Details
-
Task
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
None
Description
I generated certificates according to the instructions in the KnowledgeBase:
https://mariadb.com/kb/en/certificate-creation-with-openssl/
I created a ca-cert, a server and a client certificate
and set up the server using:
[mysqld]
|
bind-address=0.0.0.0
|
ssl
|
ssl-ca=/etc/mysql/ssl/ca-cert.pem
|
ssl-cert=/etc/mysql/ssl/server-cert.pem
|
ssl-key=/etc/mysql/ssl/server-key.pem
|
In the following snippets 192.168.23.15 is my linux server, 192.168.23.66 a Windows10 machine. The database user name I use is "secure".
I can connect from linux clients using the client certificate just fine, e.g.:
mysql -h 192.168.23.15 -p -u secure --ssl-ca=ssl/ca-cert.pem --ssl-key=ssl/client-key.pem --ssl-cert=ssl/client-cert.pem
|
Enter password:
|
Welcome to the MariaDB monitor. Commands end with ; or \g.
|
...
|
and I can verify that encryption is indeed used:
Trying to connect from the Windows machine I can't connect though:
mysql -u secure -p -h 192.168.23.15 --ssl-ca=\ssl\ca-cert.pem --ssl-key=\ssl\client-key.pem --ssl-cert=\ssl\client-cert.pem
|
Enter password: ******
|
ERROR 2026 (HY000): SSL connection error: no cipher match. Error 0x80090331(SEC_E_ALGORITHM_MISMATCH)
|
I CAN connect from windows to linux using encryption when just giving the --ssl option without explicit client certificate:
~ > mysql -h 192.168.23.66 -p -u secure --ssl
|
Enter password:
|
Welcome to the MariaDB monitor. Commands end with ; or \g.
|
Your MariaDB connection id is 7
|
Server version: 10.5.10-MariaDB mariadb.org binary distribution
|
|
|
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
|
|
|
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
|
|
|
(none) 10.5.10-MariaDB
|
> show status like 'ssl_version';
|
+---------------+---------+
|
| Variable_name | Value |
|
+---------------+---------+
|
| Ssl_version | TLSv1.2 |
|
+---------------+---------+
|
1 row in set (0.006 sec)
|
|
|
(none) 10.5.10-MariaDB
|
> show status like 'ssl_cipher';
|
+---------------+--------------------+
|
| Variable_name | Value |
|
+---------------+--------------------+
|
| Ssl_cipher | DHE-RSA-AES256-SHA |
|
+---------------+--------------------+
|
1 row in set (0.016 sec)
|
When setting up MariaDB server on the windows size with the same server certificate as on Linux, and trying to connect locally using the client certificate I'm getting:
C:\Program Files\MariaDB 10.5\data>mysql -h 192.168.23.66 -u secure -p --ssl --ssl-ca=\ssl\ca-cert.pem --ssl-key=\ssl\client-key.pem --ssl-cert=\ssl\client-cert.pem
|
Enter password: ******
|
ERROR 2026 (HY000): SSL connection error: An unknown error occurred while processing the certificate. Error 0x80090327(SEC_E_CERT_UNKNOWN)
|
And when trying to connect to that windows server from linux (only server IP changed from .15 to .66 after verifying that things work locally):
~ > mysql -h 192.168.23.66 -p -u secure --ssl-ca=/etc/mysql/ssl/ca-cert.pem --ssl-key=/etc/mysql/ssl/client-key.pem --ssl-cert=/etc/mysql/ssl/client-cert.pem --Enter password:
|
ERROR 2026 (HY000): SSL connection error: sslv3 alert bad certificate
|
Again, when just using the --ssl option without explicit client certificate the connection is established using TLS v1.2 just fine.
Also when using MySQL 5.7 on the windows side, which uses OpenSSL instead of WolfSSL, things work just fine both ways with explicit client certificate.
So there seems to be some problem with WolfSSL and certificate verification, at least when the certificates were created using OpenSSL as described in our knowledge base.
Attachments
Issue Links
- relates to
-
CONC-538 Can't connect via SSL
-
- Open
-
-
-
- Closed
-
- split to
-
-
- Closed
-
- mentioned in
-
Page Failed to load
Activity
So the "no matching cipher" problem is specific to SChannel based clients on Windows, it is reproducible with both v1 and v3 certificates. Splitting that out to a new MDEV soon ...
I now changed the ticket title to refer to the WolfSSL / certificate version problem only.
Hi, I did some research and was able to generate V3 certificates with:
openssl x509 -req -days 365000 -set_serial 1 -CA ca_cert.pem -CAkey ca_key.pem -in "server_req.pem" -out "server_cert.pem" -extfile /etc/ssl/openssl.cnf -extensions usr_cert
It's very similar to the command in the original documentation. Please try if it fixes the issue, it would be great if the documentation could be updated and this issue finally resolved.
When setting up SSL for my database, I found a few more things I think could improve the documentation, for ex.:
- It might be a good idea to start recommending something better than 2048-bit RSA, I ended up using Ed25519 based on recommendations from security experts and performance-wise it's very close
- I found that the documentation step to remove the passphrase from server certificate is redundant, because the previous step already used "-nodes" so there's no passphrase to begin with
- I found it difficult to understand what the commands actually did, it would be great if the documentation could provide guidance on how to fill out the certificate subject, serial numbers, etc.
Let me know if there's interest in opening a new discussion about these things. I ended up writing a blog post that addresses all the issues I found, but I'd be happy to contribute my findings to the official documentation to make setting up SSL easier for others.
hholzgra, can you upload certiicates that demonstrate "no matching cipher" only, and have anything else fixed?