Bug #81496 Add runtime configuration option to allow use of cipher suites below 2048 bits
Submitted: 19 May 2016 6:13
Reporter: L L
Status: Open
Category: MySQL Server: Security: Encryption
Severity: S4 (Feature request)
Version: 5.6.26
OS: Any
Assigned to:
CPU Architecture: Any

[19 May 2016 6:13] L L
Description:
Issue is described in the following blog post:

http://mysqlblog.fivefarmers.com/2015/08/11/ssltls-connections-to-recent-mysql-servers-in-...

To summarize, newer versions of MySQL require use of ciphers of at least 2048 bits.  Unfortunately, only later versions of Java 8 support ciphers with 2048 bits.

My organization has not made the move up to recent versions of Java 8, nor will it do so in the near future.  The blog author has suggested that the requirement of the use of 2048-bit ciphers should be made into a runtime configuration option - and I am proposing that now for clients who are required (or are resigned) to use older versions of Java, e.g. at least Java 6, 7, and earlier versions of 8.

How to repeat:
Replication steps are described in the blog post:

http://mysqlblog.fivefarmers.com/2015/08/11/ssltls-connections-to-recent-mysql-servers-in-...

Suggested fix:
Create a runtime configuration flag that will allow one to override the default requiring a 2048-bit cipher, e.g. in the my.cnf (I'm sure you can define the text for the key a lot better):

ssl-cipher-allow-simpler-cipher-suite=true