Bug #55144 mysqld ignores specified ssl ciphers preventing the elimination of weak ciphers
Submitted: 10 Jul 2010 0:21
Modified: 10 Jul 2010 5:42
Reporter: Chris Tilley
Status: Duplicate
Category: MySQL Server
Severity: S2 (Serious)
Version: 5.1.48
OS: Linux
Assigned to:
CPU Architecture: Any
Tags: ssl_cipher ignored

[10 Jul 2010 0:21] Chris Tilley
Supposedly you can limit which ciphers are permittable for ssl connections to the server by setting them in the my.cnf or as command line options for mysqld using the ssl_cipher parameter.
 ssl_cipher = DHE-RSA-AES256-SHA

However, after setting this parameter, the mysql client is still able to negotiate an ssl connection using a weaker cipher such as RC4-MD5.

This issue is preventing us from blocking non-FIPS compliant ciphers.

How to repeat:
Set the ssl_cipher parameter in my.cnf or as a command line option for mysqld:
  ssl_cipher = DHE-RSA-AES256-SHA

Then use the mysql client to connect to the server using the --ssl-cipher parameter specifying a different cipher than what you configured for the server.
  mysql -h <dbhost> -D <dbname> -u <user> --ssl-cipher=RC4-MD5 -p

Use the \s option at the mysql> prompt to show the negotiated cipher.
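
Added example (not part of the original report and not MySQL code): a check that automates the last step above by comparing the cipher shown in the \s output with the ssl_cipher value from my.cnf. The sample inputs are constructed, the function names are hypothetical, and it assumes ssl_cipher holds explicit cipher names separated by colons rather than OpenSSL selector strings.

```python
import configparser
import re

# Constructed sample inputs (not from the report): a my.cnf fragment and the
# "SSL:" line the mysql client prints in its \s (status) output.
SAMPLE_MY_CNF = """\
[mysqld]
ssl_cipher = DHE-RSA-AES256-SHA
"""
SAMPLE_STATUS_WEAK = "Connection id:\t\t42\nSSL:\t\t\tCipher in use is RC4-MD5\n"
SAMPLE_STATUS_OK = "Connection id:\t\t43\nSSL:\t\t\tCipher in use is DHE-RSA-AES256-SHA\n"
SAMPLE_STATUS_PLAIN = "Connection id:\t\t44\nSSL:\t\t\tNot in use\n"


def configured_ciphers(my_cnf_text):
    """Return the cipher names set for [mysqld] ssl_cipher (or ssl-cipher)."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.read_string(my_cnf_text)
    if not cp.has_section("mysqld"):
        return set()
    for key in ("ssl_cipher", "ssl-cipher"):
        value = cp.get("mysqld", key, fallback=None)
        if value:
            # Assumption: explicit names only, separated by ':'.
            return {c.strip() for c in value.split(":") if c.strip()}
    return set()


def negotiated_cipher(status_text):
    """Extract the cipher from the status output; None if SSL is not in use."""
    m = re.search(r"^SSL:[ \t]*Cipher in use is (\S+)", status_text, re.MULTILINE)
    return m.group(1) if m else None


def check_session(my_cnf_text, status_text):
    """Report whether the negotiated cipher is one the server was told to allow."""
    allowed = configured_ciphers(my_cnf_text)
    cipher = negotiated_cipher(status_text)
    if cipher is None:
        return "FAIL: session is not using SSL"
    if cipher not in allowed:
        return f"FAIL: negotiated {cipher}, not in configured ssl_cipher {sorted(allowed)}"
    return f"OK: negotiated {cipher}"
```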

[10 Jul 2010 5:42] Shane Bester
Duplicate of bug #52596.