[MDEV-15341] Disable TLS session tickets - Jira

XML

Word

Printable

Details

Type: Task
Status: Closed (View Workflow)
Priority: Minor
Resolution: Won't Fix
Fix Version/s: N/A
Component/s: SSL
Labels:
None

Sprint:
10.2.14

Description

By default the RFC5077 (TLS session ticket) extension is enabled in MariaDB server.

When connecting via Windows SChannel (which uses session tickets by default) the handshake fails sometimes, since the server isn't able to send a session ticket (see 2nd screenshot: Instead of sending the session ticket, server sends a 92 byte packet, containing the error message "Bad handshake").

Proposal: Fix or disable session tickets in server.

How to repeat:

C:\>mysql -uuser -ppassword -hmariadbtls2.cvz6gk5op1wk.us-east-1.rds.amazonaws.com --ssl -e"select @@version_ssl_library";

+--------------------------------+

| @@version_ssl_library          |

+--------------------------------+

| OpenSSL 1.0.1k-fips 8 Jan 2015 |

+--------------------------------+

C:\>mysql -uuser -ppassword -hmariadbtls2.cvz6gk5op1wk.us-east-1.rds.amazonaws.com --ssl -e"select @@version_ssl_library";

ERROR 2026 (HY000): Unknown SSL error (0x80090308)

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

no_ticket.patch
0.4 kB
2018-02-17 10:10
Screenshot from 2018-02-17 10-23-52.png
623 kB
2018-02-17 09:59
Screenshot from 2018-02-17 10-49-39.png
617 kB
2018-02-17 09:59

Issue Links

relates to

MDEV-10803 connection timeout doesn't work for SSL connections

Open

Activity

People

Assignee:: Sergei Golubchik

Reporter:: Georg Richter

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2018-02-17 10:11

Updated:: 2018-08-31 14:19

Resolved:: 2018-08-31 14:18

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.