MariaDB Server / MDEV-35580

Server using WolfSSL shows different name than OpenSSL for some ciphers

Details

    • Bug
    • Status: Open
    • Minor
    • Resolution: Unresolved
    • 10.6.20, 11.4.4
    • 10.6, 11.4
    • SSL
    • None

    Description

      When connecting to a server linked against OpenSSL, TLS v1.3 specific ciphers have their name start with just TLS_, e.g.: TLS_AES_128_GCM_SHA256 for cipher ID 0x1301.

      When the server is linked against WolfSSL, it shows a TLS13_ prefix and slightly different formatting, e.g. TLS13-AES128-GCM-SHA256.

        Activity

          serg Sergei Golubchik added a comment - - edited

          I think it's a WolfSSL bug. WolfSSL has its own "cipher name" and "IANA cipher name" (matches OpenSSL name). It has a wolfSSL_get_cipher_name() function that returns the WolfSSL name and wolfSSL_get_cipher_name_iana(), which returns the IANA name. And it has an OpenSSL compatibility header, openssl/ssl.h, which defines

          #define SSL_get_cipher                  wolfSSL_get_cipher_name
          

          I think it's wrong; an OpenSSL-compatible function should return OpenSSL-compatible cipher names, that is, SSL_get_cipher should be mapped to wolfSSL_get_cipher (which uses GetCipherNameIana internally).

          serg Sergei Golubchik added a comment -

          Nope, IANA names aren't OpenSSL names. E.g. both OpenSSL and wolfSSL_get_cipher_name() return AES256-SHA, but wolfSSL_get_cipher() — IANA name — is TLS_RSA_WITH_AES_256_CBC_SHA.

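Added example (not part of the issue or of MariaDB/wolfSSL code): a cipher policy check that resolves whatever name the server reports to its suite ID before comparing, so the same suite is treated identically whether the server is linked against OpenSSL or WolfSSL. The names are the ones quoted in this issue; the ID 0x0035 for TLS_RSA_WITH_AES_256_CBC_SHA comes from the IANA registry, and the host names, the allow-list and the unlisted name are constructed for illustration.

```python
# Suite ID -> name under each naming scheme mentioned in this issue.
# 0x1301 and all names are quoted from the issue; 0x0035 is the IANA
# registry value for TLS_RSA_WITH_AES_256_CBC_SHA.
SUITE_NAMES = {
    0x1301: {"iana": "TLS_AES_128_GCM_SHA256",
             "openssl": "TLS_AES_128_GCM_SHA256",
             "wolfssl": "TLS13-AES128-GCM-SHA256"},
    0x0035: {"iana": "TLS_RSA_WITH_AES_256_CBC_SHA",
             "openssl": "AES256-SHA",
             "wolfssl": "AES256-SHA"},
}

# Reverse index: any known spelling -> suite ID.
NAME_TO_ID = {name: sid
              for sid, names in SUITE_NAMES.items()
              for name in names.values()}

ALLOWED_IDS = {0x1301}  # hypothetical policy: only this TLS 1.3 suite


def suite_id(reported):
    """Return the suite ID for a reported cipher name, or None if unknown."""
    return NAME_TO_ID.get(reported.strip())


def audit(rows, allowed_ids=ALLOWED_IDS):
    """rows: iterable of (host, reported cipher name). Returns {host: verdict}."""
    verdicts = {}
    for host, reported in rows:
        sid = suite_id(reported)
        if sid is None:
            verdicts[host] = "unknown-name"  # fail closed, never assume "ok"
        elif sid in allowed_ids:
            verdicts[host] = "ok"
        else:
            verdicts[host] = "denied"
    return verdicts


def naive_audit(rows, allowed_names=("TLS_AES_128_GCM_SHA256",)):
    """Name-based comparison, shown only to contrast with audit()."""
    return {host: "ok" if name in allowed_names else "denied"
            for host, name in rows}


# Constructed sample: (hypothetical host, cipher name as reported by the server).
SAMPLE = [
    ("db-openssl", "TLS_AES_128_GCM_SHA256"),
    ("db-wolfssl", "TLS13-AES128-GCM-SHA256"),
    ("db-legacy", "AES256-SHA"),
    ("db-other", "UNLISTED-NAME"),
]
```

With the sample above, `naive_audit` marks the WolfSSL-linked host as denied although it negotiated the same suite, while `audit` accepts it and reports the unlisted name separately instead of guessing.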

          People

            serg Sergei Golubchik
            hholzgra Hartmut Holzgraefe