Uploaded image for project: 'MariaDB Connector/J'
  1. MariaDB Connector/J
  2. CONJ-721

Connector-J missing TLSv1.3 TLS_CHACHA20_POLY1305_SHA256 ciphersuite support; other v1.3 suites ok

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Not a Bug
    • Affects Version/s: 2.4.2, 2.4.3
    • Fix Version/s: N/A
    • Component/s: protocol, SSL, TLS
    • Labels:
      None

      Description

      running

      	mariadb --version
      		mariadb  Ver 15.1 Distrib 10.4.7-MariaDB, for Linux (x86_64) using readline 5.1
      

      and, Connector-J built from head

      git log | head
      	commit 8b2f79cf1bf77684d924018f51807d8bd3be5c49
      	Author: rusher <diego.dupin@gmail.com>
      	Date:   Mon Jun 17 14:42:12 2019 +0200
       
      	    [misc] correction test for multi-insert value
       
      	commit c160500cc2e7eb423c37cc72f2c95151e67954f5
      	Merge: 94465b67 c9a86cf7
      	Author: rusher <diego.dupin@gmail.com>
      	Date:   Mon Jun 17 14:27:07 2019 +0200
      

      with a MDB SSL config of

      	[server]
      	tls_version = TLSv1.3
      	...
       
      	[client]
      	tls_version = TLSv1.3
      	...
      

      and an openssl 1.1.1c config defining cipher prefence order,

      	/etc/ssl/openssl.cnf
      		...
      		[system_default_sect]
      		Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
      		Options = ServerPreference,PrioritizeChaCha
      

      on mysql client connect, the connection correctly uses TLSv1.3 protocol, and the preferred/spec'd cipher

      	mysql << EOF
      	 SHOW SESSION STATUS LIKE 'Ssl_version';
      	 SHOW SESSION STATUS LIKE 'Ssl_cipher';
      	EOF
       
      		Variable_name   Value
      		Ssl_version     TLSv1.3
      		Ssl_cipher      TLS_CHACHA20_POLY1305_SHA256
      

      OTOH, checking JDBC connection with sqlline, using MDB Connector-J 2.4.2's provided class,

      	java -cp "/usr/local/src/sqlline/target/*:/usr/local/etc/mariadb/connector-j/*" sqlline.SqlLine .
       
      		!connect jdbc:mysql://db.pgnd.lan:3306/mysql?&useSSL=true&enabledSslProtocolSuites=TLSv1.3&enabledSslCipherSuites=TLS_CHACHA20_POLY1305_SHA256&verifyServerCertificate=true&disableSslHostnameVerification=false&serverSslCert=/etc/ssl/myCA.pem.pem&jdbcCompliantTruncation=false&autoReconnect=true testuser "testpass"
      

      connection FAILs,

      	Error: Unsupported SSL cipher 'TLS_CHACHA20_POLY1305_SHA256'. Supported ciphers : TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV (state=,code=0)
      

      If I switch to ANOTHER TLSv1.3 ciphersuite option,

      	-	TLS_CHACHA20_POLY1305_SHA256
      	+	TLS_AES_256_GCM_SHA384
      

      re-checking JDBC connection with sqlline,,

      	java -cp "/usr/local/src/sqlline/target/*:/usr/local/etc/mariadb/connector-j/*" sqlline.SqlLine .
       
      		!connect jdbc:mysql://db.pgnd.lan:3306/mysql?&useSSL=true&enabledSslProtocolSuites=TLSv1.3&enabledSslCipherSuites=TLS_AES_256_GCM_SHA384&verifyServerCertificate=true&disableSslHostnameVerification=false&serverSslCert=/etc/ssl/myCA.pem.pem&jdbcCompliantTruncation=false&autoReconnect=true testuser "testpass"
      

      now connects,

      	0: jdbc:mysql://db.pgnd.lan:>
      

      and uses TLSv1.3

      	SHOW SESSION STATUS LIKE 'Ssl_version';
       
      		Variable_name   Value
      		Ssl_version     TLSv1.3
      

      AND the preferred/spec'd cipher

      	SHOW SESSION STATUS LIKE 'Ssl_cipher';
       
      		Variable_name   Value
      		Ssl_cipher      TLS_AES_256_GCM_SHA384
      

        Attachments

          Activity

            People

            Assignee:
            diego dupin Diego Dupin
            Reporter:
            pgnd pgnd
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:

                Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.