[MDEV-26015] Remove DH param stuff Created: 2021-06-24  Updated: 2023-11-08

Status: In Review
Project: MariaDB Server
Component/s: SSL
Affects Version/s: 10.2, 10.3, 10.4, 10.5, 10.6
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1, 11.2

Type: Bug Priority: Major
Reporter: Georg Richter Assignee: Sergei Golubchik
Resolution: Unresolved Votes: 0
Labels: None

Issue Links:
PartOf
is part of MDEV-25785 Add support for OpenSSL 3.0 Closed

 Description   

The size of the DH (Diffie-Hellman) group parameter in MariaDB Server cannot be changed, since it uses a fixed size of 2048.

Citing OpenSSL Wiki:
"Your Diffie-Hellman group parameters should match the key size used in the server's certificate. If you use a 2048-bit RSA prime in the server's certificate, then use a 2048-bit Diffie-Hellman group for key agreement."

Citing the manpage for SSL_CTX_set_tmp_dh:

"Applications may supply their own DH parameters instead of using the built-in values.
This approach is discouraged and applications should in preference use the built-in parameter support described above.
....
If "auto" DH parameters are switched on then the parameters will be selected to be consistent with the size of the key associated with the server's certificate."

So the easiest solution would be to use SSL_CTX_set_auto_dh() instead.

Please also note that the current code for DH params doesn't work with OSSL3 anymore.



 Comments   
Comment by Georg Richter [ 2021-06-30 ]

Pull request: https://github.com/MariaDB/server/pull/1868

Comment by Sergei Golubchik [ 2021-06-30 ]

Why is it 10.6 only? What's the risk?

Comment by Georg Richter [ 2021-06-30 ]

You're right - could go into the oldest supported version and be merged.

Comment by Vladislav Vaintroub [ 2021-06-30 ]

Georg, please fix the test on Windows before it can be reviewed.
https://ci.appveyor.com/project/rasmushoj/server/builds/39807765

CURRENT_TEST: main.MDEV-26015
mysqltest: At line 10: exec of 'C:\projects\server\win_build\client\RelWithDebInfo\mysql.exe --defaults-file=C:/projects/server/win_build/mysql-test/var/4/my.cnf -uroot --ssl-cipher=DHE-RSA-AES128-SHA256 --tls_version=TLSv1.2 -e"show status like 'ssl_cipher'" 2>&1' failed, error: 1, status: 1, errno: 2
Output from before failure:
ERROR 2026 (HY000): SSL connection error: no cipher match. Error 0x80090331(SEC_E_ALGORITHM_MISMATCH)

Comment by Georg Richter [ 2021-09-22 ]

Not possible to get it to work with WolfSSL or Yassl.

Comment by Sergei Golubchik [ 2023-11-08 ]

Reopened. Couldn't find the commit pushed anywhere, perhaps it was closed by mistake?
