| Bug #71314 | No documentation about support SSL ciphers and protocols | | |
|---|---|---|---|
| Submitted: | 7 Jan 2014 22:02 | Modified: | 5 Apr 2015 9:40 |
| Reporter: | Daniël van Eeden (OCA) | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server: Connection Handling | Severity: | S3 (Non-critical) |
| Version: | 5.6.14 | OS: | Any |
| Assigned to: | Paul DuBois | CPU Architecture: | Any |
[28 Jan 2014 18:42]
Sveta Smirnova
Thank you for the report. Verified almost as described: for me the following ciphers among the "unsupported" ones work:

```
Testing EXP-DES-CBC-SHA: OK
Testing EXP-RC2-CBC-MD5: OK
Testing EXP-RC4-MD5: OK
```
[3 Apr 2015 14:53]
Paul DuBois
Protocol is TLSv1. SSL 2.0 and SSL 3.0 were disabled in 5.5.42, 5.6.23 as too weak.
[3 Apr 2015 20:07]
Paul DuBois
Cipher and protocol info now listed here: http://dev.mysql.com/doc/refman/5.7/en/ssl-options.html#option_general_ssl-cipher
[5 Apr 2015 9:40]
Daniël van Eeden
Thanks for fixing this bug. MySQL indeed only supports TLS 1.0 as protocol. So my statement in the initial description was wrong as that lists SSL3 as supported (SSL3 and TLS1.0 are *almost* the same). Support for TLS 1.1 and 1.2 is requested in Bug #75239.

> Protocol is TLSv1. SSL 2.0 and SSL 3.0 were disabled in 5.5.42, 5.6.23 as too weak.

In those versions extra measures were taken to disable SSL2 and SSL3, but that doesn't mean those were available/enabled in earlier versions.
[30 Apr 2015 17:46]
Paul DuBois
Protocol info is moving here: http://dev.mysql.com/doc/refman/5.7/en/ssl-connections.html
[5 Dec 2015 22:52]
Paul DuBois
Protocol/cipher information is now located here: http://dev.mysql.com/doc/refman/5.7/en/secure-connection-protocols-ciphers.html In particular, as of MySQL 5.7.10, there is support for TLSv1.1 and TLSv1.2.

Description:
There is no information about SSL/TLS protocol support. It looks like it is like this:

SSLv3: Supported
TLSv1.1: Not supported
TLSv1.2: Not supported

And for the key exchange this is supported:
- RSA
- DH
- DH(512)

And for authentication:
- RSA

How to repeat:
Ciphers which do work:

```bash
# Loop over every DEFAULT cipher whose key exchange is RSA/DH/DH(512) and
# whose authentication is RSA, and try to open a TLS session with each one.
for cipher in $(openssl ciphers -v 'DEFAULT' | awk '/SSLv3 Kx=(RSA|DH|DH\(512\)) *Au=RSA/ { print $1 }'); do
  echo -en "Testing ${cipher}: "
  ./mysql -u x509test -px509test -h 127.0.0.1 --ssl-ca=ssl/CAcert.pem --ssl-cert=ssl/client-cert.pem --ssl-key=ssl/client-key.pem --ssl-cipher=${cipher} -e QUIT 2> /dev/null
  if [ $? -eq 0 ]; then echo "OK"; else echo "FAILED"; fi
done
```

```
Testing DHE-RSA-AES256-SHA: OK
Testing DHE-RSA-CAMELLIA256-SHA: OK
Testing AES256-SHA: OK
Testing CAMELLIA256-SHA: OK
Testing EDH-RSA-DES-CBC3-SHA: OK
Testing DES-CBC3-SHA: OK
Testing DHE-RSA-AES128-SHA: OK
Testing DHE-RSA-SEED-SHA: OK
Testing DHE-RSA-CAMELLIA128-SHA: OK
Testing AES128-SHA: OK
Testing SEED-SHA: OK
Testing CAMELLIA128-SHA: OK
Testing RC4-SHA: OK
Testing RC4-MD5: OK
Testing EDH-RSA-DES-CBC-SHA: OK
Testing DES-CBC-SHA: OK
Testing EXP-EDH-RSA-DES-CBC-SHA: OK
```

Ciphers which do not work:

```bash
# Same loop over the complementary set: everything in DEFAULT that does not
# match the RSA/DH key-exchange + RSA-authentication pattern above.
for cipher in $(openssl ciphers -v 'DEFAULT' | egrep -v 'SSLv3 Kx=(RSA|DH|DH\(512\)) *Au=RSA' | awk '{ print $1 }'); do
  echo -en "Testing ${cipher}: "
  ./mysql -u x509test -px509test -h 127.0.0.1 --ssl-ca=ssl/CAcert.pem --ssl-cert=ssl/client-cert.pem --ssl-key=ssl/client-key.pem --ssl-cipher=${cipher} -e QUIT 2> /dev/null
  if [ $? -eq 0 ]; then echo "OK"; else echo "FAILED"; fi
done
```

*some very long list*

Suggested fix:
Update documentation with the list which is supported by default.
http://dev.mysql.com/doc/refman/5.6/en/ssl-options.html#option_general_ssl-cipher

This is probably different if OpenSSL is used instead of YaSSL.

This is the message I get on the client when the cipher or protocol is not supported:

```
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
```
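An added example, not part of the bug report or of MySQL itself: it applies the report's awk criterion to `openssl ciphers -v` output offline and flags the suites that negotiate but are weak (export-grade, RC4, single DES, MD5), which an "OK" in the reporter's loop does not reveal. The sample input is constructed in the `openssl ciphers -v` format, and the "usable" rule is only the reporter's observation for that 5.6.14 build, not a MySQL specification.

```python
# Constructed sample in the format printed by `openssl ciphers -v`:
# name, protocol, Kx=, Au=, Enc=, Mac=, optional trailing "export".
SAMPLE_CIPHERS = """\
DHE-RSA-AES256-SHA          SSLv3   Kx=DH       Au=RSA  Enc=AES(256)    Mac=SHA1
AES128-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(128)    Mac=SHA1
RC4-MD5                     SSLv3   Kx=RSA      Au=RSA  Enc=RC4(128)    Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA     SSLv3   Kx=DH(512)  Au=RSA  Enc=DES(40)     Mac=SHA1 export
DHE-DSS-AES128-SHA          SSLv3   Kx=DH       Au=DSS  Enc=AES(128)    Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
"""
# The report's awk filter as data: on that 5.6 build only SSLv3-era suites with
# RSA or DH key exchange and RSA authentication negotiated (reporter's observation).
SUPPORTED_KX = {"RSA", "DH", "DH(512)"}
SUPPORTED_AU = {"RSA"}

def parse_ciphers(text):
    """Parse `openssl ciphers -v` output; blank or malformed lines are skipped."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        suite = {"name": parts[0], "proto": parts[1], "export": parts[-1] == "export"}
        for token in parts[2:]:
            if "=" in token:
                key, value = token.split("=", 1)
                suite[key.lower()] = value  # kx, au, enc, mac
        suites.append(suite)
    return suites

def mysql56_usable(suite):
    """Same test as the report's awk pattern: SSLv3, Kx in {RSA,DH,DH(512)}, Au=RSA."""
    return suite["proto"] == "SSLv3" and suite["kx"] in SUPPORTED_KX and suite["au"] in SUPPORTED_AU

def weaknesses(suite):
    """Reasons a suite that does negotiate should still be kept out of --ssl-cipher."""
    checks = {
        "export-grade": suite["export"] or suite["name"].startswith("EXP-"),
        "RC4": suite["enc"].startswith("RC4"),
        "single-DES": suite["enc"].startswith("DES("),  # 3DES prints as 3DES(168)
        "MD5": suite["mac"] == "MD5",
    }
    return [flag for flag, hit in checks.items() if hit]

def audit(text):
    """Map suite name -> (negotiates with the 5.6 build from the report, weakness flags)."""
    return {s["name"]: (mysql56_usable(s), weaknesses(s)) for s in parse_ciphers(text)}

def recommended_ssl_cipher(text):
    # Colon-separated value for --ssl-cipher: negotiable suites with no weakness flags.
    return ":".join(n for n, (ok, flags) in audit(text).items() if ok and not flags)
```

Pipe real `openssl ciphers -v 'DEFAULT'` output into `audit()` to see which of the suites that printed "OK" in the loop above are ones you would not want a client or server to accept.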