Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-26399

Client may use different SSL/TLS cipher than the one requested with --ssl-cipher when using TLSv1.3

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Won't Fix
    • 10.5.12
    • N/A
    • SSL
    • None
    • Ubuntu 20.04, OpenSSL

    Description

      The documentation suggests that when requesting a specific cipher to be used with

      mysql ... --ssl-cipher=...
      

      the connection will either use one of the explicitly listed ciphers, or fail.

      When the client tries to connect using TLSv1.3 it always adds the following three ciphers to the cipher list in its TLS "Client Hello" packet though:

      • TLS_AES_256_GCM_SHA384
      • TLS_CHACHA20_POLY1305_SHA256
      • TLS_AES_128_GCM_SHA256

      and the server picks TLS_AES_256_GCM_SHA384 as the next best option if the originally requested cipher is not supported by it.

      So client and server use a totally different cipher than the one explicitly requested without failing, or otherwise complaining about this at all.

      As far as I remember this auto-adding of the three extra ciphers may actually be documented, or even required, TLSv1.3 behavior, but I can't find right now where I have read about this.

      If this is the case we may only need to change the documentation to say that in case of TLSv1.3 a different cipher may be chosen instead of failing when the requested cipher is not available.

      Otherwise, as the actual addition of extra ciphers seems to be done by OpenSSL, not our client code, the client should explicitly check whether the cipher being used matches the one, or one of those, requested with --ssl-cipher, and terminate the connection with an error message if this is not the case even when an encrypted connection could be established.

      Attachments

        Activity

          People

            serg Sergei Golubchik
            hholzgra Hartmut Holzgraefe
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.