  1. MariaDB Server
  2. MDEV-18019

Default test certificate key too small, incompatible with OpenSSL 1.1.0

Details

    Description

      After uploading MariaDB 10.3 to Debian experimental I noticed all builds were failing. One of the reasons was the inability of the mysqld process to serve any connections due to this:

      SSL error: Unable to get certificate from '/tmp/build/source/mysql-test/std_data/server-cert.pem'
      2018-12-16 15:56:57 0 [Warning] Failed to setup SSL
      2018-12-16 15:56:57 0 [Warning] SSL error: Unable to get certificate
      2018-12-16 15:56:57 0 [Warning] SSL error: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
      2018-12-16 15:56:57 0 [Note] Server socket created on IP: '127.0.0.1'.
      2018-12-16 15:56:57 0 [Note] Reading of all Master_info entries succeded
      2018-12-16 15:56:57 0 [Note] Added new Master_info '' to hash table
      2018-12-16 15:56:57 0 [Note] /tmp/build/source/builddir/sql/mysqld: ready for connections.
      Version: '10.3.11-MariaDB-1~exp1-log'  socket: '/tmp/build/source/builddir/mysql-test/var/tmp/4/mysqld.1.sock'  port: 16060  Debian unstable
      

      Reports online suggest that the new OpenSSL (available in Debian unstable) does not accept the small keysize in our test certificate. See https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_security_level.html

          Activity

            otto Otto Kekäläinen added a comment - I have created a fix for this and it's now patched in Debian. I will upstream that patch soon.

            otto Otto Kekäläinen added a comment - Fixed downstream in https://salsa.debian.org/mariadb-team/mariadb-10.3/commit/8da43c2e32b0730a3d813b1a637d72574205a16d - I plan to upstream this very soon once I have MariaDB 10.3 in Debian done.
            otto Otto Kekäläinen added a comment - This was fixed by serg in https://github.com/mariadb/server/commit/9c60535f867678e65ade1258ca10b7d2ee2bdc53 but with only 2048 bit keys.
            otto Otto Kekäläinen added a comment - Related https://github.com/MariaDB/server/pull/1505

            serg Sergei Golubchik added a comment - otto, is this issue fixed by that commit you've referenced above?

            otto Otto Kekäläinen added a comment - Merged https://github.com/MariaDB/server/pull/1505, min RSA key size is now 4096.
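
An added example, not part of the original report or of MariaDB's code: a Python triage script for a startup log like the one in the description. It unpacks the OpenSSL 1.1.x error code, flags that mysqld reached "ready for connections" after TLS setup failed, and maps the 2048 and 4096 bit key sizes mentioned in the comments to the highest OpenSSL security level they satisfy, using the key-size minimums from the linked SSL_CTX_set_security_level page. The function and variable names are assumptions of this example.

```python
import re

# Minimum RSA/DSA/DH key size per OpenSSL security level, from the
# SSL_CTX_set_security_level manual page linked in the description.
MIN_KEY_BITS = {1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}

# OpenSSL 1.1.x error text: error:<hex code>:<library>:<function>:<reason>
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.+)$")

# Log excerpt copied from the description above.
SAMPLE = """\
2018-12-16 15:56:57 0 [Warning] Failed to setup SSL
2018-12-16 15:56:57 0 [Warning] SSL error: Unable to get certificate
2018-12-16 15:56:57 0 [Warning] SSL error: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
2018-12-16 15:56:57 0 [Note] /tmp/build/source/builddir/sql/mysqld: ready for connections.
"""


def highest_level(rsa_bits):
    """Highest security level whose key-size minimum this RSA key meets."""
    return max((lvl for lvl, bits in MIN_KEY_BITS.items() if rsa_bits >= bits),
               default=0)


def triage(log_text):
    """Summarise TLS setup failures in a mysqld startup log."""
    result = {"tls_failed": False, "reason": None, "code": None,
              "started_after_tls_failure": False}
    for line in log_text.splitlines():
        match = ERR_RE.search(line)
        if match:
            packed = int(match.group(1), 16)
            # 1.1.x packs 8 bits of library, 12 of function, 12 of reason.
            result["code"] = (packed >> 24, (packed >> 12) & 0xFFF, packed & 0xFFF)
            result["reason"] = match.group(4).strip()
        if "Failed to setup SSL" in line:
            result["tls_failed"] = True
        # The server keeps starting after the warning, so check for that too.
        if "ready for connections" in line and result["tls_failed"]:
            result["started_after_tls_failure"] = True
    return result


if __name__ == "__main__":
    print(triage(SAMPLE))
    for bits in (1024, 2048, 4096):
        print(bits, "bit RSA key satisfies up to level", highest_level(bits))
```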

            People

              otto Otto Kekäläinen