Uploaded image for project: 'MariaDB Connector/J'
  1. MariaDB Connector/J
  2. CONJ-721

Connector-J missing TLSv1.3 TLS_CHACHA20_POLY1305_SHA256 ciphersuite support; other v1.3 suites ok

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Not a Bug
    • 2.4.2, 2.4.3
    • N/A
    • protocol, SSL, TLS
    • None

    Description

      running

      	mariadb --version
      		 
      		mariadb  Ver 15.1 Distrib 10.4.7-MariaDB, for Linux (x86_64) using readline 5.1

      and, Connector-J built from head

      git log | head
      		 
      	commit 8b2f79cf1bf77684d924018f51807d8bd3be5c49
      		 
      	Author: rusher <diego.dupin@gmail.com>
      		 
      	Date:   Mon Jun 17 14:42:12 2019 +0200
      		 
       
      		 
      	    [misc] correction test for multi-insert value
      		 
       
      		 
      	commit c160500cc2e7eb423c37cc72f2c95151e67954f5
      		 
      	Merge: 94465b67 c9a86cf7
      		 
      	Author: rusher <diego.dupin@gmail.com>
      		 
      	Date:   Mon Jun 17 14:27:07 2019 +0200

      with a MDB SSL config of

      	[server]
      		 
      	tls_version = TLSv1.3
      		 
      	...
      		 
       
      		 
      	[client]
      		 
      	tls_version = TLSv1.3
      		 
      	...

      and an openssl 1.1.1c config defining cipher prefence order,

      	/etc/ssl/openssl.cnf
      		 
      		...
      		 
      		[system_default_sect]
      		 
      		Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
      		 
      		Options = ServerPreference,PrioritizeChaCha

      on mysql client connect, the connection correctly uses TLSv1.3 protocol, and the preferred/spec'd cipher

      	mysql << EOF
      		 
      	 SHOW SESSION STATUS LIKE 'Ssl_version';
      		 
      	 SHOW SESSION STATUS LIKE 'Ssl_cipher';
      		 
      	EOF
      		 
       
      		 
      		Variable_name   Value
      		 
      		Ssl_version     TLSv1.3
      		 
      		Ssl_cipher      TLS_CHACHA20_POLY1305_SHA256

      OTOH, checking JDBC connection with sqlline, using MDB Connector-J 2.4.2's provided class,

      	java -cp "/usr/local/src/sqlline/target/*:/usr/local/etc/mariadb/connector-j/*" sqlline.SqlLine .
      		 
       
      		 
      		!connect jdbc:mysql://db.pgnd.lan:3306/mysql?&useSSL=true&enabledSslProtocolSuites=TLSv1.3&enabledSslCipherSuites=TLS_CHACHA20_POLY1305_SHA256&verifyServerCertificate=true&disableSslHostnameVerification=false&serverSslCert=/etc/ssl/myCA.pem.pem&jdbcCompliantTruncation=false&autoReconnect=true testuser "testpass"

      connection FAILs, 

      	Error: Unsupported SSL cipher 'TLS_CHACHA20_POLY1305_SHA256'. Supported ciphers : TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV (state=,code=0)

      If I switch to ANOTHER TLSv1.3 ciphersuite option,

      	-	TLS_CHACHA20_POLY1305_SHA256
      		 
      	+	TLS_AES_256_GCM_SHA384

      re-checking JDBC connection with sqlline,,

      	java -cp "/usr/local/src/sqlline/target/*:/usr/local/etc/mariadb/connector-j/*" sqlline.SqlLine .
      		 
       
      		 
      		!connect jdbc:mysql://db.pgnd.lan:3306/mysql?&useSSL=true&enabledSslProtocolSuites=TLSv1.3&enabledSslCipherSuites=TLS_AES_256_GCM_SHA384&verifyServerCertificate=true&disableSslHostnameVerification=false&serverSslCert=/etc/ssl/myCA.pem.pem&jdbcCompliantTruncation=false&autoReconnect=true testuser "testpass"

      now connects,

      	0: jdbc:mysql://db.pgnd.lan:>

      and uses TLSv1.3

      	SHOW SESSION STATUS LIKE 'Ssl_version';
      		 
       
      		 
      		Variable_name   Value
      		 
      		Ssl_version     TLSv1.3

      AND the preferred/spec'd cipher

      	SHOW SESSION STATUS LIKE 'Ssl_cipher';
      		 
       
      		 
      		Variable_name   Value
      		 
      		Ssl_cipher      TLS_AES_256_GCM_SHA384

      Attachments

        Activity

          People

            diego dupin Diego Dupin
            pgnd pgnd
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.