Details

    • Bug
    • Status: In Review (View Workflow)
    • Major
    • Resolution: Unresolved
    • 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6
    • 10.5, 10.6, 10.11
    • SSL
    • None

    Description

      The size of DH (Diffie Hellmann) group parameter in MariaDB Server cannot be changed, since it uses a fixed size of 2048.

      Citing OpenSSL Wiki:
      "Your Diffie-Hellman group parameters should match the key size used in the server's certificate. If you use a 2048-bit RSA prime in the server's certificate, then use a 2048-bit Diffie-Hellman group for key agreement."

      Citing manpage for SSL_CTX_set_tmp_dh

      "Applications may supply their own DH parameters instead of using the built-in values.
      This approach is discouraged and applications should in preference use the built-in parameter support described above.
      ....
      If "auto" DH parameters are switched on then the parameters will be selected to be consistent with the size of the key associated with the server's certificate.”

      So easiest solution would be to use SSL_CTX_set_auto_dh() instead.

      Please also note that the current code for DH params doesn't work with OSSL3 anymore.

      Attachments

        Issue Links

          Activity

            georg Georg Richter added a comment - Pull request: https://github.com/MariaDB/server/pull/1868

            why is it 10.6 only? what's the risk?

            serg Sergei Golubchik added a comment - why is it 10.6 only? what's the risk?
            georg Georg Richter added a comment -

            You're right - could go into oldest supported version and merged.

            georg Georg Richter added a comment - You're right - could go into oldest supported version and merged.

            georg, Please fix the test on Windows, before it can be reviewed.
            https://ci.appveyor.com/project/rasmushoj/server/builds/39807765

            CURRENT_TEST: main.MDEV-26015
            mysqltest: At line 10: exec of 'C:\projects\server\win_build\client\RelWithDebInfo\mysql.exe --defaults-file=C:/projects/server/win_build/mysql-test/var/4/my.cnf -uroot --ssl-cipher=DHE-RSA-AES128-SHA256 --tls_version=TLSv1.2 -e"show status like 'ssl_cipher'" 2>&1' failed, error: 1, status: 1, errno: 2
            Output from before failure:
            ERROR 2026 (HY000): SSL connection error: no cipher match. Error 0x80090331(SEC_E_ALGORITHM_MISMATCH)
            

            wlad Vladislav Vaintroub added a comment - georg , Please fix the test on Windows, before it can be reviewed. https://ci.appveyor.com/project/rasmushoj/server/builds/39807765 CURRENT_TEST: main.MDEV-26015 mysqltest: At line 10: exec of 'C:\projects\server\win_build\client\RelWithDebInfo\mysql.exe --defaults-file=C:/projects/server/win_build/mysql-test/var/4/my.cnf -uroot --ssl-cipher=DHE-RSA-AES128-SHA256 --tls_version=TLSv1.2 -e"show status like 'ssl_cipher'" 2>&1' failed, error: 1, status: 1, errno: 2 Output from before failure: ERROR 2026 (HY000): SSL connection error: no cipher match. Error 0x80090331(SEC_E_ALGORITHM_MISMATCH)
            georg Georg Richter added a comment -

            Not possible to get it work with WolfSSL or Yassl.

            georg Georg Richter added a comment - Not possible to get it work with WolfSSL or Yassl.

            reopened. couldn't find the commit pushed anywhere, perhaps it was closed by mistake?

            serg Sergei Golubchik added a comment - reopened. couldn't find the commit pushed anywhere, perhaps it was closed by mistake?
            serg Sergei Golubchik added a comment - for the reference: https://github.com/MariaDB/server/commit/9df098cf885ae16fa092aefc724b49b9a1f85f04

            People

              serg Sergei Golubchik
              georg Georg Richter
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.