Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-25701

Two-way TLS does not work with WolfSSL and version1 certificates

Details

    Description

      I generated certificates according to the instructions in the KnowledgeBase:

      https://mariadb.com/kb/en/certificate-creation-with-openssl/

      I created a ca-cert, a server and a client certificate

      and set up the server using:

      [mysqld]
      		 
      bind-address=0.0.0.0
      		 
      ssl
      		 
      ssl-ca=/etc/mysql/ssl/ca-cert.pem
      		 
      ssl-cert=/etc/mysql/ssl/server-cert.pem
      		 
      ssl-key=/etc/mysql/ssl/server-key.pem

      In the following snippets 192.168.23.15 is my linux server, 192.168.23.66 a Windows10 machine. The database user name I use is "secure".

      I can connect from linux clients using the client certificate just fine, e.g.:

      mysql -h 192.168.23.15 -p -u secure --ssl-ca=ssl/ca-cert.pem --ssl-key=ssl/client-key.pem --ssl-cert=ssl/client-cert.pem
      		 
      Enter password: 
      Welcome to the MariaDB monitor.  Commands end with ; or \g.
      		 
      ...

      and I can verify that encryption is indeed used:

      Trying to connect from the Windows machine I can't connect though:

      mysql -u secure -p -h 192.168.23.15 --ssl-ca=\ssl\ca-cert.pem --ssl-key=\ssl\client-key.pem --ssl-cert=\ssl\client-cert.pem
      		 
      Enter password: ******
      		 
      ERROR 2026 (HY000): SSL connection error: no cipher match. Error 0x80090331(SEC_E_ALGORITHM_MISMATCH)

      I CAN connect from windows to linux using encryption when just giving the --ssl option without explicit client certificate:

      ~ > mysql -h 192.168.23.66 -p -u secure --ssl
      		 
      Enter password: 
      Welcome to the MariaDB monitor.  Commands end with ; or \g.
      		 
      Your MariaDB connection id is 7
      		 
      Server version: 10.5.10-MariaDB mariadb.org binary distribution
      		 
       
      		 
      Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
      		 
       
      		 
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
      		 
       
      		 
      (none) 10.5.10-MariaDB
      		 
      > show status like 'ssl_version';
      		 
      +---------------+---------+
      		 
      | Variable_name | Value   |
      		 
      +---------------+---------+
      		 
      | Ssl_version   | TLSv1.2 |
      		 
      +---------------+---------+
      		 
      1 row in set (0.006 sec)
      		 
       
      		 
      (none) 10.5.10-MariaDB
      		 
      > show status like 'ssl_cipher';
      		 
      +---------------+--------------------+
      		 
      | Variable_name | Value              |
      		 
      +---------------+--------------------+
      		 
      | Ssl_cipher    | DHE-RSA-AES256-SHA |
      		 
      +---------------+--------------------+
      		 
      1 row in set (0.016 sec)

      When setting up MariaDB server on the windows size with the same server certificate as on Linux, and trying to connect locally using the client certificate I'm getting:

      C:\Program Files\MariaDB 10.5\data>mysql -h 192.168.23.66 -u secure -p --ssl --ssl-ca=\ssl\ca-cert.pem --ssl-key=\ssl\client-key.pem --ssl-cert=\ssl\client-cert.pem
      		 
      Enter password: ******
      		 
      ERROR 2026 (HY000): SSL connection error: An unknown error occurred while processing the certificate. Error 0x80090327(SEC_E_CERT_UNKNOWN)

      And when trying to connect to that windows server from linux (only server IP changed from .15 to .66 after verifying that things work locally):

      ~ > mysql -h 192.168.23.66 -p -u secure --ssl-ca=/etc/mysql/ssl/ca-cert.pem --ssl-key=/etc/mysql/ssl/client-key.pem --ssl-cert=/etc/mysql/ssl/client-cert.pem --Enter password: 
      ERROR 2026 (HY000): SSL connection error: sslv3 alert bad certificate

      Again, when just using the --ssl option without explicit client certificate the connection is established using TLS v1.2 just fine.

      Also when using MySQL 5.7 on the windows side, which uses OpenSSL instead of WolfSSL, things work just fine both ways with explicit client certificate.

      So there seems to be some problem with WolfSSL and certificate verification, at least when the certificates were created using OpenSSL as described in our knowledge base.

      Attachments

        1. certificates.tar.gz
          20 kB
        2. generate-certs-2.sh
          0.9 kB
        3. linux2windows.pcapng
          9 kB
        4. windows2linux.pcapng
          6 kB
        5. windows2windows.pcapng
          5 kB

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. CONC-538 Can't connect via SSL

          • Major - Major loss of function.
          • Open

          Bug - A problem which impairs or prevents the functions of the product. MDEV-25799 tls_version=TLSv1.3 does not work with WolfSSL based server builds

          • Major - Major loss of function.
          • Closed
          split to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-25798 Windows SChannel clients fail to connect to OpenSSL servers with "No cipher match"

          • Major - Major loss of function.
          • Closed
          mentioned in

          Page Failed to load

          Activity

            People

              dbart Daniel Bartholomew
              hholzgra Hartmut Holzgraefe
              Votes:
              1 Vote for this issue
              Watchers:
              11 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.