  1. MariaDB Server
  2. MDEV-19475

Add support for OpenSSL configuration files

Details

    • Task
    • Status: Closed
    • Major
    • Resolution: Won't Fix
    • N/A
    • SSL
    • None

    Description

      OpenSSL allows applications to load OpenSSL configuration files:

      https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_config.html

      https://www.openssl.org/docs/man1.1.1/man3/CONF_modules_load_file.html

      https://www.openssl.org/docs/man1.1.1/man5/config.html

      https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-using_openssl#sec-Configuring_OpenSSL

      There could be some benefits to changing MariaDB server, so that it supports the ability to load an OpenSSL configuration file.

      For example, since MDEV-14101 is not implemented, the server can't currently be restricted to a specific TLS protocol version. An OpenSSL configuration file would allow users a way to work around that.

      It also allows users the ability to configure algorithms used by OpenSSL.

          Activity

            serg Sergei Golubchik added a comment - This is strange. What OpenSSL version did you use? Because when I set OPENSSL_CONF, I clearly see that it has an effect. And both server and client do read it, as strace shows. At least on OpenSSL 1.1.1.

            GeoffMontee Geoff Montee (Inactive) added a comment - I think I performed my previous test on RHEL 7, so it would have been using OpenSSL 1.0.2.

            serg Sergei Golubchik added a comment - I didn't try that myself, but buildbot did, with 1.0.1k, for example, on Debian jessie: https://buildbot.askmonty.org/buildbot/builders/kvm-deb-jessie-amd64/builds/8984 — this build failed tests, because I made mtr set OPENSSL_CONF to a file that OpenSSL 1.0.1k could not parse (I was trying to fix an Ubuntu focal problem, so in the next push I amended the commit to only use that file on OpenSSL 1.1.1+).

            GeoffMontee Geoff Montee (Inactive) added a comment - Hi serg, Maybe I wasn't able to reproduce it previously due to user error. I don't remember how I performed the test, and I can't really try to repeat the test at the moment. Please feel free to close this task if you have already confirmed that OpenSSL configuration files are supported. Thanks!
            serg Sergei Golubchik added a comment - I think https://github.com/MariaDB/server/commit/15502e5e3334 confirms it, so closing.
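
            An added example, not part of the ticket or of MariaDB's code: shell functions for the workaround the description proposes, on the OpenSSL 1.1.1 setup the thread confirms reads OPENSSL_CONF. The section names, file path and host are constructed, and it assumes the server is linked against OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example. File paths, section names and host/port values are constructed.

# write_tls_floor_conf FILE MIN_PROTOCOL
# Write a minimal OpenSSL 1.1.1-style config whose system_default section
# sets the lowest protocol version libssl will negotiate.
write_tls_floor_conf() {
    case "$2" in
        TLSv1|TLSv1.1|TLSv1.2|TLSv1.3) ;;
        *) echo "unsupported MinProtocol: $2" >&2; return 1 ;;
    esac
    cat > "$1" <<EOF
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_module

[ssl_module]
system_default = tls_defaults

[tls_defaults]
MinProtocol = $2
CipherString = DEFAULT:@SECLEVEL=2
EOF
}

# tls_floor_of FILE
# Print the MinProtocol value from the [tls_defaults] section, for auditing
# a config file before it is handed to the server.
tls_floor_of() {
    awk -F' *= *' '
        /^\[/ { in_sect = ($0 == "[tls_defaults]") }
        in_sect && $1 == "MinProtocol" { print $2 }
    ' "$1"
}

# handshake_ok HOST PORT FLAG
# Return 0 if a TLS handshake using the given s_client protocol flag
# (-tls1, -tls1_1, -tls1_2, -tls1_3) succeeds against a MySQL-protocol port.
handshake_ok() {
    openssl s_client -connect "$1:$2" -starttls mysql "$3" \
        </dev/null >/dev/null 2>&1
}

# Typical use (not run here):
#   write_tls_floor_conf /etc/mysql/openssl-tls12.cnf TLSv1.2
#   export OPENSSL_CONF=/etc/mysql/openssl-tls12.cnf   # in the server's environment
#   handshake_ok db.example.test 3306 -tls1_1 && echo "TLS 1.1 still accepted"
```

            Run the probe from a shell where OPENSSL_CONF does not point at the restrictive file, since a failed handshake can also come from the probing client's own OpenSSL configuration rather than from the server.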

            People

              serg Sergei Golubchik
              GeoffMontee Geoff Montee (Inactive)