  1. MariaDB Server
  2. MDEV-29912

Can't establish a TLS connection with OpenSSL 3.0 to a Server with Yassl

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 10.3.36
    • Fix Version/s: N/A
    • Component/s: Documentation, SSL
    • Labels:
      None

      Description

      It's not possible to connect to a server running with yaSSL if the client was built with OpenSSL 3.0:

      1st attempt:

      /openssl s_client -CAfile /home/georg/work/mariadb/mariadb_server/mysql-test/std_data/cacert.pem  --starttls  mysql 127.0.0.1:16000 
      CONNECTED(00000003)
      40278628A47F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:879
      

      2nd attempt: (Allow Unsafe legacy renegotiation)
      openssl.cnf:

      openssl_conf = openssl_init
      [openssl_init]
      ssl_conf = ssl_sect
      [ssl_sect]
      system_default = system_default_sect
       
      [system_default_sect]
      Options = UnsafeLegacyRenegotiation
      

      Output of openssl s_client (OpenSSL 3.0):

      ...
      SSL handshake has read 2154 bytes and written 340 bytes
      Verification: OK
      ---
      New, (NONE), Cipher is (NONE)
      Server public key is 2048 bit
      Secure Renegotiation IS NOT supported
      Compression: NONE
      Expansion: NONE
      No ALPN negotiated
      SSL-Session:
          Protocol  : TLSv1.1
          Cipher    : 0000
          Session-ID: 58848BE787B02D76DD0F049B5E4AA0FB520B70C604815C6D15BD0417C6D56DD6
          Session-ID-ctx: 
          Master-Key: 
          PSK identity: None
          PSK identity hint: None
          SRP username: None
          Start Time: 1667068981
          Timeout   : 7200 (sec)
          Verify return code: 0 (ok)
          Extended master secret: no
      

      Output from OpenSSL 1.1.1:

      ....
      SSL handshake has read 2252 bytes and written 683 bytes
      Verification: OK
      ---
      New, SSLv3, Cipher is DHE-RSA-AES256-SHA
      Server public key is 2048 bit
      Secure Renegotiation IS NOT supported
      Compression: NONE
      Expansion: NONE
      No ALPN negotiated
      SSL-Session:
          Protocol  : TLSv1.1
          Cipher    : DHE-RSA-AES256-SHA
          Session-ID: DAFB047628885111F7B1B7AEEBB2B27932E8F9972A570C1F6684B4D0BCBE157F
          Session-ID-ctx: 
          Master-Key: 009F0C4382CE0131BCA6939192001E70265DE4CD3D86EB6E884E568DBE7608F8259694581623712078B67E61E5A7C594
          PSK identity: None
          PSK identity hint: None
          SRP username: None
          Start Time: 1667069147
          Timeout   : 7200 (sec)
          Verify return code: 0 (ok)
          Extended master secret: no
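
In both outputs above, certificate verification reports OK, yet only the OpenSSL 1.1.1 session has a negotiated cipher. The following added example (not part of the original report or of MariaDB's code) parses an `s_client` summary and separates those signals; the sample text is constructed from the summary lines quoted above, and the function names and flag labels are hypothetical.

```python
import re

# Constructed template holding the s_client summary lines quoted in the report.
TEMPLATE = """\
Verification: OK
New, {new}, Cipher is {cipher}
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : {cipher_id}
    Master-Key: {key}
    Verify return code: 0 (ok)
    Extended master secret: no
"""
# OpenSSL 3.0 client: no cipher, empty master key.
SAMPLE_30 = TEMPLATE.format(new="(NONE)", cipher="(NONE)", cipher_id="0000", key="")
# OpenSSL 1.1.1 client: cipher negotiated (master key replaced by a placeholder).
SAMPLE_111 = TEMPLATE.format(new="SSLv3", cipher="DHE-RSA-AES256-SHA",
                             cipher_id="DHE-RSA-AES256-SHA", key="<placeholder>")

def field(text, name):
    """Return the value of a 'Name : value' line, or '' if absent or empty."""
    m = re.search(rf"^\s*{re.escape(name)}\s*:[ \t]*(.*)$", text, re.MULTILINE)
    return m.group(1).strip() if m else ""

def audit(text):
    """Return flags describing what one s_client summary actually established."""
    flags = []
    # A verified certificate does not mean a session exists: check the cipher.
    if field(text, "Cipher") in ("", "0000", "(NONE)"):
        flags.append("handshake-incomplete")
    if field(text, "Protocol") in ("SSLv3", "TLSv1", "TLSv1.1"):
        flags.append("legacy-protocol")
    if "Secure Renegotiation IS NOT supported" in text:
        flags.append("no-secure-renegotiation")    # peer lacks RFC 5746
    if field(text, "Extended master secret") == "no":
        flags.append("no-extended-master-secret")  # peer lacks RFC 7627
    if field(text, "Verify return code").startswith("0 "):
        flags.append("cert-verified")
    return flags

if __name__ == "__main__":
    for label, sample in (("OpenSSL 3.0", SAMPLE_30), ("OpenSSL 1.1.1", SAMPLE_111)):
        print(label, audit(sample))
```
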
      

            People

            Assignee:
            georg Georg Richter
            Reporter:
            georg Georg Richter