[#MDEV-7695] MariaDB - ssl - fips: can not connect with --ssl-cipher=DHE-RSA-AES256-SHA

When FIPS is enabled can not connect with ssl-cipher=DHE-RSA-AES256-SHA

ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Without fips connection is established:

dhcp86:~ # mysql -u ssluser -p -D test --ssl-cipher=DHE-RSA-AES256-SHA --ssl-ca=/etc/mysql/certs/ca-cert.pem --ssl-cert=/etc/mysql/certs/client-cert.pem --ssl-key=/etc/mysql/certs/client-key.pem

Enter password:

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor.  Commands end with ; or \g.

Your MariaDB connection id is 4

Server version: 10.0.16-MariaDB openSUSE package

Copyright (c) 2000, 2014, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [test]> show status like "%ssl%";

+--------------------------------+-------------------------------+

| Variable_name                  | Value                         |

+--------------------------------+-------------------------------+

| Com_show_processlist           | 0                             |

| Ssl_accept_renegotiates        | 0                             |

| Ssl_accepts                    | 2                             |

| Ssl_callback_cache_hits        | 0                             |

| Ssl_cipher                     | DHE-RSA-AES256-SHA            |

| Ssl_cipher_list                | DHE-RSA-AES256-SHA:AES128-SHA |

| Ssl_client_connects            | 0                             |

....

| Ssl_session_cache_timeouts     | 0                             |

| Ssl_sessions_reused            | 0                             |

| Ssl_used_session_cache_entries | 0                             |

| Ssl_verify_depth               | 18446744073709551615          |

| Ssl_verify_mode                | 5                             |

| Ssl_version                    | TLSv1.2                       |

+--------------------------------+-------------------------------+

26 rows in set (0.00 sec)

MariaDB [test]> exit

Bye

=== FIPS=1 ===

MariaDB [test]> show variables like '%ssl%';

+---------------+----------------------------------+

| Variable_name | Value                            |

+---------------+----------------------------------+

| have_openssl  | YES                              |

| have_ssl      | YES                              |

| ssl_ca        | /etc/mysql/certs/ca-cert.pem     |

| ssl_capath    |                                  |

| ssl_cert      | /etc/mysql/certs/server-cert.pem |

| ssl_cipher    | DHE-RSA-AES256-SHA:AES128-SHA    |

| ssl_crl       |                                  |

| ssl_crlpath   |                                  |

| ssl_key       | /etc/mysql/certs/server-key.pem  |

+---------------+----------------------------------+

9 rows in set (0.00 sec)

MariaDB [test]> exit

Bye

dhcp38:~/Documents/mariadb # mysql -u ssluser -p -D test --ssl-cipher=DHE-RSA-AES256-SHA --ssl-ca=/etc/mysql/certs/ca-cert.pem --ssl-cert=/etc/mysql/certs/client-cert.pem --ssl-key=/etc/mysql/certs/client-key.pem

Enter password:

ERROR 2026 (HY000): SSL connection error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

dhcp38:~/Documents/mariadb # mysql -u ssluser -p -D test --ssl-cipher=AES128-SHA --ssl-ca=/etc/mysql/certs/ca-cert.pem --ssl-cert=/etc/mysql/certs/client-cert.pem --ssl-key=/etc/mysql/certs/client-key.pem

Enter password:

Welcome to the MariaDB monitor.  Commands end with ; or \g.

Your MariaDB connection id is 4

Server version: 10.0.16-MariaDB openSUSE package

Copyright (c) 2000, 2014, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [test]> status;

--------------

mysql  Ver 15.1 Distrib 10.0.16-MariaDB, for Linux (x86_64) using readline 5.1

Connection id:		13

Current database:	test

Current user:		ssluser@localhost

SSL:			Cipher in use is AES128-SHA

Current pager:		less

Using outfile:		''

Using delimiter:	;

Server:			MariaDB

Server version:		10.0.16-MariaDB openSUSE package

Protocol version:	10

Connection:		Localhost via UNIX socket

Server characterset:	utf8

Db     characterset:	utf8

Client characterset:	utf8

Conn.  characterset:	utf8

UNIX socket:		/var/run/mysql/mysql.sock

Uptime:			20 hours 49 min 21 sec

Threads: 1  Questions: 34  Slow queries: 0  Opens: 0  Flush tables: 1  Open tables: 63  Queries per second avg: 0.000

--------------

MariaDB [test]> exit

dhcp38:~/Documents/mariadb # openssl ciphers FIPS -v

ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD

...

DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256

DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1

DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1

AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1

ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD

ADH-AES256-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(256)  Mac=SHA256

ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1

ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD

....

https://bugzilla.suse.com/show_bug.cgi?id=920865

[MDEV-7695] MariaDB - ssl - fips: can not connect with --ssl-cipher=DHE-RSA-AES256-SHA - handshake failure Created: 2015-03-10 Updated: 2016-02-12 Resolved: 2015-05-03
Status:	Closed
Project:	MariaDB Server
Component/s:	SSL
Affects Version/s:	10.0.16
Fix Version/s:	5.5.44, 10.0.18

[MDEV-7695] MariaDB - ssl - fips: can not connect with --ssl-cipher=DHE-RSA-AES256-SHA - handshake failure Created: 2015-03-10 Updated: 2016-02-12 Resolved: 2015-05-03