Bug #82935 Cipher ECDHE-RSA-AES128-GCM-SHA256 listed in man/Ssl_cipher_list, not supported
Submitted: 9 Sep 2016 21:46    Modified: 19 Sep 2016 12:24
Reporter: Sveta Smirnova (OCA)
Status: Verified
Category: MySQL Server: Security: Encryption    Severity: S3 (Non-critical)
Version: 5.7.15    OS: Any
Assigned to:    CPU Architecture: Any

[9 Sep 2016 21:46] Sveta Smirnova
Description:
Cipher ECDHE-RSA-AES128-GCM-SHA256 is listed in the list of supported ciphers at https://dev.mysql.com/doc/refman/5.7/en/secure-connection-protocols-ciphers.html, but in practice it is not supported.

How to repeat:
Download 5.7.15, start it with SSL support. Try to connect using ECDHE-RSA-AES128-GCM-SHA256.

Suggested fix:
Support ECDHE-RSA-AES128-GCM-SHA256.
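A check for the "How to repeat" step above, added here as an example and not part of the bug report or of the contributed patches: it asks a running server to negotiate exactly one cipher per connection and reports whether that cipher was actually used, so a documented cipher that the server cannot negotiate shows up as FAIL. It assumes the mysql client is on PATH with login settings taken from the environment or ~/.my.cnf, a server of 5.7.11 or later (for --ssl-mode), and the script name check_ssl_ciphers.sh is hypothetical.

```shell
#!/bin/sh
# Added example: verify that a MySQL server really negotiates the ciphers the
# manual lists, instead of trusting the documentation.
# Assumptions: mysql client on PATH, login via environment/.my.cnf,
# server >= 5.7.11 so that --ssl-mode is understood.

# Extract the negotiated cipher from batch-mode (-BN) output of
# SHOW SESSION STATUS LIKE 'Ssl_cipher', which looks like:
#   Ssl_cipher<TAB>ECDHE-RSA-AES128-GCM-SHA256
parse_ssl_cipher() {
    awk '$1 == "Ssl_cipher" { print $2 }'
}

# Print OK when the server used exactly the requested cipher, FAIL when the
# handshake was refused (empty value) or another cipher was chosen.
# Returns 0 for OK, 1 for FAIL.
verdict() {
    requested=$1
    negotiated=$2
    if [ -n "$negotiated" ] && [ "$negotiated" = "$requested" ]; then
        echo "OK   $requested"
        return 0
    fi
    echo "FAIL $requested (negotiated: ${negotiated:-none})"
    return 1
}

# Open one TLS session restricted to a single cipher and report what the
# server actually used. A refused handshake yields an empty string.
probe_cipher() {
    mysql --ssl-mode=REQUIRED --ssl-cipher="$1" -BN \
        -e "SHOW SESSION STATUS LIKE 'Ssl_cipher'" 2>/dev/null | parse_ssl_cipher
}

# Probe every cipher given on the command line (default: the one from this
# report); exit status 1 if any of them failed.
main() {
    failed=0
    for c in ${*:-ECDHE-RSA-AES128-GCM-SHA256}; do
        verdict "$c" "$(probe_cipher "$c")" || failed=1
    done
    return $failed
}

# Run the probes only when executed as a script (hypothetical file name),
# not when sourced for its functions.
case "$0" in */check_ssl_ciphers.sh|check_ssl_ciphers.sh) main "$@" ;; esac
```

Pass additional cipher names from the manual page as arguments to compare which ones the server actually accepts.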
[19 Sep 2016 12:24] Umesh Shastry
Hello Sveta,

Thank you for the report.

Thanks,
Umesh
[20 Sep 2016 10:14] Laurynas Biveinis
Bug 82935 fix for 5.7

(*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

Contribution: bug82935-5.7.patch (application/octet-stream, text), 19.19 KiB.

[20 Sep 2016 10:15] Laurynas Biveinis
Bug 82935 fix for 8.0

(*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

Contribution: bug82935-8.0.patch (application/octet-stream, text), 19.87 KiB.

[14 Apr 2017 9:06] Laurynas Biveinis
Bug 82935 fix for 8.0.1

Attachment: bug82935-8.0.1.patch (application/octet-stream, text), 20.00 KiB.

[4 Aug 2017 19:28] Laurynas Biveinis
Bug 82935 fix for 8.0.2

Attachment: bug82935-8.0.2.patch (application/octet-stream, text), 20.35 KiB.

[1 Feb 10:45] Laurynas Biveinis
Bug 82935 fix for 8.0.4

Attachment: bug82935-8.0.4.patch (application/octet-stream, text), 23.58 KiB.

[1 Feb 10:49] Laurynas Biveinis
Fix updated for 8.0.4. The main difference is in MTR due to OpenSSL 1.1 support. The latter version also negotiates EC ciphers by default, while my patch enables that for OpenSSL 1.0. A nice side effect in the test suite is that all OpenSSL-specific test cases now always negotiate the same EC cipher, so I dropped a few --replace_result replacements, and the whole previously contributed main.ssl_ecdh became redundant.

(It is very annoying that bugs with Contributions in Accepted state cannot receive new contributions)