[MDEV-29811] server advertises ssl even if it's unusable - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL)
Fix Version/s: 10.3.37, 10.4.27, 10.5.18, 10.6.11, 10.7.7, 10.8.6, 10.9.4, 10.10.2, 10.11.1
Component/s: Server, SSL
Labels:
None

Description

if the server is started with --ssl but without properly configured certificates, it will advertise the ssl support in the handshake, but will not actually be able to use it. so a client with --ssl will fail to connect with the ssl error (e.g. "sslv3 alert handshake failure" in OpenSSL).

I think the server should not start if it was requested to use ssl, but it cannot actually do it.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

docker-compose.yml
0.6 kB
2023-01-19 17:28
config-file.cnf
1 kB
2023-01-19 17:27

Issue Links

causes

MDEV-30270 ssl_cipher on Non-SSL system results in confusing SSL error

Open

MDEV-30818 invalid ssl prevents bootstrap

Closed

Activity

Ascending order - Click to sort in descending order

Sergei Golubchik created issue - 2022-10-17 12:53

Sergei Golubchik made changes - 2022-10-17 12:53

Field	Original Value	New Value
Description	if the server is started with {{--ssl}} but without properly configured certificates, it will advertise the ssl support in the handshake, but will not actually be able to use it. so a client with {{--ssl}} will fail to connect with the ssl error (e.g. "sslv3 alert handshake failure" in OpenSSL). I think the server should not start it it was requested to use ssl, but it cannot actually do it.	if the server is started with {{\-\-ssl}} but without properly configured certificates, it will advertise the ssl support in the handshake, but will not actually be able to use it. so a client with {{--ssl}} will fail to connect with the ssl error (e.g. "sslv3 alert handshake failure" in OpenSSL). I think the server should not start it it was requested to use ssl, but it cannot actually do it.

Sergei Golubchik made changes - 2022-10-17 12:54

Assignee

Oleksandr Byelkin [ sanja ]

Sergei Golubchik made changes - 2022-10-17 12:58

Affects Version/s		10.3 [ 22126 ]
Affects Version/s		10.4 [ 22408 ]
Affects Version/s		10.5 [ 23123 ]
Affects Version/s		10.6 [ 24028 ]
Affects Version/s		10.7 [ 24805 ]
Affects Version/s		10.8 [ 26121 ]
Affects Version/s		10.9 [ 26905 ]
Affects Version/s		10.10 [ 27530 ]

Sergei Golubchik made changes - 2022-10-17 12:58

Fix Version/s		10.2 [ 14601 ]
Fix Version/s		10.3 [ 22126 ]
Fix Version/s		10.4 [ 22408 ]
Fix Version/s		10.6 [ 24028 ]
Fix Version/s		10.7 [ 24805 ]
Fix Version/s		10.8 [ 26121 ]
Fix Version/s		10.9 [ 26905 ]
Fix Version/s		10.10 [ 27530 ]

Vladislav Vaintroub made changes - 2022-10-21 09:38

Assignee

Oleksandr Byelkin [ sanja ]

Vladislav Vaintroub [ wlad ]

Sergei Golubchik made changes - 2022-10-21 19:51

Description

if the server is started with {{\-\-ssl}} but without properly configured certificates, it will advertise the ssl support in the handshake, but will not actually be able to use it. so a client with {{--ssl}} will fail to connect with the ssl error (e.g. "sslv3 alert handshake failure" in OpenSSL).

I think the server should not start it it was requested to use ssl, but it cannot actually do it.

if the server is started with {{\-\-ssl}} but without properly configured certificates, it will advertise the ssl support in the handshake, but will not actually be able to use it. so a client with {{--ssl}} will fail to connect with the ssl error (e.g. "sslv3 alert handshake failure" in OpenSSL).

I think the server should not start if it was requested to use ssl, but it cannot actually do it.

Vladislav Vaintroub made changes - 2022-10-24 09:23

Status

Open [ 1 ]

Confirmed [ 10101 ]

Vladislav Vaintroub made changes - 2022-10-24 09:24

Assignee	Vladislav Vaintroub [ wlad ]	Oleksandr Byelkin [ sanja ]
Status	Confirmed [ 10101 ]	In Review [ 10002 ]

Oleksandr Byelkin made changes - 2022-10-25 07:17

Assignee

Oleksandr Byelkin [ sanja ]

Vladislav Vaintroub [ wlad ]

Vladislav Vaintroub made changes - 2022-10-25 10:38

Assignee

Vladislav Vaintroub [ wlad ]

Oleksandr Byelkin [ sanja ]

Oleksandr Byelkin made changes - 2022-10-25 11:14

Assignee	Oleksandr Byelkin [ sanja ]	Vladislav Vaintroub [ wlad ]
Status	In Review [ 10002 ]	Stalled [ 10000 ]

Vladislav Vaintroub made changes - 2022-10-25 11:40

Component/s		Server [ 13907 ]
Fix Version/s		10.3.37 [ 28404 ]
Fix Version/s		10.4.27 [ 28405 ]
Fix Version/s		10.5.18 [ 28421 ]
Fix Version/s		10.6.11 [ 28441 ]
Fix Version/s		10.7.7 [ 28442 ]
Fix Version/s		10.8.6 [ 28443 ]
Fix Version/s		10.9.4 [ 28444 ]
Fix Version/s		10.10.2 [ 28410 ]
Fix Version/s		10.11.1 [ 28454 ]
Fix Version/s	10.2 [ 14601 ]
Fix Version/s	10.3 [ 22126 ]
Fix Version/s	10.4 [ 22408 ]
Fix Version/s	10.6 [ 24028 ]
Fix Version/s	10.7 [ 24805 ]
Fix Version/s	10.8 [ 26121 ]
Fix Version/s	10.9 [ 26905 ]
Fix Version/s	10.10 [ 27530 ]
Resolution		Fixed [ 1 ]
Status	Stalled [ 10000 ]	Closed [ 6 ]

Alvar Penning made changes - 2022-12-21 12:54

Link

This issue causes MDEV-30270 [ MDEV-30270 ]

Ulf Hofemeier made changes - 2023-01-19 17:27

Attachment

config-file.cnf [ 67866 ]

Ulf Hofemeier made changes - 2023-01-19 17:28

Attachment

docker-compose.yml [ 67867 ]

Sergei Golubchik made changes - 2023-03-09 10:21

Link

This issue causes ~~MDEV-30818~~ [ ~~MDEV-30818~~ ]

People

Assignee:: Vladislav Vaintroub

Reporter:: Sergei Golubchik

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2022-10-17 12:53

Updated:: 2025-03-13 11:40

Resolved:: 2022-10-25 11:40

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Git Integration