  1. MariaDB Server
  2. MDEV-23772

Automate SSL connection tests for MariaDB

Details

    Description

      There are various bugs open about TLS connection issues in Debian and Ubuntu:

      https://bugs.launchpad.net/ubuntu/+source/mariadb-10.3/+bug/1885632

      • MariaDB 10.3 as provided by Ubuntu.org is compiled against YaSSL version 2.4.4, which supports a maximum TLS version of 1.1. The Ubuntu 20.04 release has a minimum TLS 1.2 requirement, rendering all MariaDB TLS connections unusable.

      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921151

      • appears that the Debian client is only attempting to negotiate a connection with TLSv1.1, which is blacklisted

      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927289

      • Apparently YaSSL (now WolfSSL) did not support any other certificate format than PEM, and the error message is uninformative

      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956401

      • Option --ssl-verify-server-cert did not work. Possibly because of MDEV-12190: YaSSL's highest supported version is TLSv1.1 (=3.2) - if the client requests a higher version, it needs to be downgraded in Server Hello packet to TLSv1.1 instead of interrupting the handshake and closing the connection.

      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956810

      • libmariadb3 compiled libdbd-mysql failed to connect to MySQL server that required TLS

      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875457

      • clients could not connect using ssl (the error message was: ERROR 2026 (HY000): SSL connection error: protocol version mismatch)

      The biggest problem right now is that we don't know the status of these issues.

      We should extend the debian/salsa-ci.yml to do a simple TLS scenario and test the connection so we know if it even works in the most basic case.
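
One possible shape for the "simple TLS scenario" check proposed above, as an added example (it is not the code from the Salsa-CI commit or from the MariaDB project). The function names, the TLSv1.2 floor (taken from the Ubuntu 20.04 note above) and the CA path placeholder are assumptions, and the client is assumed to read its credentials from an option file.

```shell
#!/bin/sh
# Added example: classify the outcome of a MariaDB client TLS smoke test.
# Assumption: TLSv1.2 is the minimum acceptable protocol version.

# classify_tls_result OUTPUT
# OUTPUT is the combined stdout/stderr of the client running
#   SHOW SESSION STATUS LIKE 'Ssl_version'
# in batch mode without column names, e.g. "Ssl_version<TAB>TLSv1.3".
# Prints a verdict and returns 0 only for TLSv1.2 or newer.
classify_tls_result() {
    out=$1
    case $out in
        *"ERROR 2026"*) echo "handshake-failed"; return 1 ;;
        *ERROR*)        echo "client-error";     return 1 ;;
    esac
    # Second tab-separated field of the Ssl_version row.
    # An empty value means the session is not using TLS at all.
    ver=$(printf '%s\n' "$out" | awk -F'\t' '$1 == "Ssl_version" { print $2 }')
    case $ver in
        "")              echo "plaintext";    return 1 ;;
        TLSv1.2|TLSv1.3) echo "ok:$ver";      return 0 ;;
        *)               echo "too-old:$ver"; return 1 ;;
    esac
}

# tls_smoke_test HOST CA_FILE
# Connects with server certificate verification and classifies the result.
# Assumes a running server and the `mariadb` client binary in PATH.
tls_smoke_test() {
    out=$(mariadb --host="$1" --ssl-ca="$2" --ssl-verify-server-cert \
            --batch --skip-column-names \
            -e "SHOW SESSION STATUS LIKE 'Ssl_version'" 2>&1)
    classify_tls_result "$out"
}

# A CI job would call, with a placeholder CA path:
#   tls_smoke_test db.example.test /path/to/ca.pem
```

The non-zero return on an empty `Ssl_version` matters because a session that connects without encryption would otherwise look like a passing test.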

          Activity

            faust Faustin Lammler added a comment - Very nice! Let me know when you have it in salsa ci, I am curious to see where you are going to insert it in the CI chain. Regarding wolfssl, there may be interesting progress in https://github.com/wolfSSL/wolfssl/issues/3329
            otto Otto Kekäläinen added a comment - WIP at https://salsa.debian.org/mariadb-team/mariadb-10.5/-/compare/master...salsa-ci%2Ftls-1.3-testing
            otto Otto Kekäläinen added a comment - Implemented downstream on mariadb-10.5 master https://salsa.debian.org/mariadb-team/mariadb-10.5/-/commit/23376b43714be4dbb53782b3ef1fa7b7eff24daf

            faust Faustin Lammler added a comment - Great!
            otto Otto Kekäläinen added a comment - All of the mentioned issues are fixed in Debian in the 10.5 series thanks to using OpenSSL: https://salsa.debian.org/mariadb-team/mariadb-10.5/-/commit/ca2574aa88434d1c49456c677b7dcb904902daaf
            And tested in Salsa-CI since: https://salsa.debian.org/mariadb-team/mariadb-10.5/-/commit/23376b43714be4dbb53782b3ef1fa7b7eff24daf
            And upstreamed in: https://github.com/MariaDB/server/commit/ecb1b8721ba645ccb839fc1b7605483b794be4e1

            People

              otto Otto Kekäläinen