Description
When FIPS is enabled, the client cannot connect with ssl-cipher=DHE-RSA-AES256-SHA:
ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Without FIPS the connection is established:
dhcp86:~ # mysql -u ssluser -p -D test --ssl-cipher=DHE-RSA-AES256-SHA --ssl-ca=/etc/mysql/certs/ca-cert.pem --ssl-cert=/etc/mysql/certs/client-cert.pem --ssl-key=/etc/mysql/certs/client-key.pem
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 10.0.16-MariaDB openSUSE package

Copyright (c) 2000, 2014, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [test]> show status like "%ssl%";
+--------------------------------+-------------------------------+
| Variable_name                  | Value                         |
+--------------------------------+-------------------------------+
| Com_show_processlist           | 0                             |
| Ssl_accept_renegotiates        | 0                             |
| Ssl_accepts                    | 2                             |
| Ssl_callback_cache_hits        | 0                             |
| Ssl_cipher                     | DHE-RSA-AES256-SHA            |
| Ssl_cipher_list                | DHE-RSA-AES256-SHA:AES128-SHA |
| Ssl_client_connects            | 0                             |
....
| Ssl_session_cache_timeouts     | 0                             |
| Ssl_sessions_reused            | 0                             |
| Ssl_used_session_cache_entries | 0                             |
| Ssl_verify_depth               | 18446744073709551615          |
| Ssl_verify_mode                | 5                             |
| Ssl_version                    | TLSv1.2                       |
+--------------------------------+-------------------------------+
26 rows in set (0.00 sec)

MariaDB [test]> exit
Bye

=== FIPS=1 ===
MariaDB [test]> show variables like '%ssl%';
+---------------+----------------------------------+
| Variable_name | Value                            |
+---------------+----------------------------------+
| have_openssl  | YES                              |
| have_ssl      | YES                              |
| ssl_ca        | /etc/mysql/certs/ca-cert.pem     |
| ssl_capath    |                                  |
| ssl_cert      | /etc/mysql/certs/server-cert.pem |
| ssl_cipher    | DHE-RSA-AES256-SHA:AES128-SHA    |
| ssl_crl       |                                  |
| ssl_crlpath   |                                  |
| ssl_key       | /etc/mysql/certs/server-key.pem  |
+---------------+----------------------------------+
9 rows in set (0.00 sec)

MariaDB [test]> exit
Bye

dhcp38:~/Documents/mariadb # mysql -u ssluser -p -D test --ssl-cipher=DHE-RSA-AES256-SHA --ssl-ca=/etc/mysql/certs/ca-cert.pem --ssl-cert=/etc/mysql/certs/client-cert.pem --ssl-key=/etc/mysql/certs/client-key.pem
Enter password:
ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

dhcp38:~/Documents/mariadb # mysql -u ssluser -p -D test --ssl-cipher=AES128-SHA --ssl-ca=/etc/mysql/certs/ca-cert.pem --ssl-cert=/etc/mysql/certs/client-cert.pem --ssl-key=/etc/mysql/certs/client-key.pem
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 10.0.16-MariaDB openSUSE package

Copyright (c) 2000, 2014, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [test]> status;
--------------
mysql Ver 15.1 Distrib 10.0.16-MariaDB, for Linux (x86_64) using readline 5.1

Connection id:          13
Current database:       test
Current user:           ssluser@localhost
SSL:                    Cipher in use is AES128-SHA
Current pager:          less
Using outfile:          ''
Using delimiter:        ;
Server:                 MariaDB
Server version:         10.0.16-MariaDB openSUSE package
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    utf8
Db characterset:        utf8
Client characterset:    utf8
Conn. characterset:     utf8
UNIX socket:            /var/run/mysql/mysql.sock
Uptime:                 20 hours 49 min 21 sec

Threads: 1  Questions: 34  Slow queries: 0  Opens: 0  Flush tables: 1  Open tables: 63  Queries per second avg: 0.000
--------------

MariaDB [test]> exit

dhcp38:~/Documents/mariadb # openssl ciphers FIPS -v
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
...
DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AECDH-AES256-SHA SSLv3 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
ADH-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=None Enc=AESGCM(256) Mac=AEAD
ADH-AES256-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(256) Mac=SHA256
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
....
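The comparison done by hand above (is each suite in the server's ssl_cipher string present in the `openssl ciphers FIPS -v` listing?) as a small Python script; this is an added example, not code from the report or from MariaDB. It parses the `-v` output format, checks each suite of a MariaDB ssl_cipher string, and also lists the anonymous (Au=None) suites the FIPS cipher string includes, which a server should never be left offering. The embedded listing is a constructed excerpt of the output above plus one AES128-SHA line, and, as the report itself shows, a suite being listed is necessary but not sufficient for the handshake to succeed.

```python
import sys

# Constructed excerpt in `openssl ciphers FIPS -v` format: lines quoted in the
# report plus an AES128-SHA line (elided there). Pipe real output in on stdin.
SAMPLE_FIPS_CIPHERS = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
AECDH-AES256-SHA SSLv3 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
"""

def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` lines into {suite: {"proto", "Kx", "Au", "Enc", "Mac"}}."""
    suites = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:          # skips blank lines and "..." elisions
            continue
        attrs = {"proto": fields[1]}
        for field in fields[2:]:     # Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
            key, _, value = field.partition("=")
            attrs[key] = value
        suites[fields[0]] = attrs
    return suites

def check_cipher_list(ssl_cipher, ciphers_v_text):
    """For each suite in a MariaDB ssl_cipher string ("A:B:C"): is it offered under
    this cipher string, and is it anonymous (Au=None) or SHA1-MAC (Mac=SHA1)?"""
    offered = parse_ciphers_v(ciphers_v_text)
    report = {}
    for name in ssl_cipher.split(":"):
        info = offered.get(name)
        report[name] = {
            "offered": info is not None,
            "anonymous": bool(info) and info.get("Au") == "None",
            "sha1_mac": bool(info) and info.get("Mac") == "SHA1",
        }
    return report

def anonymous_suites(ciphers_v_text):
    """Suites with no server authentication (Au=None): the FIPS string includes them."""
    return sorted(n for n, a in parse_ciphers_v(ciphers_v_text).items() if a.get("Au") == "None")

if __name__ == "__main__":
    text = SAMPLE_FIPS_CIPHERS if sys.stdin.isatty() else sys.stdin.read()
    print(check_cipher_list("DHE-RSA-AES256-SHA:AES128-SHA", text))
    print("anonymous suites offered:", anonymous_suites(text))
```

Run as `openssl ciphers FIPS -v | python3 check_ciphers.py` to check a real OpenSSL build instead of the embedded excerpt.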