[#MXS-3665] Provide more feedback on TLS cipher mismatch

Wouldn't it be possible to see what the server (or MaxScale) offers using openssl s_client with the -starttls mysql option? This seems to provide the set of shared ciphers between the client and the host:

CONNECTED(00000003)

---

Certificate chain

 0 s:C = FI, L = Default City, O = MariaDB, CN = localhost

   i:C = FI, L = Default City, O = Default Company Ltd, CN = localhost

 1 s:C = FI, L = Default City, O = Default Company Ltd, CN = localhost

   i:C = FI, L = Default City, O = Default Company Ltd, CN = localhost

---

Server certificate

-----BEGIN CERTIFICATE-----

MIIFSzCCBDOgAwIBAgIBBDANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJGSTEV

MBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBhbnkg

THRkMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjIwMzAyMDc0NDE4WhcNMzAwNTE5

MDc0NDE4WjBKMQswCQYDVQQGEwJGSTEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRAw

DgYDVQQKDAdNYXJpYURCMRIwEAYDVQQDDAlsb2NhbGhvc3QwggIiMA0GCSqGSIb3

DQEBAQUAA4ICDwAwggIKAoICAQDMMuZkc/YdlHyGSfLtEBL8It99ovwZbE+X3j2Y

jJglvMTNYDEWnPTvv4WQhZyNtscEgzPxWfuwGisdts8mhL1k/vLCGqsD6t+9PXn9

a+b3a1cTXo2BnJaGlyKo7z3/xfQ+9PrDNnjHivZxA/lE4+FiaX1ZSOsydOAakuf5

D5Qolb/yPXtNxMNzxjbS03RuoQvjyEtzfkG/y7DVCPrG/DfA0iyyCT/DjG3BJ10c

hhJrJVOnfI/uHz/8sBL+t7RivlyKUUgQSXMeaC9VG3NGKjcW7s9JLvE+Mr7YT6Wk

CcSriaJHjZX0vn2lMzMGyNfC76rxJc3lw+wzzfg1UvhoRwVlOloyeLnpBJPibYOM

E8XjPLMjVs94y/mnApPEnxn/zBECWAzSk015y9oc85pDIkf4p+gZF5yKKyo0CpcU

2DGUX25BV5j8j7Q4Mhb9t8V6Z4hrV6T5z5ivGi+0Ko6IzdWTLENxk1IAtDUYeIJJ

4vwAqFIp5wIn5tQ1saWUqvC2VkIJUZtS2GWYcHOqEIkLK8ie1qMwJCyIbkcgP8Jj

leFtMy4n7Y3kb+Bn/+giVU8t3CA4Wd3+RBBR8xipX4KOGpSVwfvQL4iZs3Ki6xHb

urh7QdkqEFxHARAzv5Hy++ku+XAHQQw/6JxXWXxgNLl1Z0B3K+9AABZJhX22gbOJ

vVxzUwIDAQABo4IBLjCCASowCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBkAw

MwYJYIZIAYb4QgENBCYWJE9wZW5TU0wgR2VuZXJhdGVkIFNlcnZlciBDZXJ0aWZp

Y2F0ZTAdBgNVHQ4EFgQU/H83Qo8QrOF9FY8Wk697g4GbYMEwewYDVR0jBHQwcqFa

pFgwVjELMAkGA1UEBhMCRkkxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UE

CgwTRGVmYXVsdCBDb21wYW55IEx0ZDESMBAGA1UEAwwJbG9jYWxob3N0ghRW6igW

Yy+h+eMfgyMTlhlEi+GpiDAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYB

BQUHAwEwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQCe

FkNGM6ZnRMWHo7ahbYc7d2bjS0as0o11cX3VJS53uXV+8XhIqr4JVVe1nANybQPr

BJEVgswqDwOoV4+y0C2TcQYlqqKUvmX/cgusS0bfSCi9TROWCJQovvQB/VfylRnn

TzhVK0XO2oVP/9NWUZcEfnxtFG96G/dXRTIxmYt9bfFmzWIaB5TcEqnWV+6D1CfE

OL3vYBwmc/cMdIH/B1ajVqfiaPEGcyNyMSVbIQ0PRqYxwu7m3Rc57xRStOukE0zR

GDWQV45Fi62m5OCwmY0+nZG2o328ZioSiqqQuxiVj82gaAXkiYqT3Pv4dUX48Aq3

SLxUE2uWlW3O5Kyy/bFA

-----END CERTIFICATE-----

subject=C = FI, L = Default City, O = MariaDB, CN = localhost

issuer=C = FI, L = Default City, O = Default Company Ltd, CN = localhost

---

No client certificate CA names sent

Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224

Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512

Peer signing digest: SHA256

Peer signature type: RSA-PSS

Server Temp Key: X25519, 253 bits

---

SSL handshake has read 3183 bytes and written 431 bytes

Verification: OK

---

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384

Server public key is 4096 bit

Secure Renegotiation IS NOT supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

Early data was not sent

Verify return code: 0 (ok)

2022-03-07 16:53:13 error : (34) SSL operation failed for Client DCB at '::1': error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher (Client ciphers: TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256:GOST2012-GOST8912-GOST8912:GOST2012-NULL-GOST12) (Our ciphers: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES256-CCM:AES128-GCM-SHA256:AES128-CCM:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-CCM:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:PSK-AES256-CCM:PSK-AES128-GCM-SHA256:PSK-AES128-CCM:PSK-AES256-CBC-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA:DHE-PSK-AES256-GCM-SHA384:DHE-PSK-CHACHA20-POLY1305:DHE-PSK-AES256-CCM:DHE-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-CCM:DHE-PSK-AES256-CBC-SHA:DHE-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA:ECDHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:RSA-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:RSA-PSK-AES256-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA)

[MXS-3665] Provide more feedback on TLS cipher mismatch Created: 2021-07-10 Updated: 2022-04-12 Resolved: 2022-03-08
Status:	Closed
Project:	MariaDB MaxScale
Component/s:	Core
Affects Version/s:	None
Fix Version/s:	2.5.20, 6.2.4, 22.08.0

[MXS-3665] Provide more feedback on TLS cipher mismatch Created: 2021-07-10 Updated: 2022-04-12 Resolved: 2022-03-08