[MDEV-18019] Default test certificate key too small, incompatible with OpenSSL 1.1.0 - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 10.6.0
Component/s: Packaging, Platform Debian, Tests
Labels:
None

Description

After uploading MariaDB 10.3 to Debian experimental I noticed all builds were failing. One of the reasons was the inability of the mysqld process to serve any connections due to this:

SSL error: Unable to get certificate from '/tmp/build/source/mysql-test/std_data/server-cert.pem'

2018-12-16 15:56:57 0 [Warning] Failed to setup SSL

2018-12-16 15:56:57 0 [Warning] SSL error: Unable to get certificate

2018-12-16 15:56:57 0 [Warning] SSL error: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small

2018-12-16 15:56:57 0 [Note] Server socket created on IP: '127.0.0.1'.

2018-12-16 15:56:57 0 [Note] Reading of all Master_info entries succeded

2018-12-16 15:56:57 0 [Note] Added new Master_info '' to hash table

2018-12-16 15:56:57 0 [Note] /tmp/build/source/builddir/sql/mysqld: ready for connections.

Version: '10.3.11-MariaDB-1~exp1-log'  socket: '/tmp/build/source/builddir/mysql-test/var/tmp/4/mysqld.1.sock'  port: 16060  Debian unstable

Reports online suggest that the new OpenSSL (available in Debian unstable) does not accept the small keysize in our test certificate. See https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_security_level.html

Attachments

Issue Links

relates to

MDEV-18135 binlog_encryption.encrypted_slave, main.pool_of_threads and connect tests fail in buildbot with SSL error

Open

Activity

Ascending order - Click to sort in descending order

Otto Kekäläinen created issue - 2018-12-16 16:12

Otto Kekäläinen added a comment - 2018-12-16 16:49

I have created a fix for this and it's now patched in Debian. I will upstream that patch soon.

Otto Kekäläinen added a comment - 2018-12-16 16:49 I have created a fix for this and it's now patched in Debian. I will upstream that patch soon.

Otto Kekäläinen made changes - 2018-12-16 16:49

Field	Original Value	New Value
Assignee		Otto Kekäläinen [ otto ]

Otto Kekäläinen added a comment - 2018-12-18 16:03

Fixed downstream in https://salsa.debian.org/mariadb-team/mariadb-10.3/commit/8da43c2e32b0730a3d813b1a637d72574205a16d - I plan to upstream this very soon once I have MariaDB 10.3 in Debian done.

Otto Kekäläinen added a comment - 2018-12-18 16:03 Fixed downstream in https://salsa.debian.org/mariadb-team/mariadb-10.3/commit/8da43c2e32b0730a3d813b1a637d72574205a16d - I plan to upstream this very soon once I have MariaDB 10.3 in Debian done.

Elena Stepanova made changes - 2019-01-04 14:18

Link

This issue relates to MDEV-18135 [ MDEV-18135 ]

Sergei Golubchik made changes - 2019-01-16 13:38

Description

After uploading MariaDB 10.3 to Debian experimental I noticed all builds were failing. One of the reasons was the inability of the mysqld process to serve any connections due to this:

{{
SSL error: Unable to get certificate from '/tmp/build/source/mysql-test/std_data/server-cert.pem'
2018-12-16 15:56:57 0 [Warning] Failed to setup SSL
2018-12-16 15:56:57 0 [Warning] SSL error: Unable to get certificate
2018-12-16 15:56:57 0 [Warning] SSL error: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
2018-12-16 15:56:57 0 [Note] Server socket created on IP: '127.0.0.1'.
2018-12-16 15:56:57 0 [Note] Reading of all Master_info entries succeded
2018-12-16 15:56:57 0 [Note] Added new Master_info '' to hash table
2018-12-16 15:56:57 0 [Note] /tmp/build/source/builddir/sql/mysqld: ready for connections.
Version: '10.3.11-MariaDB-1~exp1-log' socket: '/tmp/build/source/builddir/mysql-test/var/tmp/4/mysqld.1.sock' port: 16060 Debian unstable
}}

