Uploaded image for project: 'MariaDB Connector/C'
  1. MariaDB Connector/C
  2. CONC-417

Windows clients using Schannel often encounter error SEC_E_INVALID_TOKEN (0x80090308) - The token supplied to the function is invalid

Details

    • Bug
    • Status: Closed (View Workflow)
    • Critical
    • Resolution: Fixed
    • 3.0.8, 3.1.0, 3.1.5
    • 3.1.6
    • None
    • None

    Description

      Windows clients that use Schannel often encounter the following error:

      SEC_E_INVALID_TOKEN (0x80090308) - The token supplied to the function is invalid

      MariaDB Connector/C doesn't actually print the error message text, so users actually see this less understandable error message:

      Unknown SSL error (0x80090308)

      As part of this fix, maybe SEC_E_INVALID_TOKEN should be added to the switch statement with a more reasonable error message in ma_schannel_set_sec_error , so that users have a easier time understanding what this means.

      https://github.com/MariaDB/mariadb-connector-c/blob/v3.1.0/libmariadb/secure/ma_schannel.c#L32

      CONC-418 is also relevant to improving this error message.

      In MDEV-13492, it was speculated that the cause may be that when the server is using yaSSL, the server may not be able to perform the DH handshake properly. I don't think this is the cause, because some users are seeing this issue while not using yaSSL in the server, and while also not using ciphers that use the DH algorithm.

      In CONC-391, it was speculated that the cause may be that the client may need to be upgraded to a newer Windows version. I don't think this is the cause, because some users are seeing this issue while using an up-to-date Windows 10.

      It seems that we still need to determine the root cause.

      Attachments

        Issue Links

          relates to

          Task - A task that needs to be done. CONC-418 Use FormatMessage to get error string for unknown Schannel error codes

          • Major - Major loss of function.
          • Closed

          Task - A task that needs to be done. CONC-432 Use GnuTLS for Windows builds instead of Schannel

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. CONC-391 Unknown SSL error - MariaDB

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-13492 main.ssl_connect failed with 2026: Unknown SSL error (0x80090308)

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-13726 main.ssl_timeout, main.ssl_7937 failed (sporadically) in buildbot, unknown SSL error (0x80090308)

          • Major - Major loss of function.
          • Closed

          Activity

            Ascending order - Click to sort in descending order
            GeoffMontee Geoff Montee (Inactive) created issue -
            GeoffMontee Geoff Montee (Inactive) made changes -
            Field Original Value New Value
            GeoffMontee Geoff Montee (Inactive) made changes -
            GeoffMontee Geoff Montee (Inactive) made changes -
            GeoffMontee Geoff Montee (Inactive) made changes -
            Description Windows clients that use Schannel often encounter the following error:

            {noformat}
            SEC_E_INVALID_TOKEN (0x80090308) - The token supplied to the function is invalid
            {noformat}

            MariaDB Connector/C doesn't actually print the error message text, so users actually see this less understandable error message:

            {noformat}
            Unknown SSL error (0x80090308)
            {noformat}

            In MDEV-13492, it was speculated that the cause may be that when the server is using yaSSL, the server may not be able to perform the DH handshake properly. I don't think this is the cause, because some users are seeing this issue while *not* using yaSSL in the server, and while also *not* using ciphers that use the DH algorithm.

            In CONC-391, it was speculated that the cause may be that the client may need to be upgraded to a newer Windows version. I don't think this is the cause, because some users are seeing this issue while using an up-to-date Windows 10.

            It seems that we still need to determine the root cause.             		Windows clients that use Schannel often encounter the following error:

            {noformat}
            SEC_E_INVALID_TOKEN (0x80090308) - The token supplied to the function is invalid
            {noformat}

            MariaDB Connector/C doesn't actually print the error message text, so users actually see this less understandable error message:

            {noformat}
            Unknown SSL error (0x80090308)
            {noformat}

            As part of this fix, maybe SEC_E_INVALID_TOKEN should be added to the switch statement with a more reasonable error message in ma_schannel_set_sec_error , so that users have a easier time understanding what this means.

            https://github.com/MariaDB/mariadb-connector-c/blob/v3.1.0/libmariadb/secure/ma_schannel.c#L32

            In MDEV-13492, it was speculated that the cause may be that when the server is using yaSSL, the server may not be able to perform the DH handshake properly. I don't think this is the cause, because some users are seeing this issue while *not* using yaSSL in the server, and while also *not* using ciphers that use the DH algorithm.

