[ODBC-230] SSLCIPHER doesn't seem to work on Windows
Created: 2019-03-11  Updated: 2019-09-18  Resolved: 2019-09-18

Status: Closed
Project: MariaDB Connector/ODBC
Component/s: General
Affects Version/s: 3.0.8
Fix Version/s: 3.1.3

Type: Bug
Priority: Major
Reporter: Geoff Montee (Inactive)
Assignee: Lawrin Novitsky
Resolution: Fixed
Votes: 1
Labels: None

Issue Links:
Problem/Incident
is caused by CONC-393 TLSv1.2 ciphers are rejected on Windo... Closed
Relates
relates to CONC-398 IANA cipher names are not accepted wi... Open

 Description   

I am not sure if this is a MariaDB Connector/ODBC bug, or if this is a MariaDB Connector/C bug.

I am trying to set SSLCIPHER on Windows, but almost any value that I use results in the following error:

SSL connection error: no cipher match

For example, if I use a Linux client, and if I specify --ssl-cipher='AES256-GCM-SHA384', then the proper cipher is used:

$ mysql -u maxscale -ppassword --ssl-cipher='AES256-GCM-SHA384' -h 172.30.0.249
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 37
Server version: 10.1.38-MariaDB MariaDB Server
 
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
MariaDB [(none)]> SHOW SESSION STATUS LIKE 'Ssl_cipher';
+---------------+-------------------+
| Variable_name | Value             |
+---------------+-------------------+
| Ssl_cipher    | AES256-GCM-SHA384 |
+---------------+-------------------+
1 row in set (0.00 sec)

MariaDB Connector/C seems to support OpenSSL's cipher names even when it is linked against Schannel, since it maintains a cipher map here:

https://github.com/MariaDB/mariadb-connector-c/blob/db1a1a1d31cffd350f12e1ca5b0fd25f6a5ef0aa/libmariadb/secure/schannel.c#L33

And it checks the map here:

https://github.com/MariaDB/mariadb-connector-c/blob/db1a1a1d31cffd350f12e1ca5b0fd25f6a5ef0aa/libmariadb/secure/schannel.c#L272

And I see that AES256-GCM-SHA384 is listed in the cipher map:

https://github.com/MariaDB/mariadb-connector-c/blob/db1a1a1d31cffd350f12e1ca5b0fd25f6a5ef0aa/libmariadb/secure/schannel.c#L139

However, if I set SSLCIPHER to AES256-GCM-SHA384, then I get the "no cipher match" error.

I see that the Schannel name for this cipher is TLS_RSA_WITH_AES_256_GCM_SHA384:

https://docs.microsoft.com/en-us/windows/desktop/secauthn/tls-cipher-suites-in-windows-10-v1809

If I set SSLCIPHER to TLS_RSA_WITH_AES_256_GCM_SHA384, then I also get the "no cipher match" error.

The only values that seem to work in SSLCIPHER so far are the special protocol values, like "TLSv1.0", "TLSv1.2", etc.



 Comments   
Comment by Georg Richter [ 2019-03-19 ]

Geoff, can you please provide the Windows version?

Comment by Geoff Montee (Inactive) [ 2019-03-19 ]

Hi Georg,

It's Windows 10 Home. If you need the exact version, it looks like it's version 1803 OS build 17134.648.

Comment by Geoff Montee (Inactive) [ 2019-03-24 ]

With ODBC-229 implemented, I was able to get the AES256-GCM-SHA384 cipher to work with the following my.cnf:

[client-mariadb]
ssl-cipher=AES256-GCM-SHA384
tls_version="TLSv1.1,TLSv1.2"

Comment by Geoff Montee (Inactive) [ 2019-03-24 ]

With ODBC-228 implemented, I was also able to get the AES256-GCM-SHA384 cipher to work by reconfiguring the data source with the ODBC Data Source Administrator and on the "SSL Settings" dialog, checking the "TLSv1.1" and "TLSv1.2" checkboxes and setting SSLCIPHER to "AES256-GCM-SHA384".

Comment by Geoff Montee (Inactive) [ 2019-06-04 ]

The dependent MariaDB Connector/C bug will be fixed in MariaDB Connector/C 3.1.1.

Comment by Lawrin Novitsky [ 2019-09-17 ]

I seemingly cannot repeat this issue anymore with the latest repo version linked against C/C 3.1.4. I didn't check what cipher is eventually used, but I could connect with AES256-GCM-SHA384.

Comment by Geoff Montee (Inactive) [ 2019-09-18 ]

I believe that this was fixed starting with whichever version of Connector/ODBC was linked with MariaDB Connector/C 3.1.1 or later. I guess that would have been Connector/ODBC 3.1.2?
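
Added example, not part of the original issue or of the connector's code: a check that a session really negotiated the cipher requested through SSLCIPHER, using the same Ssl_cipher status variable queried in the description, so a successful connect is not mistaken for the intended cipher. Assumptions: the cursor is any DB-API cursor (for instance one obtained through pyodbc), and session_tls_status, check_session_tls and FakeCursor are hypothetical names with constructed sample rows.

```python
# Added example: confirm the TLS parameters a session actually negotiated.
# Any DB-API cursor works (e.g. one from pyodbc on a DSN that sets SSLCIPHER).
# session_tls_status, check_session_tls and FakeCursor are hypothetical names.

def session_tls_status(cursor):
    """Return the session's Ssl_cipher and Ssl_version as a dict of strings."""
    cursor.execute(
        "SHOW SESSION STATUS WHERE Variable_name IN ('Ssl_cipher', 'Ssl_version')"
    )
    return {str(name): (value or "") for name, value in cursor.fetchall()}


def check_session_tls(cursor, expected_cipher, allowed_versions=("TLSv1.2",)):
    """Return a list of problems; an empty list means the session matches."""
    status = session_tls_status(cursor)
    cipher = status.get("Ssl_cipher", "")
    version = status.get("Ssl_version", "")
    if not cipher:
        # An empty Ssl_cipher means the session is not encrypted at all.
        return ["session is not using TLS"]
    problems = []
    if cipher != expected_cipher:
        problems.append(f"negotiated {cipher}, expected {expected_cipher}")
    if version not in allowed_versions:
        problems.append(
            f"negotiated {version or 'unknown version'}, "
            f"allowed {', '.join(allowed_versions)}"
        )
    return problems


class FakeCursor:
    """Constructed stand-in for a real cursor so the example runs offline."""

    def __init__(self, rows):
        self._rows = rows

    def execute(self, sql):
        self.last_sql = sql

    def fetchall(self):
        return list(self._rows)


if __name__ == "__main__":
    rows = [("Ssl_cipher", "AES256-GCM-SHA384"), ("Ssl_version", "TLSv1.2")]
    print(check_session_tls(FakeCursor(rows), "AES256-GCM-SHA384"))
```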
