maria-developers team mailing list archive

Re: mariadb 10.1.13 fails with openssl on gentoo

 

Hi, Benny!

On Apr 17, Benny Pedersen wrote:
> if openssl works for others i like to know a working my.cnf to make it
> work, i have added my ssl same way as used in dovecot / postfix, no ssl
> error in mysql, but openssl s_client -showcerts -connect 127.0.0.1:3306
> says ssl23 fails, at best i see ssl3 tlsv1 fails, output is
> CONNECTED(00000003)

Of course, this cannot possibly work.

See the client-server protocol description, for example, here:
https://dev.mysql.com/doc/internals/en/connection-phase.html

When the client connects, the server sends the initial handshake packet
(where the server announces that it supports SSL). The client replies
that it also supports SSL. Only then do the server and client actually
start using SSL.

s_client does not know the MariaDB/MySQL protocol, it cannot do this initial
protocol handshake, so you cannot use it to probe MariaDB or MySQL
servers.

Regards,
Sergei
Chief Architect MariaDB
and security@xxxxxxxxxxx
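
The sequence described in the reply above, as an added example that is not part of the original message or of MariaDB's code: parse the server's plaintext greeting, check its SSL capability bit, send an SSLRequest, and only then start TLS. The function names and the sample packet are constructed for illustration; the field layout follows the connection-phase documentation linked in the message, and `probe` is meant for a server you administer.

```python
import socket
import ssl
import struct

CLIENT_PROTOCOL_41, CLIENT_SSL, CLIENT_SECURE_CONNECTION = 0x0200, 0x0800, 0x8000

def parse_handshake(packet):
    """Parse the server's initial HandshakeV10 packet (4-byte header + payload)."""
    length = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + length]
    if len(payload) < length or payload[:1] != b"\x0a":
        raise ValueError("not a complete HandshakeV10 packet")
    end = payload.index(b"\x00", 1)   # server version string is NUL-terminated
    pos = end + 1 + 4 + 8 + 1         # skip connection id, salt part 1, filler
    cap_low, charset, _status, cap_high = struct.unpack_from("<HBHH", payload, pos)
    caps = cap_low | (cap_high << 16)
    return {"version": payload[1:end].decode("ascii", "replace"),
            "charset": charset, "caps": caps, "ssl": bool(caps & CLIENT_SSL)}

def build_ssl_request(charset, seq=1):
    """SSLRequest: capability flags, max packet size, charset, 23 zero bytes."""
    caps = CLIENT_PROTOCOL_41 | CLIENT_SSL | CLIENT_SECURE_CONNECTION
    payload = struct.pack("<IIB23x", caps, 1 << 24, charset)
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

def probe(host, port=3306, timeout=5.0):
    """Plaintext greeting first, then SSLRequest, and only then the TLS handshake."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        header = raw.recv(4, socket.MSG_WAITALL)
        size = int.from_bytes(header[:3], "little")
        hello = parse_handshake(header + raw.recv(size, socket.MSG_WAITALL))
        if not hello["ssl"]:
            return hello                    # server did not announce SSL support
        raw.sendall(build_ssl_request(hello["charset"]))
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # inspection only (like -showcerts):
        ctx.verify_mode = ssl.CERT_NONE     # do not reuse this context for real clients
        with ctx.wrap_socket(raw) as tls:
            hello.update(tls_version=tls.version(), cipher=tls.cipher()[0],
                         cert_der=tls.getpeercert(binary_form=True))
    return hello

# Constructed sample greeting (not a capture); unread auth fields are zeroed.
_BODY = (b"\x0a" + b"10.1.13-MariaDB\x00" + struct.pack("<I", 7) + b"abcdefgh\x00"
         + struct.pack("<HBHH", 0xFFFF, 8, 2, 0x003F) + bytes(11))
SAMPLE_HANDSHAKE = len(_BODY).to_bytes(3, "little") + b"\x00" + _BODY

if __name__ == "__main__":
    print(parse_handshake(SAMPLE_HANDSHAKE))
```

Calling `probe("127.0.0.1")` against a running server returns the parsed greeting plus the negotiated TLS version, cipher and DER certificate when the server announces SSL.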

