] Closed [ 6 ]
            julien.fritsch Julien Fritsch made changes -
            Workflow MariaDB connectors [ 93376 ] MariaDB v4 [ 161162 ]

            People

              wlad Vladislav Vaintroub
              GeoffMontee Geoff Montee (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.