[MDEV-18019] Default test certificate key too small, incompatible with OpenSSL 1.1.0
Created: 2018-12-16  Updated: 2021-04-11  Resolved: 2021-04-11

Status: Closed
Project: MariaDB Server
Component/s: Packaging, Platform Debian, Tests
Affects Version/s: None
Fix Version/s: 10.6.0

Type: Bug
Priority: Major
Reporter: Otto Kekäläinen
Assignee: Otto Kekäläinen
Resolution: Fixed
Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-18135 binlog_encryption.encrypted_slave, ma... Open

 Description   

After uploading MariaDB 10.3 to Debian experimental I noticed all builds were failing. One of the reasons was the inability of the mysqld process to serve any connections due to this:

SSL error: Unable to get certificate from '/tmp/build/source/mysql-test/std_data/server-cert.pem'
2018-12-16 15:56:57 0 [Warning] Failed to setup SSL
2018-12-16 15:56:57 0 [Warning] SSL error: Unable to get certificate
2018-12-16 15:56:57 0 [Warning] SSL error: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
2018-12-16 15:56:57 0 [Note] Server socket created on IP: '127.0.0.1'.
2018-12-16 15:56:57 0 [Note] Reading of all Master_info entries succeded
2018-12-16 15:56:57 0 [Note] Added new Master_info '' to hash table
2018-12-16 15:56:57 0 [Note] /tmp/build/source/builddir/sql/mysqld: ready for connections.
Version: '10.3.11-MariaDB-1~exp1-log'  socket: '/tmp/build/source/builddir/mysql-test/var/tmp/4/mysqld.1.sock'  port: 16060  Debian unstable

Reports online suggest that the new OpenSSL (available in Debian unstable) does not accept the small keysize in our test certificate. See https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_security_level.html
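
The "ee key too small" failure reported above can be caught before a test run by comparing each certificate's RSA key size with the minimum an OpenSSL security level accepts. The script below is an added example, not part of the original report or of MariaDB's code; the function names and the "constructed-test" subject are hypothetical, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: flag RSA certificates that an OpenSSL security level rejects.
# Minimum RSA bits per level, from the SSL_CTX_set_security_level man page.
min_rsa_bits() {
    case "$1" in
        0) echo 0 ;;    1) echo 1024 ;;  2) echo 2048 ;;
        3) echo 3072 ;; 4) echo 7680 ;;  5) echo 15360 ;;
        *) return 2 ;;
    esac
}

# check_cert LEVEL FILE: 0 = accepted, 1 = key too small, 2 = not checkable.
check_cert() {
    level=$1; file=$2
    min=$(min_rsa_bits "$level") || { echo "bad level: $level"; return 2; }
    text=$(openssl x509 -in "$file" -noout -text 2>/dev/null) ||
        { echo "$file: not a readable certificate"; return 2; }
    case "$text" in
        *"Public Key Algorithm: rsaEncryption"*) ;;
        *) echo "$file: non-RSA key, not checked"; return 2 ;;
    esac
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    [ -n "$bits" ] || { echo "$file: key size not found"; return 2; }
    if [ "$bits" -lt "$min" ]; then
        echo "$file: RSA $bits bit, level $level needs >= $min (ee key too small)"
        return 1
    fi
    echo "$file: RSA $bits bit, ok at level $level"
}

# make_test_cert BITS OUT: constructed self-signed certificate for trying it out.
make_test_cert() {
    openssl req -x509 -newkey "rsa:$1" -nodes -sha256 -days 1 \
        -subj "/CN=constructed-test" -keyout "$2.key" -out "$2" 2>/dev/null
}

# Usage: sh audit.sh LEVEL cert.pem [cert.pem ...]; exit status 1 if any fails.
if [ "$#" -ge 2 ]; then
    lvl=$1; shift; rc=0
    for f in "$@"; do check_cert "$lvl" "$f" || rc=1; done
    exit "$rc"
fi
```

Run against a directory of test certificates with the security level of the target OpenSSL build as the first argument; a 2048-bit key passes level 2 but is reported at level 3 and above.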



 Comments   
Comment by Otto Kekäläinen [ 2018-12-16 ]

I have created a fix for this and it's now patched in Debian. I will upstream that patch soon.

Comment by Otto Kekäläinen [ 2018-12-18 ]

Fixed downstream in https://salsa.debian.org/mariadb-team/mariadb-10.3/commit/8da43c2e32b0730a3d813b1a637d72574205a16d - I plan to upstream this very soon once I have MariaDB 10.3 in Debian done.

Comment by Otto Kekäläinen [ 2019-03-30 ]

This was fixed by serg in https://github.com/mariadb/server/commit/9c60535f867678e65ade1258ca10b7d2ee2bdc53 but with only 2048 bit keys.

Comment by Otto Kekäläinen [ 2020-04-23 ]

Related https://github.com/MariaDB/server/pull/1505

Comment by Sergei Golubchik [ 2020-08-14 ]

otto, is this issue fixed by that commit you've referenced above?

Comment by Otto Kekäläinen [ 2021-04-11 ]

Merged https://github.com/MariaDB/server/pull/1505, min RSA key size is now 4096.
