Bug #55144 mysqld ignores specified ssl ciphers preventing the elimination of weak ciphers
Submitted: 10 Jul 2010 0:21
Modified: 10 Jul 2010 5:42
Reporter: Chris Tilley
Status: Duplicate
Impact on me: None
Category: MySQL Server
Severity: S2 (Serious)
Version: 5.1.48
OS: Linux
Assigned to:
CPU Architecture: Any
Tags: ssl_cipher ignored

[10 Jul 2010 0:21] Chris Tilley
Description:
Supposedly you can limit which ciphers are permittable for ssl connections to the server by setting them in the my.cnf or as command line options for mysqld using the ssl_cipher parameter.
ex:
  ssl_cipher = DHE-RSA-AES256-SHA

However, after setting this parameter, the mysql client is still able to negotiate an ssl connection using a weaker cipher such as RC4-MD5.

This issue is preventing us from blocking non-FIPS compliant ciphers.

How to repeat:
Set the ssl_cipher parameter in my.cnf or as a command line option for mysqld.
ex:
  ssl_cipher = DHE-RSA-AES256-SHA

Then use the mysql client to connect to the server using the --ssl-cipher parameter, specifying a different cipher than what you configured for the server.
ex:
  mysql -h <dbhost> -D <dbname> -u <user> --ssl-cipher=RC4-MD5 -p

Use the \s option at the mysql> prompt to show the negotiated cipher.
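The reproduction steps above turned into a pass/fail check, added here as an example and not code from the bug report. It assumes the server's configured ssl_cipher value is placed in ALLOWED and reads the cipher from the batch-mode output of `mysql -N -B -e "SHOW SESSION STATUS LIKE 'Ssl_cipher'"` (the scriptable equivalent of the \s status line); the sample status lines in the test are constructed.

```shell
#!/bin/sh
# Verify that a MySQL server actually enforces the ssl_cipher it was started with.
# Expected behaviour: a client asking for a cipher outside the list is either refused
# or still ends up on an allowed cipher. With the bug described above, the weak
# cipher is accepted and the check reports FAIL.

# Assumption: same value as ssl_cipher in my.cnf (colon-separated list allowed).
ALLOWED="DHE-RSA-AES256-SHA"

# cipher_allowed CIPHER -> 0 if CIPHER is one of the ALLOWED entries, 1 otherwise.
cipher_allowed() {
  _want="$1"
  [ -n "$_want" ] || return 1
  for _c in $(printf '%s\n' "$ALLOWED" | tr ':' ' '); do
    [ "$_c" = "$_want" ] && return 0
  done
  return 1
}

# negotiated_cipher STATUS_OUTPUT -> prints the Value column of the Ssl_cipher row.
# Input is the tab-separated output of: mysql -N -B -e "SHOW SESSION STATUS LIKE 'Ssl_cipher'"
# An empty value means the session is not using TLS at all.
negotiated_cipher() {
  printf '%s\n' "$1" | awk -F'\t' '$1 == "Ssl_cipher" { print $2 }'
}

# check_status_output STATUS_OUTPUT -> prints PASS/FAIL, returns 0/1.
check_status_output() {
  _neg=$(negotiated_cipher "$1")
  if [ -z "$_neg" ]; then
    echo "FAIL: no TLS cipher negotiated (plaintext session)"
    return 1
  fi
  if cipher_allowed "$_neg"; then
    echo "PASS: negotiated $_neg"
    return 0
  fi
  echo "FAIL: server accepted $_neg, which is not in ssl_cipher=$ALLOWED"
  return 1
}

# probe_server HOST USER CIPHER -> live check; the password is prompted for by -p.
# A refused handshake is the enforcing behaviour, but any other connection error
# (bad credentials, unreachable host) lands in the same branch, so confirm that a
# plain connection works before trusting a PASS from here.
probe_server() {
  _out=$(mysql -h "$1" -u "$2" -p --ssl-cipher="$3" -N -B \
           -e "SHOW SESSION STATUS LIKE 'Ssl_cipher'") || {
    echo "PASS: server refused the connection with cipher $3"; return 0; }
  check_status_output "$_out"
}
```

Run `probe_server <dbhost> <user> RC4-MD5` against a server started with ssl_cipher = DHE-RSA-AES256-SHA; a PASS means the restriction holds, a FAIL reproduces this report.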
[10 Jul 2010 5:42] MySQL Verification Team
Duplicate of bug #52596.