[CONC-393] TLSv1.2 ciphers are rejected on Windows with Schannel
Created: 2019-03-20  Updated: 2019-10-08  Resolved: 2019-06-04

Status: Closed
Project: MariaDB Connector/C
Component/s: None
Affects Version/s: 3.0.8
Fix Version/s: 3.1.1

Type: Bug
Priority: Major
Reporter: Geoff Montee (Inactive)
Assignee: Vladislav Vaintroub
Resolution: Fixed
Votes: 0
Labels: None

Issue Links:
Problem/Incident
causes ODBC-230 SSLCIPHER doesn't seem to work on Win... Closed
Relates
relates to CONC-398 IANA cipher names are not accepted wi... Open
relates to CONC-403 Disable TLS v1.0 Open
relates to CONC-412 Allow TLS1.2 in Schannel Closed
relates to MDEV-12190 YASSL isn't able to negotiate TLS ver... Closed

 Description   

The following patch disabled the TLSv1.2 protocol for MariaDB Connector/C when using Schannel:

https://github.com/MariaDB/mariadb-connector-c/commit/ba22ae8c6dac89b5e3fa07511f508e8b3efcd8dd

With this change, if you set ssl_cipher to a TLSv1.2 cipher (e.g. AES256-GCM-SHA384) and if you try to connect to a server that supports TLSv1.2, then the connection will fail with an error like:

SSL connection error: no cipher match

This even happens if you set ssl_cipher to a TLSv1.2 cipher that also supports TLSv1.1 and TLSv1.0 (e.g. AES256-SHA).

However, for some reason, setting ssl_cipher to "TLSv1.2" allows the connection to succeed without any errors. I see that this string is treated specially here:

https://github.com/MariaDB/mariadb-connector-c/blob/db1a1a1d31cffd350f12e1ca5b0fd25f6a5ef0aa/libmariadb/secure/schannel.c#L316

This problem causes ODBC-230.



 Comments   
Comment by Geoff Montee (Inactive) [ 2019-06-04 ]

This should be fixed after CONC-412.
