[MDEV-25798] Windows SChannel clients fail to connect to OpenSSL servers with "No cipher match"

Created: 2021-05-27
Updated: 2021-09-23
Resolved: 2021-09-23

Status: Closed
Project: MariaDB Server
Component/s: Scripts & Clients, SSL
Affects Version/s: 10.5.10
Fix Version/s: N/A

Type: Bug
Priority: Major
Reporter: Hartmut Holzgraefe
Assignee: Sergei Golubchik
Resolution: Duplicate
Votes: 0
Labels: client, ssl, tls

Attachments: File windows2linux.pcapng    
Issue Links:
Duplicate
is duplicated by CONC-527 Connect error "SEC_E_ALGORITHM_MISMAT... Closed
Issue split
split from MDEV-25701 Two-way TLS does not work with WolfSS... Confirmed

 Description   

This was originally reported as part of MDEV-25701 and now split out into a separate ticket.

When trying to connect from the Windows command line client to an OpenSSL-based server, the connection attempt fails with:

C:\Users\User\Desktop>mysql -u secure -psecret -h 192.168.23.15 --ssl --ssl-ca=\ssl\ca-cert.pem --ssl-cert=\ssl\client-cert.pem --ssl-key=\ssl\client-key.pem
ERROR 2026 (HY000): SSL connection error: no cipher match. Error 0x80090331(SEC_E_ALGORITHM_MISMATCH)

So far I could only reproduce this with two-way TLS, but there is at least one user report about getting the same error with one-way TLS with no explicit client certificate.

My test setup:

  • Windows 10 with MariaDB 10.5.10 installed from 64-bit MSI package
  • Linux Server running Ubuntu 20.04 "focal", and mysql-server package installed from our own package repositories, so using OpenSSL
  • certificate files taken from our test suite (cacert, server-cert, client-cert from mysql-test/std-data directory)


 Comments   
Comment by Vladislav Vaintroub [ 2021-06-01 ]

This is an exact duplicate of CONC-527

Comment by Julien Fritsch [ 2021-09-23 ]

Duplicate CONC-527
