Details
-
Bug
-
Status: In Review (View Workflow)
-
Major
-
Resolution: Unresolved
-
10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6
-
None
Description
The size of DH (Diffie Hellmann) group parameter in MariaDB Server cannot be changed, since it uses a fixed size of 2048.
Citing OpenSSL Wiki:
"Your Diffie-Hellman group parameters should match the key size used in the server's certificate. If you use a 2048-bit RSA prime in the server's certificate, then use a 2048-bit Diffie-Hellman group for key agreement."
Citing manpage for SSL_CTX_set_tmp_dh
"Applications may supply their own DH parameters instead of using the built-in values.
This approach is discouraged and applications should in preference use the built-in parameter support described above.
....
If "auto" DH parameters are switched on then the parameters will be selected to be consistent with the size of the key associated with the server's certificate.”
So easiest solution would be to use SSL_CTX_set_auto_dh() instead.
Please also note that the current code for DH params doesn't work with OSSL3 anymore.
Attachments
Issue Links
- is part of
-
MDEV-25785 Add support for OpenSSL 3.0
-
- Closed
-
Activity
georg, Please fix the test on Windows, before it can be reviewed.
https://ci.appveyor.com/project/rasmushoj/server/builds/39807765
CURRENT_TEST: main.MDEV-26015
|
mysqltest: At line 10: exec of 'C:\projects\server\win_build\client\RelWithDebInfo\mysql.exe --defaults-file=C:/projects/server/win_build/mysql-test/var/4/my.cnf -uroot --ssl-cipher=DHE-RSA-AES128-SHA256 --tls_version=TLSv1.2 -e"show status like 'ssl_cipher'" 2>&1' failed, error: 1, status: 1, errno: 2
|
Output from before failure:
|
ERROR 2026 (HY000): SSL connection error: no cipher match. Error 0x80090331(SEC_E_ALGORITHM_MISMATCH)
|
reopened. couldn't find the commit pushed anywhere, perhaps it was closed by mistake?
for the reference: https://github.com/MariaDB/server/commit/9df098cf885ae16fa092aefc724b49b9a1f85f04
Pull request: https://github.com/MariaDB/server/pull/1868