Reports online suggest that the new OpenSSL (available in Debian unstable) does not accept the small keysize in our test certificate. See https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_security_level.html

After uploading MariaDB 10.3 to Debian experimental I noticed all builds were failing. One of the reasons was the inability of the mysqld process to serve any connections due to this:

{noformat}
SSL error: Unable to get certificate from '/tmp/build/source/mysql-test/std_data/server-cert.pem'
2018-12-16 15:56:57 0 [Warning] Failed to setup SSL
2018-12-16 15:56:57 0 [Warning] SSL error: Unable to get certificate
2018-12-16 15:56:57 0 [Warning] SSL error: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
2018-12-16 15:56:57 0 [Note] Server socket created on IP: '127.0.0.1'.
2018-12-16 15:56:57 0 [Note] Reading of all Master_info entries succeded
2018-12-16 15:56:57 0 [Note] Added new Master_info '' to hash table
2018-12-16 15:56:57 0 [Note] /tmp/build/source/builddir/sql/mysqld: ready for connections.
Version: '10.3.11-MariaDB-1~exp1-log' socket: '/tmp/build/source/builddir/mysql-test/var/tmp/4/mysqld.1.sock' port: 16060 Debian unstable
{noformat}

Reports online suggest that the new OpenSSL (available in Debian unstable) does not accept the small keysize in our test certificate. See https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_security_level.html

Elena Stepanova made changes - 2019-02-14 14:01

Fix Version/s

10.3 [ 22126 ]

Sergei Golubchik made changes - 2019-03-29 12:04

Fix Version/s

10.4 [ 22408 ]

Otto Kekäläinen added a comment - 2019-03-30 16:23

This was fixed by serg in https://github.com/mariadb/server/commit/9c60535f867678e65ade1258ca10b7d2ee2bdc53 but with only 2048 bit keys.

Otto Kekäläinen added a comment - 2019-03-30 16:23 This was fixed by serg in https://github.com/mariadb/server/commit/9c60535f867678e65ade1258ca10b7d2ee2bdc53 but with only 2048 bit keys.

Otto Kekäläinen added a comment - 2020-04-23 07:24

Related https://github.com/MariaDB/server/pull/1505

Otto Kekäläinen added a comment - 2020-04-23 07:24 Related https://github.com/MariaDB/server/pull/1505

Otto Kekäläinen made changes - 2020-05-28 07:45

Fix Version/s		10.5 [ 23123 ]
Fix Version/s		10.6 [ 24028 ]
Fix Version/s	10.3 [ 22126 ]
Fix Version/s	10.4 [ 22408 ]

Otto Kekäläinen made changes - 2020-05-28 07:45

Status

Open [ 1 ]

In Progress [ 3 ]

Otto Kekäläinen made changes - 2020-06-06 09:18

Fix Version/s

10.5 [ 23123 ]

Sergei Golubchik added a comment - 2020-08-14 12:49

otto, is this issue fixed? by that commit you've referenced above

Sergei Golubchik added a comment - 2020-08-14 12:49 otto , is this issue fixed? by that commit you've referenced above

Otto Kekäläinen added a comment - 2021-04-11 18:26

Merged https://github.com/MariaDB/server/pull/1505, min RSA key size is now 4096.

Otto Kekäläinen added a comment - 2021-04-11 18:26 Merged https://github.com/MariaDB/server/pull/1505 , min RSA key size is now 4096.

Otto Kekäläinen made changes - 2021-04-11 18:26

Fix Version/s		10.6.0 [ 24431 ]
Fix Version/s	10.6 [ 24028 ]
Resolution		Fixed [ 1 ]
Status	In Progress [ 3 ]	Closed [ 6 ]

Sergei Golubchik made changes - 2021-12-06 21:48

Workflow

MariaDB v3 [ 91268 ]

MariaDB v4 [ 155369 ]

People

Assignee:: Otto Kekäläinen

Reporter:: Otto Kekäläinen

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2018-12-16 16:12

Updated:: 2021-04-11 18:26

Resolved:: 2021-04-11 18:26

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration