[CONC-398] IANA cipher names are not accepted with Schannel
Created: 2019-03-24 Updated: 2019-03-25
| Status: | Open |
| Project: | MariaDB Connector/C |
| Component/s: | None |
| Affects Version/s: | 3.0.8 |
| Fix Version/s: | None |
| Type: | Task | Priority: | Minor |
| Reporter: | Geoff Montee (Inactive) | Assignee: | Georg Richter |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | None |
| Description |

In Microsoft's Schannel documentation, TLS ciphers are listed with their IANA names:

https://docs.microsoft.com/en-us/windows/desktop/secauthn/tls-cipher-suites-in-windows-10-v1809

The MariaDB Connector/C code stores these IANA names as the iana_name C-string in the cipher_map[] array that is used to map cipher strings to specific ALG_ID values:

However, the set_cipher function ignores the iana_name C-string when parsing ssl-cipher/MYSQL_OPT_SSL_CIPHER. It only looks at the openssl_name C-string:

Should we change MariaDB Connector/C to allow the IANA names of ciphers in ssl-cipher/MYSQL_OPT_SSL_CIPHER when using Schannel, if the names are already stored in the cipher_map[] array?

| Comments |
| Comment by Georg Richter [ 2019-03-25 ] |

Currently we map all cipher suite names to OpenSSL cipher suite names (Schannel and GnuTLS). The Windows Schannel API doesn't provide any cipher suite names, but a set of algorithms for cipher suites (exchange, encryption, hash and signature). Usually cipher suites should be specified only to prevent use of a malicious cipher suite; otherwise server and client will agree during the handshake on a preferred cipher suite. If client and server support TLSv1.3, the connection will fail if a cipher suite was specified, since cipher suites supported in TLS versions < 1.3 are not supported anymore. TLSv1.3 cipher suites have a different API (at least in OpenSSL) and are currently not supported in MariaDB Server and Connector/C.
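
The lookup asked about in the description, as an added example that is not part of the issue or of MariaDB Connector/C's source: a cipher list is resolved against a table holding both an iana_name and an openssl_name per entry. The three-entry table, the stand-in algorithm ids, the function names `name_eq` and `resolve_cipher_list`, and the case-insensitive matching are all assumptions made for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Stand-in ids (assumption); the real table stores Windows ALG_ID values. */
enum { ALG_3DES = 1, ALG_AES_128 = 2, ALG_AES_256 = 3 };

/* Hypothetical, reduced cipher map carrying both name columns. */
struct cipher_entry {
    const char *iana_name;
    const char *openssl_name;
    unsigned int alg_id;
};

static const struct cipher_entry cipher_map[] = {
    { "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "DES-CBC3-SHA", ALG_3DES },
    { "TLS_RSA_WITH_AES_128_CBC_SHA",  "AES128-SHA",   ALG_AES_128 },
    { "TLS_RSA_WITH_AES_256_CBC_SHA",  "AES256-SHA",   ALG_AES_256 },
};

/* Case-insensitive compare of a length-delimited token with a name
 * (case-insensitivity is a choice made for this example). */
static int name_eq(const char *tok, size_t len, const char *name)
{
    if (strlen(name) != len) return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)tok[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Resolve a colon-separated list written in either naming scheme.
 * Returns the number of ids written, or -1 on an unknown name or a
 * full output buffer, so a mistyped restriction is never silently dropped. */
int resolve_cipher_list(const char *list, unsigned int *out, size_t max)
{
    size_t n = 0;
    while (*list) {
        size_t len = strcspn(list, ":");
        size_t i, count = sizeof(cipher_map) / sizeof(cipher_map[0]);
        for (i = 0; i < count; i++)
            if (name_eq(list, len, cipher_map[i].iana_name) ||
                name_eq(list, len, cipher_map[i].openssl_name))
                break;
        if (i == count || n == max) return -1;
        out[n++] = cipher_map[i].alg_id;
        list += len;
        if (*list == ':') list++;
    }
    return (int)n;
}
```

A list mixing both schemes, such as `AES128-SHA:TLS_RSA_WITH_AES_256_CBC_SHA`, resolves to two ids, while any unrecognized token fails the whole list.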