MariaDB Connector/C

CONC-639: Unable to connect to SSL using client certificates SEC_E_ALGORITHM_MISMATCH

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 3.1, 3.2 (EOL), 3.3, 3.4
    • Fix Version/s: N/A
    • Component/s: TLS/SSL
    • Labels: None

    Description

      Hello,

      I have set up a secure SSL connection between a Mariadb client and a Mariadb server. I use HeidiSQL client (compiled with MariaDB Connector C).

      When upgrading the server from OpenSSL 2.x to the latest version of OpenSSL 3.x, the client will refuse to connect and closes the connection with error: SEC_E_ALGORITHM_MISMATCH.

      The logs of the server are not helpful either. The server only sees an aborted connection from the client.

      Aborted connection 3 to db: 'unconnected' user: 'unauthenticated' host: '192.168.1.61' (This connection closed normally without authentication).
      

      I initially submitted a ticket to HeidiSQL team, but the problem was not related:
      https://github.com/HeidiSQL/HeidiSQL/issues/1426
      Here another user complains for the same reasons and exact same symptoms, with a lot more details:
      https://github.com/HeidiSQL/HeidiSQL/issues/1768
      Note that HeidiSQL uses the version of MariaDB C Connector linked with SChannel.

      I have submitted an issue to OpenSSL as well and explained the problems in great details here:
      https://github.com/openssl/openssl/issues/20138
      From there, it looks like for some reason the client is unable to find a common signature algorithm with the server. Can this be a misusage of SChannel?

      Please find attached the Wireshark capture (same as Openssl GitHub issue above #20138)

      Note: this is probably a duplicate from: CONC-527
      And even though the solution proposed works, using a less secure cipher level in OpenSSL is not an acceptable solution.
      With all the new evidence gathered in the investigations above, I hope we can finally find the culprit and fix it once and for all.

      Thanks a lot, best regards
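The diagnosis in the report ("the client is unable to find a common signature algorithm with the server") can be checked directly against the ClientHello in a capture such as the attached one. The following Python is an added example written for this page, not code from MariaDB Connector/C, HeidiSQL or OpenSSL: it parses the signature_algorithms extension out of a raw TLS ClientHello record and intersects it with the list a server is willing to use, in the server's preference order. The ClientHello bytes (built by the example's own `build_client_hello`) and the server-side list in the `__main__` block are constructed for illustration and say nothing about what Schannel or the reporter's OpenSSL server actually offer; `parse_client_hello_sigalgs` and `common_sigalgs` are names chosen here.

```python
"""Added example: extract the signature_algorithms a TLS client offers and
check it against a server-side list, to confirm a "no common signature
algorithm" handshake failure from a capture alone."""
import struct

# IANA TLS SignatureScheme code points (RFC 8446 4.2.3; 0x02xx/0x04xx-0x06xx
# are the legacy TLS 1.2 hash/signature pairs from RFC 5246).
SIGNATURE_SCHEMES = {
    0x0201: "rsa_pkcs1_sha1", 0x0203: "ecdsa_sha1",
    0x0401: "rsa_pkcs1_sha256", 0x0403: "ecdsa_secp256r1_sha256",
    0x0501: "rsa_pkcs1_sha384", 0x0503: "ecdsa_secp384r1_sha384",
    0x0601: "rsa_pkcs1_sha512", 0x0603: "ecdsa_secp521r1_sha512",
    0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384",
    0x0806: "rsa_pss_rsae_sha512", 0x0809: "rsa_pss_pss_sha256",
    0x080A: "rsa_pss_pss_sha384", 0x080B: "rsa_pss_pss_sha512",
}
EXT_SIGNATURE_ALGORITHMS = 0x000D


def build_client_hello(sigalgs, cipher_suites=(0xC02F, 0xC030)):
    """Constructed TLS 1.2 ClientHello record (fixed random, empty session id,
    one extension) standing in for the first record of a capture."""
    client_random = bytes(range(32))
    sa = b"".join(struct.pack("!H", s) for s in sigalgs)
    ext = struct.pack("!HHH", EXT_SIGNATURE_ALGORITHMS, len(sa) + 2, len(sa)) + sa
    cs = b"".join(struct.pack("!H", c) for c in cipher_suites)
    hello = (b"\x03\x03" + client_random + b"\x00"      # version, random, session_id
             + struct.pack("!H", len(cs)) + cs           # cipher_suites
             + b"\x01\x00"                               # compression: null only
             + struct.pack("!H", len(ext)) + ext)        # extensions
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello  # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 22


def parse_client_hello_sigalgs(record):
    """Return the SignatureScheme code points offered in a ClientHello record.

    Raises ValueError for anything that is not one complete handshake record
    carrying a ClientHello; returns [] when the extension is absent (TLS 1.0
    and 1.1 clients never send it)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or not body or body[0] != 0x01:
        raise ValueError("record does not carry a complete ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                        # legacy_version + random
    pos += 1 + hello[pos]               # session_id (length-prefixed)
    (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2 + cs_len                   # cipher_suites
    pos += 1 + hello[pos]               # compression_methods
    if pos >= len(hello):
        return []                       # no extensions block at all
    (ext_len,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", hello[pos:pos + 4])
        data = hello[pos + 4:pos + 4 + ext_size]
        pos += 4 + ext_size
        if ext_type == EXT_SIGNATURE_ALGORITHMS:
            (n,) = struct.unpack("!H", data[:2])
            return [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
    return []


def common_sigalgs(client, server):
    """Schemes both sides accept, in the server's preference order (the order
    a TLS server walks when choosing how to sign its handshake)."""
    offered = set(client)
    return [s for s in server if s in offered]


def names(schemes):
    return [SIGNATURE_SCHEMES.get(s, "unknown(0x%04x)" % s) for s in schemes]


if __name__ == "__main__":
    # Constructed client offer: SHA-1 and SHA-2 PKCS#1 schemes, no PSS.
    client = [0x0401, 0x0501, 0x0201, 0x0403, 0x0203]
    # Assumed server lists (illustration only, not any real server's config).
    lenient = [0x0804, 0x0401, 0x0501, 0x0403]
    strict = [0x0804, 0x0805, 0x0806, 0x0809]   # PSS only: nothing in common
    offered = parse_client_hello_sigalgs(build_client_hello(client))
    print("client offers:", names(offered))
    print("common with lenient server:", names(common_sigalgs(offered, lenient)))
    print("common with strict server:", names(common_sigalgs(offered, strict)))
```

An empty intersection is the condition the report describes: the server then has no scheme it can use for its own signature (or for the CertificateRequest), and a Schannel client surfaces the resulting alert as SEC_E_ALGORITHM_MISMATCH while the server only logs an aborted connection. Feed the function the raw ClientHello bytes exported from Wireshark to compare a real client against the server's configured list.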

          Activity

            Lotendan Lotendan added a comment -

            Hello, any news on this issue please?

            georg Georg Richter added a comment -

            A possible reason might be the SCHANNEL_CRED structure, which has been deprecated since Windows 10 1809 and needs to be replaced by SCH_CREDENTIALS.

            I filed a new task CONC-653 (TLSv1.3 support in Schannel) which will hopefully also solve this issue.

            Asakura Yoh added a comment -

            Hi,
            With a Connector/C-based tool, is there any temporary solution to access via SSL from Windows?

            Lotendan Lotendan added a comment -

            Hello,
            I have tested this successfully with MySQL C connector 8.4.0, which fixes this issue.
            Maybe this helps to track down where the issue comes from?

            RafaelKr Rafael Kraut added a comment - - edited

            Also for reference: this was fixed in HeidiSQL yesterday by using libmysql from MySQL 8.4.0, and there were some other minor changes required.
            See the new comment https://github.com/HeidiSQL/HeidiSQL/issues/1768#issuecomment-2135832359


            wlad Vladislav Vaintroub added a comment -

            It is really a duplicate. I reopened CONC-527; after some investigations, I found there are some ways to influence the TLS handshake so that it can please Ubuntu's OpenSSL without modifying its SECURITY_LEVEL. Suggest monitoring CONC-527 instead of this one.

            wlad Vladislav Vaintroub added a comment -

            Ah, and MySQL Connector/C has a much, much easier life, because they are on OpenSSL everywhere, also on Windows. Schannel and CryptoAPI are very sparsely documented compared to that.

            People

              Assignee: Vladislav Vaintroub (wlad)
              Reporter: Lotendan
              Votes: 7
              Watchers: 10