Details
Major Description
When FIPS is enabled can not connect with ssl-cipher=DHE-RSA-AES256-SHA
ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
|
Without fips connection is established:
dhcp86:~ # mysql -u ssluser -p -D test --ssl-cipher=DHE-RSA-AES256-SHA --ssl-ca=/etc/mysql/certs/ca-cert.pem --ssl-cert=/etc/mysql/certs/client-cert.pem --ssl-key=/etc/mysql/certs/client-key.pem |
Enter password: |
Reading table information for completion of table and column names |
You can turn off this feature to get a quicker startup with -A |
|
Welcome to the MariaDB monitor. Commands end with ; or \g. |
Your MariaDB connection id is 4 |
Server version: 10.0.16-MariaDB openSUSE package
|
|
Copyright (c) 2000, 2014, Oracle, MariaDB Corporation Ab and others. |
|
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. |
|
MariaDB [test]> show status like "%ssl%"; |
+--------------------------------+-------------------------------+ |
| Variable_name | Value |
|
+--------------------------------+-------------------------------+ |
| Com_show_processlist | 0 |
|
| Ssl_accept_renegotiates | 0 |
|
| Ssl_accepts | 2 |
|
| Ssl_callback_cache_hits | 0 |
|
| Ssl_cipher | DHE-RSA-AES256-SHA |
|
| Ssl_cipher_list | DHE-RSA-AES256-SHA:AES128-SHA |
|
| Ssl_client_connects | 0 |
|
....
|
| Ssl_session_cache_timeouts | 0 |
|
| Ssl_sessions_reused | 0 |
|
| Ssl_used_session_cache_entries | 0 |
|
| Ssl_verify_depth | 18446744073709551615 |
|
| Ssl_verify_mode | 5 |
|
| Ssl_version | TLSv1.2 |
|
+--------------------------------+-------------------------------+ |
26 rows in set (0.00 sec) |
|
MariaDB [test]> exit
|
Bye
|
=== FIPS=1 ===
MariaDB [test]> show variables like '%ssl%'; |
+---------------+----------------------------------+ |
| Variable_name | Value |
|
+---------------+----------------------------------+ |
| have_openssl | YES |
|
| have_ssl | YES |
|
| ssl_ca | /etc/mysql/certs/ca-cert.pem |
|
| ssl_capath | |
|
| ssl_cert | /etc/mysql/certs/server-cert.pem |
|
| ssl_cipher | DHE-RSA-AES256-SHA:AES128-SHA |
|
| ssl_crl | |
|
| ssl_crlpath | |
|
| ssl_key | /etc/mysql/certs/server-key.pem | |
+---------------+----------------------------------+ |
9 rows in set (0.00 sec) |
|
MariaDB [test]> exit
|
Bye
|
dhcp38:~/Documents/mariadb # mysql -u ssluser -p -D test --ssl-cipher=DHE-RSA-AES256-SHA --ssl-ca=/etc/mysql/certs/ca-cert.pem --ssl-cert=/etc/mysql/certs/client-cert.pem --ssl-key=/etc/mysql/certs/client-key.pem |
Enter password: |
ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure |
|
|
dhcp38:~/Documents/mariadb # mysql -u ssluser -p -D test --ssl-cipher=AES128-SHA --ssl-ca=/etc/mysql/certs/ca-cert.pem --ssl-cert=/etc/mysql/certs/client-cert.pem --ssl-key=/etc/mysql/certs/client-key.pem |
Enter password: |
Welcome to the MariaDB monitor. Commands end with ; or \g. |
Your MariaDB connection id is 4 |
Server version: 10.0.16-MariaDB openSUSE package
|
|
Copyright (c) 2000, 2014, Oracle, MariaDB Corporation Ab and others. |
|
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. |
|
MariaDB [test]> status;
|
--------------
|
mysql Ver 15.1 Distrib 10.0.16-MariaDB, for Linux (x86_64) using readline 5.1 |
|
|
Connection id: 13 |
Current database: test |
Current user: ssluser@localhost |
SSL: Cipher in use is AES128-SHA |
Current pager: less |
Using outfile: '' |
Using delimiter: ;
|
Server: MariaDB
|
Server version: 10.0.16-MariaDB openSUSE package
|
Protocol version: 10
|
Connection: Localhost via UNIX socket |
Server characterset: utf8
|
Db characterset: utf8
|
Client characterset: utf8
|
Conn. characterset: utf8
|
UNIX socket: /var/run/mysql/mysql.sock
|
Uptime: 20 hours 49 min 21 sec |
|
|
Threads: 1 Questions: 34 Slow queries: 0 Opens: 0 Flush tables: 1 Open tables: 63 Queries per second avg: 0.000 |
--------------
|
|
|
MariaDB [test]> exit
|
dhcp38:~/Documents/mariadb # openssl ciphers FIPS -v
|
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
|
...
|
DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
|
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
|
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
|
AECDH-AES256-SHA SSLv3 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
|
ADH-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=None Enc=AESGCM(256) Mac=AEAD
|
ADH-AES256-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(256) Mac=SHA256
|
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
|
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
|
....
|
Attachments
Issue Links
Activity
This should probably be backported to 5.x versions as well. Because of CVE-2015-4000 / LOGJAM, OpenSSL is getting changed to require at least 768bit DH parameters in its client code:
https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
http://git.openssl.org/?p=openssl.git;a=commitdiff;h=6383038
If connection between client and server normally uses some DH cipher suite, and client's OpenSSL is patched with the above fix, subsequent SSL connection attempts will fail. Changing client's or server's cipher list using --ssl-cipher to disable DH ciphers can be used as a workaround.
MySQL and Percona bug reports:
http://bugs.mysql.com/bug.php?id=77275
https://bugs.launchpad.net/percona-server/+bug/1462856
In cases when a bug is reported to MySQL, we generally prefer to merge the bugfix when it's fixed upstream.
Or would you say it's something urgent that needs to be fixed ASAP?
I wanted to give you a heads-up. The OpenSSL fix is likely to start appearing in distributions soon, breaking database connections that currently work fine. Hence this problem will no longer be limited to users running in FIPS mode. We had this problem reported very soon after OpenSSL update was pushed to Red Hat Enterprise Linux. You may see user demand to have this fixed before the fix makes its way in via MySQL upstream.
Thanks. I guess I'll just backport 10.0 fix to 5.5 now. MariaDB-5.5.44 release is today and 5.5.45 is at least in two months.
It was pointed out in the upstream bug that the issue is already fixed in MySQL 5.7.6:
https://github.com/mysql/mysql-server/commit/866b988a76e8e7e217017a7883a52a12ec5024b9
https://github.com/MariaDB/server/commit/7e7dd8e8f4c1eb83e1ac4eddc4911139b5b0e0c7