
maria-developers team mailing list archive

New KB Question: SSL with other Clients than the original MariaDB-client?

 

A new question has been posted to the Knowledgebase.

http://kb.askmonty.org/en/ssl-with-other-clients-than-the-original-mariadb-client
====================
It seems to be that there is a difference in handling the SSL handshake
at the MariaDB-Server (5.2 or below) in contrast to the Mysql-Server
5.1. All JDBC-Clients can successfully connect to the Mysql-Server 5.1
via SSL, but not to the MariaDB-Server. Without SSL all JDBC-Clients can
successfully connect to MariaDB.

Both servers run with the same CA-, Server- and Client-Certificates and
I have made the following tests (all with MariaDB Server 5.2.10 and
also tested with 5.1.60 from the Deb-Repository):

 * Mysql-Client (5.1) cannot connect to MariaDB Server: "ERROR 2026
   (HY000): SSL connection error"
 * Mysql-connector/J cannot connect to MariaDB Server: TLSv1 Handshake
   fails with "unexpected message" after ClientHello
 * Drizzle JDBC cannot connect to MariaDB-Server: TLSv1 Handshake fails
   also with "unexpected message" after ClientHello
 * Original MariaDB-Client (5.2) can connect easily via SSL with the
   CA-Certificate to MariaDB-Server. 

It seems to be a general communication problem in the SSL-Handshake
after ClientHello. 

Is it a bug or a feature? 

Debug-Log of Java:
<<fixed>>
trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
  ClientHello, TLSv1
RandomCookie:  GMT: 1328138424 bytes
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
[write] MD5 and SHA1 hashes:  len = 75
main, WRITE: TLSv1 Handshake, length = 75
[Raw write]: length = 80
[Raw read]: length = 5
0000: 16 00 00 02 FF                                     .....
main, handling exception: javax.net.ssl.SSLException: Unsupported record version Unknown-0.0
main, SEND TLSv1 ALERT:  fatal, description = unexpected_message
main, WRITE: TLSv1 Alert, length = 2
<</fixed>>
====================

Thanks!

-- 
Daniel Bartholomew
MariaDB - http://mariadb.org
Monty Program - http://montyprogram.com
AskMonty Knowledgebase - http://kb.askmonty.org
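As an added illustration (not part of the question above and not MariaDB or MySQL code), the following Python decodes the five bytes the Java log shows ("0000: 16 00 00 02 FF") first as a TLS record header and then as a MySQL wire-protocol packet header, which is how a practitioner would check why JSSE reports "Unsupported record version Unknown-0.0". The reading that the server answered with a MySQL packet rather than a TLS ServerHello is an assumption drawn from that decoding, not something the post states.

```python
import struct

# Constructed from the debug log above: the five bytes the Java client read
# back from the server after sending its ClientHello.
RAW_READ = bytes.fromhex("16000002FF")

TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}

def parse_tls_record_header(data: bytes) -> dict:
    """Read the bytes as a TLS record header: type(1) version(2) length(2)."""
    if len(data) < 5:
        raise ValueError("a TLS record header needs 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {
        "content_type": TLS_CONTENT_TYPES.get(ctype, "unknown"),
        "version": f"{major}.{minor}",
        "length": length,
        # SSL 3.0 and TLS 1.x all use major version 3; 0.0 is not a TLS record.
        "plausible": major == 3 and minor <= 3,
    }

def parse_mysql_packet_header(data: bytes) -> dict:
    """Read the bytes as a MySQL wire packet: 3-byte little-endian length,
    1-byte sequence number, then the first payload byte (0xFF marks ERR)."""
    if len(data) < 5:
        raise ValueError("need length, sequence number and first payload byte")
    length = int.from_bytes(data[:3], "little")
    return {
        "length": length,
        "sequence": data[3],
        "packet_kind": "ERR" if data[4] == 0xFF else "other",
    }

def diagnose(data: bytes) -> str:
    """Say which protocol the server appears to have answered in."""
    tls = parse_tls_record_header(data)
    if tls["plausible"]:
        return f"TLS {tls['content_type']} record, version {tls['version']}"
    my = parse_mysql_packet_header(data)
    if my["packet_kind"] == "ERR":
        return (f"not TLS (record version {tls['version']}); looks like a MySQL "
                f"ERR packet, length {my['length']}, sequence {my['sequence']}")
    return "unrecognised"

if __name__ == "__main__":
    print(diagnose(RAW_READ))
```

Run against the logged bytes it reports a 22-byte MySQL ERR packet (sequence 2) rather than a TLS record, which is consistent with the "unexpected message" the JDBC drivers raise right after ClientHello.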