[MDEV-16581] MariaDB does not support SSL secure renegotiation Created: 2018-06-25 Updated: 2020-08-25 Resolved: 2018-07-01 |
|
| Status: | Closed |
| Project: | MariaDB Server |
| Component/s: | SSL |
| Affects Version/s: | 10.1.33 |
| Fix Version/s: | N/A |
| Type: | Bug | Priority: | Major |
| Reporter: | Geoff Montee (Inactive) | Assignee: | Unassigned |
| Resolution: | Not a Bug | Votes: | 1 |
| Labels: | upstream | ||
| Attachments: |
|
| Description |
|
This is related to the following upstream bug:
https://bugs.mysql.com/bug.php?id=91415

RFC 5746 added "secure renegotiation" to SSL/TLS to fix a flaw in the original renegotiation protocol.
https://tools.ietf.org/html/rfc5746

It does not appear that MariaDB supports this "secure renegotiation" extension.

How to repeat:

Install MariaDB 10.1.33 and configure it to use SSL.
Download mariadb-java-client-2.2.2.jar.
Build and run the Java test program that I will attach to this bug report. e.g.:

export CLASSPATH="/home/ec2-user/mariadb-java-client-2.2.2.jar:."

You should see output similar to the following:

[ec2-user@ip-172-30-0-249 ~]$ java -Djavax.net.debug=ssl,handshake TestSslConnect | grep renegotiation
|
| Comments |
| Comment by Geoff Montee (Inactive) [ 2018-06-25 ] |
|
After chatting about this with wlad and georg, it sounds like SSL secure renegotiation might be unnecessary for MySQL and MariaDB. |
| Comment by Vladislav Vaintroub [ 2018-07-01 ] |
|
It is not necessary, because neither the server nor the client can use info from a new renegotiated certificate. |