[MDEV-22221] Official binary compiled with WolfSSL doesn't support TLS 1.3 and AES-GCM cipher - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.4.12
Fix Version/s: 10.4.21, 10.5.12, 10.6.4
Component/s: SSL
Labels:
None
Environment:
Tested on:
Windows 10 1809 17763.1131 Official 10.4.12 MSI installer
Fedora 31 in Docker on Debian 10 Linux 4.19.0 Official 10.4.12 Binary tarball
(wolfSSL Version 4.3.0)

Description

Config 1:

ssl_cert=/etc/mysql/ssl/db.crt

ssl_key=/etc/mysql/ssl/db.key

tls_version=TLSv1.3

OpenSSL 1.1.1 s_client test:

openssl s_client -connect 127.0.0.1:3306 -status -tlsextdebug -starttls mysql < /dev/null 2>&1

CONNECTED(00000003)

140674569278592:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:

mysql client test:

/usr/local/mysql/bin/mysql -h 127.0.0.1 -u root --ssl-ca=/etc/ssl/certs/ca-bundle.crt

ERROR 2026 (HY000): SSL connection error: A packet with illegal or unsupported version was received.

(Always fail if only TLS 1.3 is enabled)

Config 2

ssl_cert=/etc/mysql/ssl/db.crt

ssl_key=/etc/mysql/ssl/db.key

tls_version=TLSv1.2

ssl_cipher=ECDHE-RSA-AES256-GCM-SHA384

mysqld error log

2020-04-11 15:03:03 0 [Warning] Failed to setup SSL

2020-04-11 15:03:03 0 [Warning] SSL error: Failed to set ciphers to use

While all these configs work perfectly for Official DEB package compiled with OpenSSL 1.1.1

Attachments

Issue Links

is duplicated by

MDEV-25799 tls_version=TLSv1.3 does not work with WolfSSL based server builds

Closed

links to

github pr 1501 - WIP

Activity

Ascending order - Click to sort in descending order

View 5 older comments

Daniel Black added a comment - 2020-05-02 01:46

On the non-windows server side, the openssl build has TLSv1.3 now. So should we aim to deliver that with wolfssl while disabling the TLSv1.3 on Windows?

Wolfssl TLSv1.3 8k client certificate support just got fixed upstream (https://github.com/wolfSSL/wolfssl/pull/2933).

So options:

Wait for next major release 4.5.0 in a couple of months (currently wolfssl submodule is on 4.3.0 and very upstream recently released 4.4.0)
Update submodule to the commit 390f066 (13 commits after 4.4.0 release https://github.com/wolfSSL/wolfssl/compare/v4.4.0-stable...390f066)

I looked for a hook that could detect a 8k client certificate however CallbackRsaVerify was called too late.

Which mariadb release branch should be targeted for these changes?

Daniel Black added a comment - 2020-05-02 01:46 On the non-windows server side, the openssl build has TLSv1.3 now. So should we aim to deliver that with wolfssl while disabling the TLSv1.3 on Windows? Wolfssl TLSv1.3 8k client certificate support just got fixed upstream ( https://github.com/wolfSSL/wolfssl/pull/2933 ). So options: Wait for next major release 4.5.0 in a couple of months (currently wolfssl submodule is on 4.3.0 and very upstream recently released 4.4.0) Update submodule to the commit 390f066 (13 commits after 4.4.0 release https://github.com/wolfSSL/wolfssl/compare/v4.4.0-stable...390f066 ) I looked for a hook that could detect a 8k client certificate however CallbackRsaVerify was called too late. Which mariadb release branch should be targeted for these changes?

Vladislav Vaintroub added a comment - 2020-05-02 09:46

Do all openssl builds support TLSv1.3?

Usually, we take major releases. If there is something truly important, I guess an exception is possible.

The submodule changes go into lowest applicable version, which would be 10.4

Vladislav Vaintroub added a comment - 2020-05-02 09:46 Do all openssl builds support TLSv1.3? Usually, we take major releases. If there is something truly important, I guess an exception is possible. The submodule changes go into lowest applicable version, which would be 10.4

Daniel Black added a comment - 2020-05-03 02:39

note: openssl-1.1.1 introduced tlsv1.3 - https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/ (and https://github.com/openssl/openssl/blob/master/CHANGES.md#changes-between-110i-and-111-11-sep-2018).

Daniel Black added a comment - 2020-05-03 02:39 note: openssl-1.1.1 introduced tlsv1.3 - https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/ (and https://github.com/openssl/openssl/blob/master/CHANGES.md#changes-between-110i-and-111-11-sep-2018 ).

Otto Kekäläinen added a comment - 2020-10-27 08:24

Side note: Downstream in Debian the release team finally gave us premission to use OpenSSL and thus WolfSSL (ssl=bundled) was now dropped for MariaDB 10.5 in Debian and OpenSSL introduced, and along with it support for TLSv1.3. Ref: https://salsa.debian.org/mariadb-team/mariadb-10.5/-/commit/ca2574aa88434d1c49456c677b7dcb904902daaf

Otto Kekäläinen added a comment - 2020-10-27 08:24 Side note: Downstream in Debian the release team finally gave us premission to use OpenSSL and thus WolfSSL (ssl=bundled) was now dropped for MariaDB 10.5 in Debian and OpenSSL introduced, and along with it support for TLSv1.3. Ref: https://salsa.debian.org/mariadb-team/mariadb-10.5/-/commit/ca2574aa88434d1c49456c677b7dcb904902daaf

Vladislav Vaintroub added a comment - 2021-06-09 15:24

I allowed AES-GCM on WolfSSL now, but TLS1.3 will have to wait longer.
this is because the last version we currently use (4.6.0) has high severity vulnerability in TLSv1.3 support (CVE-2021-3336) , and 4.7 was not compilable , when we tried to use it.

Vladislav Vaintroub added a comment - 2021-06-09 15:24 I allowed AES-GCM on WolfSSL now, but TLS1.3 will have to wait longer. this is because the last version we currently use (4.6.0) has high severity vulnerability in TLSv1.3 support (CVE-2021-3336) , and 4.7 was not compilable , when we tried to use it.

People

Assignee:: Vladislav Vaintroub

Reporter:: Bohan Yang

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 2020-04-11 15:05

Updated:: 2021-07-21 20:57

Resolved:: 2021-07-21 20:55

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server