            In CONC-391, it was speculated that the cause may be that the client may need to be upgraded to a newer Windows version. I don't think this is the cause, because some users are seeing this issue while using an up-to-date Windows 10.

            It seems that we still need to determine the root cause.
            GeoffMontee Geoff Montee (Inactive) made changes -
            GeoffMontee Geoff Montee (Inactive) made changes -
            Description Windows clients that use Schannel often encounter the following error:

            {noformat}
            SEC_E_INVALID_TOKEN (0x80090308) - The token supplied to the function is invalid
            {noformat}

            MariaDB Connector/C doesn't actually print the error message text, so users actually see this less understandable error message:

            {noformat}
            Unknown SSL error (0x80090308)
            {noformat}

            As part of this fix, maybe SEC_E_INVALID_TOKEN should be added to the switch statement with a more reasonable error message in ma_schannel_set_sec_error , so that users have a easier time understanding what this means.

            https://github.com/MariaDB/mariadb-connector-c/blob/v3.1.0/libmariadb/secure/ma_schannel.c#L32

            In MDEV-13492, it was speculated that the cause may be that when the server is using yaSSL, the server may not be able to perform the DH handshake properly. I don't think this is the cause, because some users are seeing this issue while *not* using yaSSL in the server, and while also *not* using ciphers that use the DH algorithm.

            In CONC-391, it was speculated that the cause may be that the client may need to be upgraded to a newer Windows version. I don't think this is the cause, because some users are seeing this issue while using an up-to-date Windows 10.

            It seems that we still need to determine the root cause.             		Windows clients that use Schannel often encounter the following error:

            {noformat}
            SEC_E_INVALID_TOKEN (0x80090308) - The token supplied to the function is invalid
            {noformat}

            MariaDB Connector/C doesn't actually print the error message text, so users actually see this less understandable error message:

            {noformat}
            Unknown SSL error (0x80090308)
            {noformat}

            As part of this fix, maybe SEC_E_INVALID_TOKEN should be added to the switch statement with a more reasonable error message in ma_schannel_set_sec_error , so that users have a easier time understanding what this means.

            https://github.com/MariaDB/mariadb-connector-c/blob/v3.1.0/libmariadb/secure/ma_schannel.c#L32

            CONC-418 is also relevant to improving this error message.

            In MDEV-13492, it was speculated that the cause may be that when the server is using yaSSL, the server may not be able to perform the DH handshake properly. I don't think this is the cause, because some users are seeing this issue while *not* using yaSSL in the server, and while also *not* using ciphers that use the DH algorithm.

            In CONC-391, it was speculated that the cause may be that the client may need to be upgraded to a newer Windows version. I don't think this is the cause, because some users are seeing this issue while using an up-to-date Windows 10.

            It seems that we still need to determine the root cause.
            GeoffMontee Geoff Montee (Inactive) made changes -
            Priority Major [ 3 ] Critical [ 2 ]
            GeoffMontee Geoff Montee (Inactive) made changes -
            Richard Richard Stracke made changes -
            GeoffMontee Geoff Montee (Inactive) made changes -
            Affects Version/s 3.1.5 [ 24016 ]
            GeoffMontee Geoff Montee (Inactive) made changes -
            Fix Version/s 3.1.6 [ 24033 ]
            Fix Version/s 3.1 [ 23223 ]
            Assignee Georg Richter [ georg ] Vladislav Vaintroub [ wlad ]
            Resolution Fixed [ 1 ]
            Status Open [ 1 ] Closed [ 6 ]
            julien.fritsch Julien Fritsch made changes -
            Workflow MariaDB connectors [ 97335 ] MariaDB v4 [ 161171 ]

            People

              wlad Vladislav Vaintroub
              GeoffMontee Geoff Montee (Inactive)
              Votes:
              1 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.