[CONC-296] Unexpected TLSv1.0 usage when TLSv1.2 is available Created: 2017-11-27  Updated: 2018-07-27  Resolved: 2018-07-27

Status: Closed
Project: MariaDB Connector/C
Component/s: None
Affects Version/s: 2.3.3
Fix Version/s: 2.3.6

Type: Bug Priority: Major
Reporter: markus makela Assignee: Georg Richter
Resolution: Fixed Votes: 1
Labels: None

Attachments: File dbnode1.20171127.1756.pcap    
Issue Links:
Relates
relates to MXS-1462 MaxScale erroneously connects to MySQ... Closed

 Description   

MaxScale uses Connector-C version 2.3.3 to connect to backend clusters. As described in MXS-1462, MaxScale successfully connects with TLSv1.2 whereas C/C uses TLSv1.0. This is not the expected result as the highest available encryption version should be used.

As is explained here, MaxScale and Connector-C use different ciphers to connect to the same server.

 Comments   
Comment by markus makela [ 2017-11-27 ]

PCPlease provide a tcpdump of the traffic between the MaxScale monitor and the backend server. We would need to see the handshake packet to understand what is going on.

Comment by Pak Chan [ 2017-11-27 ]

I've attached a tcpdump of the traffic between a MaxScale node on startup and one of the MariaDB backend servers. dbnode1.20171127.1756.pcap

I've included a database connection session (TCP stream 3, as viewed in Wireshark) as well to illustrate the difference in the handshake.

Comment by markus makela [ 2017-11-27 ]

PCWe've build MaxScale 2.1 with the latest Connector-C 2.3 code: http://max-tst-01.mariadb.com/ci-repository/2.1-connector-c-2.3/mariadb-maxscale/

Please try if this fixes the problem.

Comment by Pak Chan [ 2017-11-28 ]

Thanks Markus! That appears to have fixed the problem. I now have "ssl-cipher=AESGCM" set on the MariaDB backend servers and MaxScale is showing them as being up and available, and the connections are encrypted using TLSv1.2.

I don't suppose you have any idea when this is going to make it into the release build?

Comment by markus makela [ 2017-11-28 ]

Most likely it'll make it into the next 2.1 release.

Comment by Pak Chan [ 2017-11-28 ]

Thanks, I'll keep an eye out for it.

Generated at Thu Feb 08 03:04:18 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.