Description:
We want to only allow TLSv1.2 (and newer, whenever TLSv1.3 is available) for SSL connections to our MySQL servers. This is the first server for this configuration.
The "setup":
- Using MySQL Workbench v6.3.6 build 511 CE (64bit) on my Mac (macOS 10.12). OpenSSL version reports "OpenSSL 0.9.8zh 14 Jan 2016" (Check for Updates says this is the most up-to-date version).
- Using MySQL Workbench v6.3.7 build 1199 on Windows 7.
- MySQL Community Edition 5.7.11 from mysql.com yum repos on CentOS 6. OpenSSL version reports "OpenSSL 1.0.1e-fips 11 Feb 2013"
- Using wildcard SSL certificate (for *.dev.wgu.edu), which is signed by Symantec Class 3 G4 Intermediate CA for the MySQL server.
What works:
- When the "tls_version" variable in the [mysqld] section of the my.cnf file is not set, the MySQL Workbench on both Mac and Windows connects without issue.
- When the "tls_version" variable in the [mysqld] section of the my.cnf file is set to TLSv1, the MySQL Workbench on both Mac and Windows connects without issue.
What breaks:
- When the "tls_version" variable in the [mysqld] section of the my.cnf file is set to TLSv1.1, the MySQL Workbench on Mac cannot connect (Windows still works fine). On my Mac, Workbench shows "SSL connection error: protocol version mismatch".
When I switch it back to TLSv1.0 or remove the "tls_version" setting, everything works.
Other Notes:
- CentOS 6 OpenSSL on this server doesn't support TLSv1.2; I'll be updating it to get that support or moving it to a CentOS 7 system.
- This is definitely NOT a problem with OpenSSL 0.9.x vs. OpenSSL 1.0.x generating the certs (e.g., PKCS#1 vs. PKCS#8 format for the secret key file) ... it wasn't OpenSSL that was used to generate them back when, and since it works with TLSv1 but not TLSv1.1, that kind of thing cannot be the problem. In other words, this can't be the problem because (a) OpenSSL wasn't involved and (b) if it was that kind of problem, it would be broken every time, not just in this one instance.
How to repeat:
Linux server:
- CentOS 6.
- Install MySQL 5.7.11 from the mysql.com YUM repo.
- Configure it to support SSL with a wildcard certificate using SHA256 signatures, both the self-signature and the CA signature.
- Include "tls_version=TLSv1.1" in the server SSL config.
Mac client:
- (probably any "modern" version from the past couple of years, all the way to fully up-to-date)
- Install latest MySQL Workbench
- Configure to connect to the server with SSL, using only the CA certificate (which signed the SSL cert, of course) in the connection config.
Test or try to connect to the server from the Mac MySQL client and observe the error.
Suggested fix:
Wish I had a fix. I have some theories which I have not been able to take time to test (yet?):
- Switch to a newer version of OpenSSL on the Mac, such as one installed with Homebrew or similar.
- Update server to newer version of OpenSSL which supports TLSv1.2 (perhaps the newer version has some TLSv1.1 fixes which apply?).
- Upgrade server to support TLSv1.2 (newer OpenSSL) and try using TLSv1.2, skipping TLSv1.1 entirely.
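To separate a server-side tls_version restriction from a client that simply cannot speak the newer protocol, here is an added Python probe (not part of this bug report, MySQL Workbench or the MySQL server code) that asks a MySQL server directly which TLS versions it will negotiate; the host name, port and the constructed handshake packet used for offline testing are assumptions.

```python
# Added diagnostic: MySQL does not start TLS on connect. The client reads the
# server handshake, checks the CLIENT_SSL capability bit, sends an SSLRequest
# packet, and only then runs the TLS handshake on the same socket.
import socket
import ssl
import struct

CLIENT_PROTOCOL_41 = 0x0200  # capability flag: 4.1+ protocol
CLIENT_SSL = 0x0800          # capability flag: server allows SSL/TLS


def parse_server_handshake(packet: bytes) -> dict:
    """Parse a HandshakeV10 packet (4-byte MySQL packet header included)."""
    body = packet[4:4 + int.from_bytes(packet[:3], "little")]
    if body[0] != 0x0A:
        raise ValueError("not a protocol-10 handshake")
    nul = body.index(b"\x00", 1)          # end of the server version string
    pos = nul + 1 + 4 + 8 + 1             # skip thread id, auth-data part 1, filler
    cap_lower = struct.unpack_from("<H", body, pos)[0]
    cap_upper = struct.unpack_from("<H", body, pos + 5)[0]  # after charset, status
    caps = cap_lower | (cap_upper << 16)
    return {"server_version": body[1:nul].decode(), "ssl": bool(caps & CLIENT_SSL)}


def build_ssl_request(seq_id: int = 1) -> bytes:
    """SSLRequest: capabilities, max packet size, charset, 23 reserved bytes."""
    body = struct.pack("<IIB", CLIENT_SSL | CLIENT_PROTOCOL_41, 1 << 24, 33) + bytes(23)
    return len(body).to_bytes(3, "little") + bytes([seq_id]) + body


def sample_handshake(ssl_enabled: bool) -> bytes:
    """Constructed HandshakeV10 as a 5.7 server would send it, for offline tests."""
    lower = 0xFFFF if ssl_enabled else 0xF7FF  # 0xF7FF = all flags but CLIENT_SSL
    body = (b"\x0a5.7.11\x00" + struct.pack("<I", 7) + b"12345678\x00"
            + struct.pack("<HBHHB", lower, 33, 2, 0x81FF, 21) + bytes(10)
            + b"abcdefghijkl\x00mysql_native_password\x00")
    return len(body).to_bytes(3, "little") + b"\x00" + body


def probe_tls_version(host: str, port: int, version: ssl.TLSVersion) -> str:
    """Return 'no-ssl', 'rejected' or 'accepted:<negotiated version>'."""
    with socket.create_connection((host, port), timeout=5) as sock:
        if not parse_server_handshake(sock.recv(4096))["ssl"]:
            return "no-ssl"
        sock.sendall(build_ssl_request())
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.minimum_version = ctx.maximum_version = version  # pin one version
            ctx.check_hostname = False       # diagnostic only: we want the
            ctx.verify_mode = ssl.CERT_NONE  # negotiated version, not trust
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "accepted:" + str(tls.version())
        except (ssl.SSLError, OSError):
            return "rejected"
```

Run `probe_tls_version("mysql.example.invalid", 3306, ssl.TLSVersion.TLSv1_1)` (placeholder host) for each version you care about; a "rejected" result can come from either side, which is exactly the situation in this report, where a client built against OpenSSL 0.9.8 cannot speak TLSv1.1 at all.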