Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-29912

Can't establish a TLS connection with OpenSSL 3.0 to a Server with Yassl

    XMLWordPrintable

Details

    • Bug
    • Status: Open (View Workflow)
    • Major
    • Resolution: Unresolved
    • 10.3.36
    • N/A
    • Documentation, SSL
    • None

    Description

      It's not possible to connect to a server running with Yassl, if client was built with OpenSSL 3.0:

      1st attempt:

      /openssl s_client -CAfile /home/georg/work/mariadb/mariadb_server/mysql-test/std_data/cacert.pem  --starttls  mysql 127.0.0.1:16000 
      CONNECTED(00000003)
      		 
      40278628A47F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:879

      2nd attempt: (Allow Unsafe legacy renegotiation)
      openssl.cnf:

      openssl_conf = openssl_init
      		 
      [openssl_init]
      		 
      ssl_conf = ssl_sect
      		 
      [ssl_sect]
      		 
      system_default = system_default_sect
      		 
       
      		 
      [system_default_sect]
      		 
      Options = UnsafeLegacyRenegotiation

      Output of openssl s_client (OpenSSL 3.0):

      ...
      		 
      SSL handshake has read 2154 bytes and written 340 bytes
      		 
      Verification: OK
      		 
      ---
      		 
      New, (NONE), Cipher is (NONE)
      		 
      Server public key is 2048 bit
      		 
      Secure Renegotiation IS NOT supported
      		 
      Compression: NONE
      		 
      Expansion: NONE
      		 
      No ALPN negotiated
      		 
      SSL-Session:
      		 
          Protocol  : TLSv1.1
      		 
          Cipher    : 0000
      		 
          Session-ID: 58848BE787B02D76DD0F049B5E4AA0FB520B70C604815C6D15BD0417C6D56DD6
      		 
          Session-ID-ctx: 
          Master-Key: 
          PSK identity: None
      		 
          PSK identity hint: None
      		 
          SRP username: None
      		 
          Start Time: 1667068981
      		 
          Timeout   : 7200 (sec)
      		 
          Verify return code: 0 (ok)
      		 
          Extended master secret: no

      Output from OpenSSL 1.1.1:

      ....
      		 
      SSL handshake has read 2252 bytes and written 683 bytes
      		 
      Verification: OK
      		 
      ---
      		 
      New, SSLv3, Cipher is DHE-RSA-AES256-SHA
      		 
      Server public key is 2048 bit
      		 
      Secure Renegotiation IS NOT supported
      		 
      Compression: NONE
      		 
      Expansion: NONE
      		 
      No ALPN negotiated
      		 
      SSL-Session:
      		 
          Protocol  : TLSv1.1
      		 
          Cipher    : DHE-RSA-AES256-SHA
      		 
          Session-ID: DAFB047628885111F7B1B7AEEBB2B27932E8F9972A570C1F6684B4D0BCBE157F
      		 
          Session-ID-ctx: 
          Master-Key: 009F0C4382CE0131BCA6939192001E70265DE4CD3D86EB6E884E568DBE7608F8259694581623712078B67E61E5A7C594
      		 
          PSK identity: None
      		 
          PSK identity hint: None
      		 
          SRP username: None
      		 
          Start Time: 1667069147
      		 
          Timeout   : 7200 (sec)
      		 
          Verify return code: 0 (ok)
      		 
          Extended master secret: no

      Attachments

        Activity

          People

            georg Georg Richter
            georg Georg Richter
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.