MariaDB Server
MDEV-19823

MariaDB 10.4.6 breaks SSL/TLS connections from Sequel Pro (macOS MySQL client)

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.4.6
    • Fix Version/s: N/A
    • Component/s: Documentation, SSL

    Description

      We're running Ubuntu 18.04 LTS with MariaDB 10.3.16 configured with SSL/TLS support and `REQUIRE SSL` on all accounts. We have a lot of Mac clients accessing our MariaDB servers and most of them are using nightly builds of Sequel Pro, arguably the most popular MySQL client in the macOS world. (Nightly builds because the Sequel Pro project is struggling with release management and maintenance.)

      Today I attempted to upgrade one of our MariaDB servers to MariaDB 10.4.6 only to find out that Sequel Pro no longer was able to connect with SSL/TLS (only establishing an SSL/TLS session and verifying the remote peer certificate; the server is not using client cert authentication).

      Unfortunately I no longer have the exact error message at hand that Sequel Pro reported but it said something about the connection failed and that the SSL error number was unknown (or zero).

      Typically this means that the SSL/TLS handshake failed, and most often this is related to cipher suite selection and/or key-exchanges.

      Here's the relevant SSL/TLS configuration on our MariaDB server:

      [mysqld]
      ssl = On
      ssl-ca = /etc/mysql/xxx-mysql-ca.pem
      ssl-cert = /etc/mysql/replica-XYZ.example.com.crt
      ssl-key = /etc/mysql/replica-XYZ.example.com.key

      We use TLS extensively in our network to ensure privacy (encryption in transit), authentication and integrity, so the SSL/TLS issues in MySQL clients are a blocker for us.

      I noticed there was a mention of the SSL/TLS library in the most recent release notes:

      I also note that you link to a page on your SSL/TLS support (kudos!) here:

      It seems that you've switched to wolfSSL from yaSSL (good riddance!) in MariaDB 10.4.6. While I haven't tried earlier versions of the 10.4 series, perhaps the change to wolfSSL might be related to the issues with Sequel Pro. (That doesn't mean I'd like you to switch back to yaSSL, because most likely the problem is related to the selection of cipher suites and/or key exchange.)

      FWIW, over the years we've run into many SSL/TLS related issues with both MySQL servers and MySQL clients. MySQL's use of yaSSL has been a problem (it's underdeveloped and doesn't support modern TLS very well). On the Windows side, SChannel has a bug with respect to DH (Diffie-Hellman) key exchanges and some cipher suites (I think this is mentioned in Georg's comment in MDEV-13492). Default installations of HeidiSQL often experience SSL/TLS handshake failures until you replace the shipped libmysql.dll with a specific version and drop the bundled libmariadb.dll file (see e.g. https://www.heidisql.com/forum.php?t=19494 and https://github.com/HeidiSQL/HeidiSQL/issues/519).

      It would be great if the SSL/TLS issues with popular MySQL clients (Sequel Pro on macOS and HeidiSQL on Windows) could be worked out so that it's possible to connect to MariaDB 10.4. (Note that I didn't test HeidiSQL with MariaDB 10.4.)

      Perhaps any workarounds found for this issue can be posted here?
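An added diagnostic helper (not from this report or from the MariaDB project) for the handshake failure described above: it drives openssl s_client through the MySQL protocol's TLS upgrade once per TLS version and reports the negotiated protocol and cipher, so a server administrator can see which versions and suites the server actually offers before looking at the client. It assumes openssl 1.1.1 or newer on the machine running it and a reachable host and port; the function names are chosen here.

```shell
# Added diagnostic helper; not part of the MDEV-19823 report or of MariaDB.
# Assumes openssl(1) >= 1.1.1, which understands "-starttls mysql".

# Reduce s_client output to "<protocol> <cipher>" or "HANDSHAKE-FAILED".
# s_client prints "Cipher : 0000" when no cipher suite was agreed.
summarize_handshake() {
    proto=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    if [ -z "$proto" ] || [ -z "$cipher" ] || [ "$cipher" = "0000" ]; then
        echo "HANDSHAKE-FAILED"
    else
        echo "$proto $cipher"
    fi
}

# Attempt one TLS version ($3, e.g. -tls1_2) against host $1, port $2,
# using the MySQL protocol's in-band TLS upgrade instead of raw TLS.
probe_tls_version() {
    out=$(openssl s_client -connect "$1:$2" -starttls mysql "$3" \
          </dev/null 2>/dev/null) || true
    summarize_handshake "$out"
}

# Walk every TLS version so a server-side cipher or key-exchange
# restriction shows up as a version that never negotiates.
probe_all() {
    for v in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$v" "$(probe_tls_version "$1" "$2" "$v")"
    done
}
```

Run it as `probe_all replica-XYZ.example.com 3306` (hostname from the configuration above); a client that only fails on the versions listed as HANDSHAKE-FAILED is reacting to the server's suite selection rather than to a certificate problem.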

      People

        Assignee: greenman Ian Gilfillan
        Reporter: ZPtbrdqkIEdBg Throw Away