Details
- Bug
- Status: Closed
- Critical
- Resolution: Fixed
- 3.1.11
- Client is Windows 10, Server is MariaDB 10.5.8 on Ubuntu 20.04
Description
The MariaDB connector on Windows seems unable to connect to a MariaDB server running on Ubuntu. Although the error (coming from MS Secure Channel) suggests a cipher mismatch, inspection of the ciphers supported on both sides shows 14 ciphers in common, one of which was selected by the server in the Server Hello.
The MySQL connector/C connects fine from Windows to the same MariaDB.
Inspection of the packets using Wireshark did not show an obvious problem. The Client Hello and Server Hello seemed ok (to a non-TLS expert). Stepping through the MariaDB Connector code on the Windows side also didn't show any obvious problem.
I've reached the limits of the debugging that I can do in this context. Are there other errors which MS will put into the "SEC_E_ALGORITHM_MISMATCH" return code? Are there any other known problems with MariaDB Connector/C on Windows? Any other ideas?
Wireshark files and (example self-signed) certificates are available.
To replicate:
(1) Have MariaDB 10.5.8 running on Ubuntu 20.04
In the config file have three lines
ssl-ca=/path/to/rootCA2.crt
ssl-cert=/path/to/sqlserver2.crt
ssl-key=/path/to/sqlserver2.key
add new user as
CREATE USER 'testuser'@'%' IDENTIFIED BY 'ChangeMe' REQUIRE X509;
(2) On Windows, use the command
"C:\Program Files\MariaDB 10.5\bin\mysql.exe" --ssl-cert=C:\Path\to\sqlclient2.crt --ssl-ca=C:\Path\to\rootCA2.crt --ssl-key=C:\Path\to\sqlclient2.key --user=testuser -pChangeMe --host=<ubuntu_hostname> --protocol=tcp --port=3306 --default-character-set=utf8
This should give the error
ERROR 2026 (HY000): SSL connection error: no cipher match. Error 0x80090331(SEC_E_ALGORITHM_MISMATCH)
Apologies if there is anything wrong with these settings, but I feel I have tried as many permutations as I can think of.
Thanks.
Issue Links
- duplicates: MDEV-25798 Windows SChannel clients fail to connect to OpenSSL servers with "No cipher match" (Closed)
- is duplicated by: CONC-639 Unable to connect to SSL using client certificates SEC_E_ALGORITHM_MISMATCH (Closed)
- relates to: CONC-639 Unable to connect to SSL using client certificates SEC_E_ALGORITHM_MISMATCH (Closed)
There appears to be some kind of bug in OpenSSL. According to Google, Ubuntu made the decision to compile with non-default settings for OpenSSL, to make it appear more secure.
https://github.com/Ensembl/ensembl-rest/issues/427 discusses one bug, but I'm not sure we're tripping over it. It looks like OpenSSL itself is more lax about the strict requirements it imposes on client certificates, with SECLEVEL=2, than other SSL implementations are.
The workaround
Now, for all people who deal with that problem on Ubuntu 20.04, this is one workaround
There are some variations on the CipherString workaround; a popular discussion is at https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level.
This has something to do with the client certificate, and how it was created, but I frankly have no idea what exactly that can be.