Bug #76680 No ability to view complete allowed cipher list
Submitted: 13 Apr 2015 19:44
Reporter: Todd Farmer (OCA)
Status: Verified
Category: MySQL Server: Security: Encryption
Severity: S3 (Non-critical)
Version: 5.7.7
OS: Any
Assigned to: (none)
CPU Architecture: Any

[13 Apr 2015 19:44] Todd Farmer
Description:
The Ssl_cipher_list status variable lists supported SSL ciphers.  However, the list is truncated (at 1023 characters):

mysql> show status like 'ssl_cipher_list'\G
*************************** 1. row ***************************
Variable_name: Ssl_cipher_list
        Value: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-R
SA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES2
56-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DHE-D
SS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES
256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS
-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RS
A-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-S
HA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA
:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA2
56:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS
-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-
SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE
-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-C
1 row in set (0.00 sec)

There is no "DHE-RSA-C" cipher; it is presumably the start of "DHE-RSA-CAMELLIA[128|256]-SHA".

This is problematic because a truncated list may obscure vulnerable ciphers which are enabled.  This output is consistent whether pulled from GLOBAL or SESSION variables, P_S or SHOW commands, with show_compatibility_56 ON or OFF.

How to repeat:
* Compile MySQL Server with OpenSSL
* Connect with SSL (required to get Ssl_cipher_list)
* SHOW STATUS LIKE 'Ssl_cipher_list';
* Observe truncated list.

Suggested fix:
Do not truncate list, or provide alternate means to expose full list (and deprecate status variable, which is frankly a crazy way to do this).
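Until the server exposes the full list, the practical question for an administrator is whether the value they are looking at is complete, and what the visible part does and does not say about the enabled suites. The script below is an added example for this page (it is not code from the bug report or from the MySQL project). It treats the 1023-character cut-off described above as the server-side limit and assumes that every complete OpenSSL suite name ends in a hash or AEAD tag (MD5, SHA, SHA256, SHA384, POLY1305); both are assumptions. The sample value is the truncated list from the report's SHOW STATUS output with the terminal line wraps removed.

```python
"""Audit a MySQL Ssl_cipher_list status value for truncation and weak suites.

Added example, not part of the bug report or of MySQL itself. Assumptions:
the 1023-character limit reported for MySQL 5.7.7, and that every complete
OpenSSL cipher name ends in a hash or AEAD tag.
"""
import re

# Length at which the status value was observed to be cut off (from the report).
STATUS_VALUE_LIMIT = 1023

# Complete OpenSSL suite names end in the MAC/PRF hash or an AEAD tag.
# Assumption: a trailing token that does not match is a cut-off fragment.
COMPLETE_NAME = re.compile(r"-(MD5|SHA|SHA256|SHA384|POLY1305)$")

# The truncated value from the report, with the terminal's line wraps removed
# (the value itself contains no newlines).
SAMPLE_VALUE = "".join([
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-R",
    "SA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES2",
    "56-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DHE-D",
    "SS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES",
    "256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS",
    "-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RS",
    "A-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-S",
    "HA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA",
    ":ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA2",
    "56:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS",
    "-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-",
    "SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE",
    "-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-C",
])


def parse_cipher_list(value):
    """Split a colon-separated list into complete names and a trailing fragment.

    Returns (ciphers, fragment); fragment is None when the last token looks complete.
    """
    if not value:
        return [], None
    tokens = value.split(":")
    fragment = None
    if not COMPLETE_NAME.search(tokens[-1]):
        fragment = tokens.pop()
    return tokens, fragment


def is_truncated(value):
    """True if the value reached the server-side limit or ends in a partial name.

    A value that is exactly at the limit is treated as truncated even when its
    last token is complete, because a whole suite may have been dropped after it.
    """
    _, fragment = parse_cipher_list(value)
    return len(value) >= STATUS_VALUE_LIMIT or fragment is not None


def audit(value):
    """Summarise what the visible part of the list tells a reviewer."""
    ciphers, fragment = parse_cipher_list(value)
    return {
        "truncated": is_truncated(value),
        "fragment": fragment,
        "complete_ciphers": len(ciphers),
        # Suites with no ephemeral (EC)DH exchange: RSA, static ECDH, PSK, SRP.
        "no_ephemeral_dh": [c for c in ciphers if not c.startswith(("ECDHE-", "DHE-"))],
        # CBC suites whose MAC is HMAC-SHA1 (OpenSSL names ending in plain "-SHA").
        "sha1_mac": [c for c in ciphers if c.endswith("-SHA")],
        # AEAD suites; only GCM appears in the report's list.
        "aead": [c for c in ciphers if "-GCM-" in c],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_VALUE)
    print("truncated:", report["truncated"], "fragment:", report["fragment"])
    print("complete names visible:", report["complete_ciphers"])
    print("without ephemeral DH:", len(report["no_ephemeral_dh"]))
    print("HMAC-SHA1 CBC suites:", len(report["sha1_mac"]))
    if report["truncated"]:
        print("list is incomplete; suites after the cut-off are not visible here")
```

The point of the `truncated` flag is that a clean-looking list is not evidence of a clean configuration: when the value is at the limit, anything sorted after the cut-off (the CAMELLIA, SEED and any weaker 3DES or RC4 suites that OpenSSL orders late) is simply not shown, so the audit of the visible names is a lower bound on what is enabled. The suffix test is a heuristic; OpenSSL 1.1 names such as ECDHE-RSA-CHACHA20-POLY1305 are covered by the POLY1305 alternative, but the length check is the reliable signal.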