MariaDB Server / MDEV-7695

MariaDB - ssl - fips: can not connect with --ssl-cipher=DHE-RSA-AES256-SHA - handshake failure

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.0.16
    • Fix Version/s: 5.5.44, 10.0.18
    • Component/s: SSL
    • Environment: SLES-12, x86_64

      Description

      When FIPS is enabled, cannot connect with ssl-cipher=DHE-RSA-AES256-SHA:

      ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

      Without FIPS, the connection is established:

      dhcp86:~ # mysql -u ssluser -p -D test --ssl-cipher=DHE-RSA-AES256-SHA --ssl-ca=/etc/mysql/certs/ca-cert.pem --ssl-cert=/etc/mysql/certs/client-cert.pem --ssl-key=/etc/mysql/certs/client-key.pem
      Enter password: 
      Reading table information for completion of table and column names
      You can turn off this feature to get a quicker startup with -A
       
      Welcome to the MariaDB monitor.  Commands end with ; or \g.
      Your MariaDB connection id is 4
      Server version: 10.0.16-MariaDB openSUSE package
       
      Copyright (c) 2000, 2014, Oracle, MariaDB Corporation Ab and others.
       
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
       
      MariaDB [test]> show status like "%ssl%";
      +--------------------------------+-------------------------------+
      | Variable_name                  | Value                         |
      +--------------------------------+-------------------------------+
      | Com_show_processlist           | 0                             |
      | Ssl_accept_renegotiates        | 0                             |
      | Ssl_accepts                    | 2                             |
      | Ssl_callback_cache_hits        | 0                             |
      | Ssl_cipher                     | DHE-RSA-AES256-SHA            |
      | Ssl_cipher_list                | DHE-RSA-AES256-SHA:AES128-SHA |
      | Ssl_client_connects            | 0                             |
      ....
      | Ssl_session_cache_timeouts     | 0                             |
      | Ssl_sessions_reused            | 0                             |
      | Ssl_used_session_cache_entries | 0                             |
      | Ssl_verify_depth               | 18446744073709551615          |
      | Ssl_verify_mode                | 5                             |
      | Ssl_version                    | TLSv1.2                       |
      +--------------------------------+-------------------------------+
      26 rows in set (0.00 sec)
       
      MariaDB [test]> exit
      Bye

      === FIPS=1 ===

      MariaDB [test]> show variables like '%ssl%';
      +---------------+----------------------------------+
      | Variable_name | Value                            |
      +---------------+----------------------------------+
      | have_openssl  | YES                              |
      | have_ssl      | YES                              |
      | ssl_ca        | /etc/mysql/certs/ca-cert.pem     |
      | ssl_capath    |                                  |
      | ssl_cert      | /etc/mysql/certs/server-cert.pem |
      | ssl_cipher    | DHE-RSA-AES256-SHA:AES128-SHA    |
      | ssl_crl       |                                  |
      | ssl_crlpath   |                                  |
      | ssl_key       | /etc/mysql/certs/server-key.pem  |
      +---------------+----------------------------------+
      9 rows in set (0.00 sec)
       
      MariaDB [test]> exit
      Bye

      dhcp38:~/Documents/mariadb # mysql -u ssluser -p -D test --ssl-cipher=DHE-RSA-AES256-SHA --ssl-ca=/etc/mysql/certs/ca-cert.pem --ssl-cert=/etc/mysql/certs/client-cert.pem --ssl-key=/etc/mysql/certs/client-key.pem
      Enter password: 
      ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
       
      dhcp38:~/Documents/mariadb # mysql -u ssluser -p -D test --ssl-cipher=AES128-SHA --ssl-ca=/etc/mysql/certs/ca-cert.pem --ssl-cert=/etc/mysql/certs/client-cert.pem --ssl-key=/etc/mysql/certs/client-key.pem
      Enter password: 
      Welcome to the MariaDB monitor.  Commands end with ; or \g.
      Your MariaDB connection id is 4
      Server version: 10.0.16-MariaDB openSUSE package
       
      Copyright (c) 2000, 2014, Oracle, MariaDB Corporation Ab and others.
       
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
       
      MariaDB [test]> status;
      --------------
      mysql  Ver 15.1 Distrib 10.0.16-MariaDB, for Linux (x86_64) using readline 5.1
       
      Connection id:		13
      Current database:	test
      Current user:		ssluser@localhost
      SSL:			Cipher in use is AES128-SHA
      Current pager:		less
      Using outfile:		''
      Using delimiter:	;
      Server:			MariaDB
      Server version:		10.0.16-MariaDB openSUSE package
      Protocol version:	10
      Connection:		Localhost via UNIX socket
      Server characterset:	utf8
      Db     characterset:	utf8
      Client characterset:	utf8
      Conn.  characterset:	utf8
      UNIX socket:		/var/run/mysql/mysql.sock
      Uptime:			20 hours 49 min 21 sec
       
      Threads: 1  Questions: 34  Slow queries: 0  Opens: 0  Flush tables: 1  Open tables: 63  Queries per second avg: 0.000
      --------------
       
      MariaDB [test]> exit

      dhcp38:~/Documents/mariadb # openssl ciphers FIPS -v
      ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
      ...
      DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
      DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
      DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
      AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
      ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD
      ADH-AES256-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(256)  Mac=SHA256
      ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
      ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
      ....

      https://bugzilla.suse.com/show_bug.cgi?id=920865

              People

              • Assignee: serg Sergei Golubchik
              • Reporter: nirbhay_c Nirbhay Choubey (Inactive)