Details

    Description

      Support for TLS protocols may well be there, but it is not documented; if present, it has no options to control it.

      Currently MariaDB claims to support SSLv3. We would like to move away from SSLv3 due to the POODLE vulnerability.

      In testing, MariaDB client/server currently cannot connect using any of the TLS protocols. Testing was performed on MariaDB 5.5.32-1 on CentOS 6.x x86_64, compiled against OpenSSL.

      We used the technique of trying ciphers that are not supported in SSLv2 or SSLv3, which leaves the TLS 1.x ciphers - http://www.percona.com/blog/2014/10/15/how-to-close-poodle-sslv3-security-flaw-cve-2014-3566/ . All connections failed with "ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)".

      Ideally, MariaDB should have...

      • a configuration value to disable SSLv2/v3
      • a clear statement of which TLS protocol variants are known to work (perhaps qualified by SSL library used – with yaSSL, with OpenSSL...)

      Thank you!

          Activity

            thoger Tomas Hoger added a comment -

            If users should be able to disable specific TLS protocol versions, there will need to be a separate configuration option for that (similar to httpd's SSLProtocol or nginx's ssl_protocols). A cipher string in general cannot do that. Examples:

            • In the past, you could use 'DEFAULT:!SSLv2' to practically disable SSLv2 and leave SSLv3 and TLSv1 enabled, because SSLv2 ciphers were not used by SSLv3 or later.
            • However, the similar 'DEFAULT:!SSLv3' can not be used to disable SSLv3 and only enable TLSv1.0 and later.
            • Users may also ask for a way to disable TLSv1.0 and only enable 1.1 or later because of BEAST. The 'DEFAULT:!SSLv3' somewhat does the trick, but it only enables ciphers new in TLS 1.2.

            There may be little immediate need now, but it seems to be the way to go long term.

            thoger Tomas Hoger added a comment -

            A simple test program that attempts to establish a TLS connection with MySQL / MariaDB and prints TLS session information similar to what's printed by openssl s_client.

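The reporter's test above and the probe Tomas describes can be done together with a short MySQL-protocol client; the one below is an added example, not the attached program or MariaDB's code. It reads the server greeting, checks the CLIENT_SSL capability bit, sends the SSLRequest packet, then completes a TLS handshake pinned to a single protocol version (the modern replacement for the cipher-string trick, extended here to TLS 1.1 through 1.3) and reports what the server negotiated. Host and port are assumed command-line arguments; certificate verification is off because the probe only asks which versions the server will accept.

```python
import socket
import ssl
import struct
import sys

CLIENT_PROTOCOL_41 = 0x0200        # 4.1 protocol: 32-byte SSLRequest layout
CLIENT_SSL = 0x0800                # peer is willing to switch the connection to TLS
CLIENT_SECURE_CONNECTION = 0x8000  # 4.1 auth handshake (always set by 4.1 clients)

def parse_greeting(payload):
    """Return (server_version, capability_flags) from a Handshake V10 payload."""
    if payload[0] != 0x0A:
        raise ValueError("not a protocol 10 handshake")
    end = payload.index(b"\x00", 1)           # server version is NUL-terminated
    pos = end + 1 + 4 + 8 + 1                 # skip connection id, auth data, filler
    caps = struct.unpack_from("<H", payload, pos)[0]
    if len(payload) >= pos + 7:               # charset(1) status(2) upper caps(2)
        caps |= struct.unpack_from("<H", payload, pos + 5)[0] << 16
    return payload[1:end].decode(), caps

def build_ssl_request(seq=1, charset=33):
    """SSLRequest packet: client capabilities (with CLIENT_SSL) before TLS starts."""
    flags = CLIENT_PROTOCOL_41 | CLIENT_SSL | CLIENT_SECURE_CONNECTION
    body = struct.pack("<IIB", flags, 1 << 24, charset) + b"\x00" * 23
    return len(body).to_bytes(3, "little") + bytes([seq]) + body

def probe(host, port, version, timeout=5.0):
    """Offer exactly one TLS version; return (negotiated version, cipher) or None if refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE           # audit only: what will the server accept?
    ctx.minimum_version = ctx.maximum_version = version
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rd = sock.makefile("rb")
        length = int.from_bytes(rd.read(4)[:3], "little")   # 3-byte length + sequence id
        server, caps = parse_greeting(rd.read(length))
        if not caps & CLIENT_SSL:
            raise RuntimeError(f"{server} does not offer TLS (CLIENT_SSL unset)")
        sock.sendall(build_ssl_request())
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
        except (ssl.SSLError, ConnectionError):
            return None                       # server (or local OpenSSL) refused this version

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 3306
    for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        print(f"{v.name:8s} -> {probe(host, port, v) or 'refused'}")
```

A hardened server should answer "refused" for every version its configuration is meant to disable; a local OpenSSL that no longer supports TLS 1.0/1.1 at all may raise ValueError when the context is pinned to them.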
            thoger Tomas Hoger added a comment -

            For posterity, this commit now disables SSLv2 and SSLv3 as discussed above:

            http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/4369

            Thank you!


            dveeden Daniël van Eeden added a comment -

            Related bug for Support for TLSv1.1 and TLSv1.2 in MySQL

            julien.fritsch Julien Fritsch added a comment -

            Micada may I ask why you added the link "This issue is blocked by MDEV-23604" to this already closed issue?

            People

              serg Sergei Golubchik
              martin.langhoff Martin Langhoff
