Description:
Our hosting service has probably updated its OpenSSL version, which requires a stronger Diffie-Hellman key (due to the Logjam vulnerability), but didn't update the keys themselves.
Hence, my connection to the database server has failed.
To work around this issue, I tried to define a non-DH cipher using option files.
After testing and looking into the source code, it seems that this option is not being read, so I still could not connect.
How to repeat:
Set DHE-RSA-AES256-SHA as the default cipher for SSL connections on the server.
Produce keys with a size of less than 768 bits.
Install the latest OpenSSL version.
Try to connect using MySQL Connector/Python with SSL, specifying a non-DH cipher in the option file.
You should get the following traceback, given the configuration below.
database.cnf:
[client]
ssl-cipher = AES256-SHA
connection_config = {
    'client_flags': [ClientFlag.SSL],
    'host': '<host>',
    'port': '<port>',
    'user': '<user>',
    'password': '<password>',
    'database': '<database>',
    'ssl_ca': '/.../ca_certificate.pem',
    'ssl_cert': '/.../client_certificate.pem',
    'ssl_key': '/.../key_certificate.pem',
    'option_files': '/.../database.cnf'
}
Traceback (most recent call last):
  ...
  File "/.../backend/database.py", line 91, in _connect
    connection = mysql.connector.connect(**connection_config)
  File "/.../lib/python2.7/site-packages/mysql/connector/__init__.py", line 136, in connect
    return connect(**new_config)
  File "/.../lib/python2.7/site-packages/mysql/connector/__init__.py", line 159, in connect
    return MySQLConnection(*args, **kwargs)
  File "/.../lib/python2.7/site-packages/mysql/connector/connection.py", line 129, in __init__
    self.connect(**kwargs)
  File "/.../lib/python2.7/site-packages/mysql/connector/connection.py", line 454, in connect
    self._open_connection()
  File "/.../lib/python2.7/site-packages/mysql/connector/connection.py", line 421, in _open_connection
    self._ssl)
  File "/.../lib/python2.7/site-packages/mysql/connector/connection.py", line 194, in _do_auth
    self._socket.switch_to_ssl(**ssl_options)
  File "/.../lib/python2.7/site-packages/mysql/connector/network.py", line 385, in switch_to_ssl
    errno=2055, values=(self.get_address(), _strioerror(err)))
InterfaceError: 2055: Lost connection to MySQL server at 'hostnamremoved.com:3307', system error: 1 _ssl.c:504: error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
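The following is an added Python 3 example, not the reporter's code and not Connector/Python's own option-file handling. It shows the workaround a practitioner would reach for while the option-file path is not honoured: read the ssl-* keys from the [client] group yourself and hand them to connect() as explicit keyword arguments (the documented ssl_cipher / ssl_ca / ssl_cert / ssl_key connection arguments), and refuse to proceed if the resulting cipher still negotiates finite-field Diffie-Hellman, which is the exchange behind the "dh key too small" failure. The hostname, paths, credentials and the option-file text are constructed placeholders; client_flags is left out only because it needs the mysql.connector import, which this stand-alone example avoids.

```python
"""Hypothetical helper (not Connector/Python code): pull ssl-* settings out of a
MySQL option file and pass them to connect() as explicit keyword arguments, so
the cipher choice does not depend on the connector reading option_files."""
import configparser
import os
import tempfile

# Option-file keys under [client] -> the connect() keyword argument carrying
# the same setting. MySQL treats '-' and '_' in option names interchangeably,
# so keys are normalised to the hyphenated form before lookup.
OPTION_TO_KWARG = {
    "ssl-ca": "ssl_ca",
    "ssl-cert": "ssl_cert",
    "ssl-key": "ssl_key",
    "ssl-cipher": "ssl_cipher",
}

# Hyphen-separated components of an OpenSSL cipher suite name that denote a
# finite-field Diffie-Hellman key exchange (the exchange Logjam targets).
# ECDHE is elliptic-curve and is not subject to the "dh key too small" check.
FFDH_COMPONENTS = {"DH", "DHE", "EDH", "ADH"}


def uses_finite_field_dh(cipher_name):
    """True if the OpenSSL cipher suite name negotiates finite-field DH."""
    parts = cipher_name.strip().upper().split("-")
    return any(part in FFDH_COMPONENTS for part in parts)


def read_client_ssl_options_from_text(text):
    """Return ssl-* options from the [client] group of option-file text,
    keyed by connect() keyword argument name.

    Only plain 'key = value' lines are handled; !include directives and the
    connector's own group-merging rules are deliberately not replicated."""
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    parser.optionxform = str  # keep keys exactly as written
    parser.read_string(text)
    if not parser.has_section("client"):
        return {}
    found = {}
    for key, value in parser.items("client"):
        key = key.strip().lower().replace("_", "-")
        if key in OPTION_TO_KWARG and value is not None:
            found[OPTION_TO_KWARG[key]] = value.strip().strip('"').strip("'")
    return found


def read_client_ssl_options(path):
    """File-based wrapper around read_client_ssl_options_from_text()."""
    with open(path) as fh:
        return read_client_ssl_options_from_text(fh.read())


def build_connection_config(base_config, option_file):
    """Merge ssl-* options from option_file into base_config as explicit kwargs.

    Keys already present in base_config win over the option file. Raises
    ValueError if the effective cipher would still use finite-field DH, so a
    misconfiguration fails loudly instead of surfacing as error 2055 later."""
    config = dict(base_config)
    config.pop("option_files", None)  # the cipher no longer relies on this path
    for kwarg, value in read_client_ssl_options(option_file).items():
        config.setdefault(kwarg, value)
    cipher = config.get("ssl_cipher")
    if cipher and uses_finite_field_dh(cipher):
        raise ValueError("ssl_cipher %r still uses finite-field DH" % cipher)
    return config


# Constructed option file for the demonstration, same shape as the
# database.cnf in the report: a plain RSA key-exchange suite, no DHE.
SAMPLE_OPTION_FILE = """\
[client]
ssl-cipher = AES256-SHA
"""


def demo():
    """Write the sample option file, merge it, and return the final config."""
    with tempfile.NamedTemporaryFile("w", suffix=".cnf", delete=False) as fh:
        fh.write(SAMPLE_OPTION_FILE)
        path = fh.name
    try:
        base = {  # placeholder values, not real endpoints or credentials
            "host": "db.example.invalid",
            "port": 3307,
            "user": "app",
            "password": "secret",
            "database": "app",
            "ssl_ca": "/path/to/ca_certificate.pem",
            "ssl_cert": "/path/to/client_certificate.pem",
            "ssl_key": "/path/to/key_certificate.pem",
            "option_files": path,
        }
        return build_connection_config(base, path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    cfg = demo()
    print("ssl_cipher passed to connect():", cfg["ssl_cipher"])
    # Against a live server this would be followed by:
    #     mysql.connector.connect(**cfg)
```

Because the cipher now travels as an explicit ssl_cipher argument, the connector applies it regardless of whether its own option-file reader picks up ssl-cipher; the finite-field DH check only inspects the cipher name, so it does not replace verifying the server's DH parameters once the hosting provider regenerates them.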
Suggested fix:
Add support for reading ssl-cipher from option files.