MySQL - SSL - with TLS1.2 cipher AES256-SHA256 / DHE-RSA-AES256-SHA256

2015-03-17 Thread Bhushan Rane
I have compiled MySQL with openssl, I am able to connect to MySQL over 
SSL with TLS1.0 ciphers. But when I tried to connect with TLS1.2 ciphers 
connection fails with error.

===
MySQL server version :- 5.6.23-log Source distribution
Custom OpenSSL version :- OpenSSL 1.0.1j 15 Oct 2014
Java version :- 1.8.0_40
===
Error thrown with TLS1.2 cipher connect :-
 mysql -umysql --ssl-cipher=DHE-RSA-AES256-SHA256 -T -v
ERROR 2026 (HY000): SSL connection error: 
error:0001:lib(0):func(0):reason(1)


User time 0.00, System time 0.00
Maximum resident set size 2664, Integral resident set size 0
Non-physical pagefaults 777, Physical pagefaults 0, Swaps 0
Blocks in 0 out 0, Messages in 0 out 0, Signals 0
Voluntary context switches 2, Involuntary context switches 5
===
Snippet of my.cnf :-
[client]
default-character-set=utf8
ssl=ON
ssl-ca=/home/mysql-cert/ca.pem
ssl-cert=/home/mysql-cert/client-cert.pem
ssl-key=/home/mysql-cert/client-key.pem

[mysql]
default-character-set=utf8

[mysqld]
general_log=1

# ssl-cipher is a single-valued option: when it is repeated, only the last
# line is kept, which is why SHOW VARIABLES below reports ssl_cipher = AES256-SHA.
# Several suites are given as one colon-separated OpenSSL cipher list, e.g.
#   ssl-cipher=DHE-RSA-AES256-SHA256:AES256-SHA256:AES256-SHA
ssl-cipher=DHE-RSA-AES256-SHA256
ssl-cipher=AES256-SHA256
ssl-cipher=AES256-SHA
ssl-ca=/home/mysql-cert/ca.pem
ssl-cert=/home/mysql-cert/server-cert.pem
ssl-key=/home/mysql-cert/server-key.pem
===
MySQL prompt snippet with TLS1.0 cipher connected :-

mysql> \s
--------------
mysql  Ver 14.14 Distrib 5.6.23, for Linux (x86_64) using EditLine wrapper

Connection id:          6
Current database:
Current user:           root@localhost
SSL:                    Cipher in use is AES256-SHA
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         5.6.23-log Source distribution
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    utf8
Conn.  characterset:    utf8
UNIX socket:            /tmp/mysql.sock
Uptime:                 1 hour 32 min 40 sec

Threads: 1  Questions: 11  Slow queries: 0  Opens: 67  Flush tables: 1  Open tables: 60  Queries per second avg: 0.001
--------------

mysql> SHOW STATUS LIKE 'ssl%';
+--------------------------------+--------------------------+
| Variable_name                  | Value                    |
+--------------------------------+--------------------------+
| Ssl_accept_renegotiates        | 0                        |
| Ssl_accepts                    | 6                        |
| Ssl_callback_cache_hits        | 0                        |
| Ssl_cipher                     | AES256-SHA               |
| Ssl_cipher_list                | AES256-SHA               |
| Ssl_client_connects            | 0                        |
| Ssl_connect_renegotiates       | 0                        |
| Ssl_ctx_verify_depth           | 18446744073709551615     |
| Ssl_ctx_verify_mode            | 5                        |
| Ssl_default_timeout            | 7200                     |
| Ssl_finished_accepts           | 3                        |
| Ssl_finished_connects          | 0                        |
| Ssl_server_not_after           | Jan 23 10:29:20 2025 GMT |
| Ssl_server_not_before          | Mar 17 10:29:20 2015 GMT |
| Ssl_session_cache_hits         | 0                        |
| Ssl_session_cache_misses       | 0                        |
| Ssl_session_cache_mode         | SERVER                   |
| Ssl_session_cache_overflows    | 0                        |
| Ssl_session_cache_size         | 128                      |
| Ssl_session_cache_timeouts     | 0                        |
| Ssl_sessions_reused            | 0                        |
| Ssl_used_session_cache_entries | 0                        |
| Ssl_verify_depth               | 18446744073709551615     |
| Ssl_verify_mode                | 5                        |
| Ssl_version                    | TLSv1                    |
+--------------------------------+--------------------------+
25 rows in set (0.00 sec)

mysql> SHOW VARIABLES LIKE '%ssl%';
+---------------+----------------------------------+
| Variable_name | Value                            |
+---------------+----------------------------------+
| have_openssl  | YES                              |
| have_ssl      | YES                              |
| ssl_ca        | /home/mysql-cert/ca.pem          |
| ssl_capath    |                                  |
| ssl_cert      | /home/mysql-cert/server-cert.pem |
| ssl_cipher    | AES256-SHA                       |
| ssl_crl       |                                  |
| ssl_crlpath   |                                  |
| ssl_key       | /home/mysql-cert/server-key.pem  |
+---------------+----------------------------------+
9 rows in set (0.00 sec)

mysql>
===
MySQL compiled as :-
cmake . -DCMAKE_PREFIX_PATH=/opt/scr-openssl/ssl/ \
  -DWITH_SSL=/opt/scr-openssl/ssl/ \
  -DWITH_OPENSSL=/opt/scr-openssl/ssl/bin/ \
  -DWITH_OPENSSL_INCLUDES=/opt/scr-openssl/ssl/include/ \
  -DWITH_OPENSSL_LIBS=/opt/scr-openssl/ssl/lib/ \
  -DENABLE_DOWNLOADS

