maria-discuss team mailing list archive

[Kenneth Penza <kpenza@xxxxxxxxx>]

Hi Vladislav,

Thanks for the feedback. I will update  MDEV-13492 (
https://jira.mariadb.org/browse/MDEV-13492) with the setup details,
certificate generation and network traces.

Kenneth



On Fri, Oct 25, 2019 at 7:00 PM Vladislav Vaintroub <vvaintroub@xxxxxxxxx>
wrote:

> Hi Kenneth,
>
>
>
> There have been some reports about this symptoms, but nothing that we
> would be able to reproduce on any of our machines.
>
> So far I think the SSL handshake error that was seen was either
> intermittent “Unknown SSL error (0x80090308)”, say one in couple of hundred
> attempts. for which a workaround  is planned (
> *https://jira.mariadb.org/browse/CONC-417*
> <https://jira.mariadb.org/browse/CONC-417> and several others) . The
> occasional handshake error seems to be schannels own bug, which we could
> reproduce on some machines, and  IIRC could workaround by  disabling some
> ciphers by fiddling in Schannel’s registry.
>
>
>
> The second one that I heard of, was a complaint by a user, that his
> self-issued certificate works, and company-issued certificate does not,
> failing always with Unknown SSL error (0x80090308) . Unfortunately that
> user did not provide any detail on what he was seeing apart from this
> cryptic description.
>
>
>
> The most reasonable thing you could do to help us to help you, is to use
> that existing bug in JIRA to provide as much information as possible about
> your case, I.e whether or notm the bug is sporadic, whether you’re trying
> to force a specific cipher, details of certificate you’re using on server
> side, and a network trace that you can collect e.g  with wireshark, or
> tcpdump on either server or on client side.
>
>
>
> Now why the MySQL client does not fail, it is using the same SSL
> implementation (openssl) on the both client and server side.
>
>
>
> *From: *Kenneth Penza <kpenza@xxxxxxxxx>
> *Sent: *Friday, 25 October 2019 11:07
> *To: *Mailing-List mariadb <maria-discuss@xxxxxxxxxxxxxxxxxxx>
> *Subject: *[Maria-discuss] SSL issue with Windows MariaDB client
>
>
>
> Good morning,
>
>
>
> Whilst testing SSL of a MariaDB server version 10.4.8 running Linux from a
> Windows 10 machine I noted that connection using MySQL client
> (mysql-8.0.18-winx64) connects successfully, however connections with
> MariaDB client (mariadb-10.4.8-winx64) fails.
>
>
>
> In case of MariaDB I have downloaded the file (
> https://downloads.mariadb.org/interstitial/mariadb-10.4.8/winx64-packages/mariadb-10.4.8-winx64.zip/from/https%3A//mirror.serverion.com/mariadb
> <https://downloads.mariadb.org/interstitial/mariadb-10.4.8/winx64-packages/mariadb-10.4.8-winx64.zip/from/https%3A/mirror.serverion.com/mariadb>),
> whilst for MySQL client I used (
> https://dev.mysql.com/downloads/file/?id=490026).
>
>
>
>
>
> C:\temp\mariadb-10.4.8-winx64>mysql --user=penzk001 --password
> --host=<hostname> --port=3306 --tls-version=TLSv1.2
> --ssl-ca=c:\temp\CACert.pem
>
> Enter password: ********
> ERROR 2026 (HY000): Unknown SSL error (0x80090308)
>
> C:\temp\mariadb-10.4.8-winx64\bin> cd ..\mysql-8.0.18-winx64\bin
>
> C:\temp\mysql-8.0.18-winx64\bin>  mysql --user=penzk001 --password
> --host=<hostname> --port=3306 --tls-version=TLSv1.2
> --ssl-ca=c:\temp\CACert.pem
>
> Welcome to the MySQL monitor.  Commands end with ; or \g.
>
> ...
>
> mysql>\s
>
> ...
>
> SSL:                    Cipher in use is DHE-RSA-AES128-GCM-SHA256
>
> ...
>
> mysql>
>
>
>
> To ensure that the SSL certificate is valid I also tried
> "--ssl-mode=VERIFY_IDENTITY" with the mysql-8.0.18 client and it worked
> fine.
>
>
>
> Regards
>
> Kenneth
>
>
>
>
>