  1. MariaDB Connector/C
  2. CONC-748

Can't set a cipher to use with clients linked against GnuTLS

Details

    Description

      When using a generic binary tarball install where the server is linked against WolfSSL instead of OpenSSL, and the client against GnuTLS, trying to pass a --ssl-cipher option fails with "No or insufficient priorities were set":

      # mysql --user=user --host=127.0.0.1 --ssl --ssl-cipher=TLS_AES_128_GCM_SHA256
      ERROR 2026 (HY000): TLS/SSL error: No or insufficient priorities were set.
      

      I could not really find any useful information on this GnuTLS error message. I assume that this might be about GnuTLS using different cipher naming conventions, maybe?

        Activity

          serg Sergei Golubchik added a comment - - edited

          The syntax for GnuTLS priority strings is described here: https://gnutls.org/manual/html_node/Priority-Strings.html

          Internally libmariadb converts cipher names into the priority string as (see here)

          NONE:+VERS-TLS-ALL:+SIGN-ALL:+COMP-NULL:+CURVE-ALL
          

          and appending colon-separated cipher names.

          So your error likely means that GnuTLS uses different cipher names, indeed.

          Looking here: https://www.gnutls.org/manual/html_node/Supported-ciphersuites.html one could conclude that there is a ciphersuite named TLS_AES_128_GCM_SHA256 but one cannot specify a ciphersuite name in the priority string.
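A pre-flight check for an --ssl-cipher value, added here as an example and not taken from libmariadb or GnuTLS. It assumes the names are appended verbatim to the base string quoted in the comment above, and it flags any appended element that does not have the shape of a priority-string element (a level keyword, or an item prefixed with +, -, ! or %). The split of a suite name into its key exchange, cipher and MAC names is a heuristic, and the result is not checked against GnuTLS itself.

```python
import re

# Base string quoted in the comment above.
BASE = "NONE:+VERS-TLS-ALL:+SIGN-ALL:+COMP-NULL:+CURVE-ALL"
# Level keywords listed in the GnuTLS priority-string manual page.
KEYWORDS = {"NONE", "NORMAL", "LEGACY", "PFS", "PERFORMANCE",
            "SECURE128", "SECURE192", "SECURE256", "SUITEB128", "SUITEB192"}
# IANA-style suite name: TLS_[<kx>_WITH_]<cipher>_<hash>
SUITE = re.compile(
    r"^TLS_(?:(?P<kx>[A-Z0-9_]+)_WITH_)?(?P<cipher>[A-Z0-9_]+)_(?P<mac>SHA\d*|MD5)$")

def build_priority(cipher_option):
    """Append the colon-separated names to BASE (assumption: verbatim)."""
    return BASE + ":" + cipher_option

def is_priority_token(tok):
    """True if tok has the shape of a priority-string element."""
    return (tok in KEYWORDS or tok.startswith("@")
            or (len(tok) > 1 and tok[0] in "+-!%"))

def components(suite):
    """Split an IANA-style suite name into +KX / +CIPHER / +MAC elements.
    Heuristic only: the names are not checked against GnuTLS's own lists."""
    m = SUITE.match(suite)
    if not m:
        return None
    cipher = m["cipher"].replace("_", "-")
    aead = any(x in cipher for x in ("GCM", "CCM", "POLY1305"))
    mac = "AEAD" if aead else ("SHA1" if m["mac"] == "SHA" else m["mac"])
    toks = ["+" + cipher, "+" + mac]
    if m["kx"]:
        toks.insert(0, "+" + m["kx"].replace("_", "-"))
    return toks

def lint(cipher_option):
    """Return (priority_string, [(bad_element, suggested_components)])."""
    bad = [(t, components(t)) for t in cipher_option.split(":")
           if not is_priority_token(t)]
    return build_priority(cipher_option), bad

if __name__ == "__main__":
    # The option value from the report above.
    print(lint("TLS_AES_128_GCM_SHA256"))
```
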


          People

            georg Georg Richter
            hholzgra Hartmut Holzgraefe