Re: MySQL - SSL - with TLS1.2 cipher AES256-SHA256 / DHE-RSA-AES256-SHA256

2015-03-17 Thread Reindl Harald


On 17.03.2015 at 13:21, Bhushan Rane wrote:

I have compiled MySQL with openssl, I am able to connect to MySQL over
SSL with TLS1.0 ciphers. But when I tried to connect with TLS1.2 ciphers
connection fails with error


MySQL / MariaDB don't support anything better than DHE-RSA-AES128-SHA 
(AES256 is supported but not more secure than AES128)


* no ECDHE
* no AES-GCM
* no SHA256

no idea how they manage that because openssl has support
___

ssl-cipher=DHE-RSA-AES256-SHA256
ssl-cipher=AES256-SHA256

are not supported and don't make much sense anyway
___

currently the best cipher suite would be the following, because AES-GCM is 
hardware optimized on recent machines (Intel AES) and GCM is *always* 
better than a stupid CBC cipher


ECDHE-RSA-AES128-GCM-SHA256






Re: MySQL - SSL - with TLS1.2 cipher AES256-SHA256 / DHE-RSA-AES256-SHA256

2015-03-17 Thread Reindl Harald


On 17.03.2015 at 14:25, Bhushan Rane wrote:

Thanks for instant reply.

As suggested I tried with ECDHE-RSA-AES128-GCM-SHA256 and
ECDHE-RSA-AES128-SHA but no luck.
Created new certs for EC - configured my.cnf with new certs


you *did not* really read my reply

 MySQL / MariaDB don't support anything better than DHE-RSA-AES128-SHA
 (AES256 is supported but not more secure than AES128)

 * no ECDHE
 * no AES-GCM
 * no SHA256



Below are commands used for cert creation :-

# All three keys are secp384r1 EC keys, so every certificate below carries an
# ECDSA key, not an RSA key.
/opt/scr-openssl/ssl/bin/openssl ecparam -out ecc_ecdsa_root.key -name secp384r1 -genkey
echo -e "US\nObt\nIntelSelfSA\nSSG\nTesters\nCAServer\n\n\n" | \
  /opt/scr-openssl/ssl/bin/openssl req -new -x509 -days 365 \
    -key ecc_ecdsa_root.key -out ecc_ecdsa_root.pem

/opt/scr-openssl/ssl/bin/openssl ecparam -out ecc_ecdsa_ca.key -name secp384r1 -genkey
echo -e "US\nObt\nIntelSelfSA\nSSG\nTesters\nMySQLServer\n\n\n" | \
  /opt/scr-openssl/ssl/bin/openssl req -new -key ecc_ecdsa_ca.key -out ecc_ecdsa_ca.csr
/opt/scr-openssl/ssl/bin/openssl x509 -req -extensions v3_ca -extfile x509_1.ext -days 365 \
  -in ecc_ecdsa_ca.csr -CA ecc_ecdsa_root.pem -CAkey ecc_ecdsa_root.key \
  -out ecc_ecdsa_ca.pem -CAcreateserial

/opt/scr-openssl/ssl/bin/openssl ecparam -out ecc_ecdsa_client.key -name secp384r1 -genkey
echo -e "US\nObt\nIntelSelfSA\nSSG\nTesters\nMySQLClient\n\n\n" | \
  /opt/scr-openssl/ssl/bin/openssl req -new -key ecc_ecdsa_client.key -out ecc_ecdsa_client.csr
/opt/scr-openssl/ssl/bin/openssl x509 -req -extensions v3_ca -extfile x509_2.ext -days 365 \
  -in ecc_ecdsa_client.csr -CA ecc_ecdsa_ca.pem -CAkey ecc_ecdsa_ca.key \
  -out ecc_ecdsa_client.pem -CAcreateserial


mysql -uroot -p --ssl-cipher=ECDHE-RSA-AES128-GCM-SHA256 -T -v

Enter password:
ERROR 2026 (HY000): SSL connection error:
error:0001:lib(0):func(0):reason(1)

User time 0.00, System time 0.00
Maximum resident set size 2728, Integral resident set size 0
Non-physical pagefaults 793, Physical pagefaults 0, Swaps 0
Blocks in 0 out 0, Messages in 0 out 0, Signals 0
Voluntary context switches 3, Involuntary context switches 3

mysql -uroot -p --ssl-cipher=ECDHE-RSA-AES128-SHA -T -v

Enter password:
ERROR 2026 (HY000): SSL connection error:
error:0001:lib(0):func(0):reason(1)

User time 0.00, System time 0.00
Maximum resident set size 2748, Integral resident set size 0
Non-physical pagefaults 798, Physical pagefaults 0, Swaps 0
Blocks in 0 out 0, Messages in 0 out 0, Signals 0
Voluntary context switches 4, Involuntary context switches 5


Also, I checked openssl: the openssl in use supports the EC ciphers listed above.
