maria-discuss team mailing list archive

Re: SSL issue with Windows MariaDB client

 

Just a small update, MDEV-13492 updated with the mentioned details.

Kenneth

On Sat, Oct 26, 2019 at 2:45 PM Kenneth Penza <kpenza@xxxxxxxxx> wrote:

> Hi Vladislav,
>
> Thanks for the feedback. I will update MDEV-13492 (
> https://jira.mariadb.org/browse/MDEV-13492) with the setup details,
> certificate generation and network traces.
>
> Kenneth
>
>
>
> On Fri, Oct 25, 2019 at 7:00 PM Vladislav Vaintroub <vvaintroub@xxxxxxxxx>
> wrote:
>
>> Hi Kenneth,
>>
>>
>>
>> There have been some reports about these symptoms, but nothing that we
>> would be able to reproduce on any of our machines.
>>
>> So far I think the SSL handshake error that was seen was either
>> intermittent “Unknown SSL error (0x80090308)”, say one in a couple of hundred
>> attempts, for which a workaround is planned (
>> https://jira.mariadb.org/browse/CONC-417 and several others). The
>> occasional handshake error seems to be Schannel’s own bug, which we could
>> reproduce on some machines, and IIRC could work around by disabling some
>> ciphers by fiddling in Schannel’s registry.
>>
>>
>>
>> The second one that I heard of, was a complaint by a user, that his
>> self-issued certificate works, and company-issued certificate does not,
>> failing always with Unknown SSL error (0x80090308). Unfortunately that
>> user did not provide any detail on what he was seeing apart from this
>> cryptic description.
>>
>>
>>
>> The most reasonable thing you could do to help us to help you is to use
>> that existing bug in JIRA to provide as much information as possible about
>> your case, i.e. whether or not the bug is sporadic, whether you’re trying
>> to force a specific cipher, details of the certificate you’re using on the server
>> side, and a network trace that you can collect e.g. with Wireshark or
>> tcpdump on either the server or the client side.
>>
>>
>>
>> Now, why the MySQL client does not fail: it is using the same SSL
>> implementation (OpenSSL) on both the client and server side.
>>
>>
>>
>> *From: *Kenneth Penza <kpenza@xxxxxxxxx>
>> *Sent: *Friday, 25 October 2019 11:07
>> *To: *Mailing-List mariadb <maria-discuss@xxxxxxxxxxxxxxxxxxx>
>> *Subject: *[Maria-discuss] SSL issue with Windows MariaDB client
>>
>>
>>
>> Good morning,
>>
>>
>>
>> Whilst testing SSL of a MariaDB server version 10.4.8 running Linux from
>> a Windows 10 machine I noted that connection using MySQL client
>> (mysql-8.0.18-winx64) connects successfully, however connections with
>> MariaDB client (mariadb-10.4.8-winx64) fails.
>>
>>
>>
>> In case of MariaDB I have downloaded the file (
>> https://downloads.mariadb.org/interstitial/mariadb-10.4.8/winx64-packages/mariadb-10.4.8-winx64.zip/from/https%3A//mirror.serverion.com/mariadb),
>> whilst for MySQL client I used (
>> https://dev.mysql.com/downloads/file/?id=490026).
>>
>>
>>
>>
>>
>> C:\temp\mariadb-10.4.8-winx64>mysql --user=penzk001 --password
>> --host=<hostname> --port=3306 --tls-version=TLSv1.2
>> --ssl-ca=c:\temp\CACert.pem
>>
>> Enter password: ********
>> ERROR 2026 (HY000): Unknown SSL error (0x80090308)
>>
>> C:\temp\mariadb-10.4.8-winx64\bin> cd ..\mysql-8.0.18-winx64\bin
>>
>> C:\temp\mysql-8.0.18-winx64\bin>  mysql --user=penzk001 --password
>> --host=<hostname> --port=3306 --tls-version=TLSv1.2
>> --ssl-ca=c:\temp\CACert.pem
>>
>> Welcome to the MySQL monitor.  Commands end with ; or \g.
>>
>> ...
>>
>> mysql>\s
>>
>> ...
>>
>> SSL:                    Cipher in use is DHE-RSA-AES128-GCM-SHA256
>>
>> ...
>>
>> mysql>
>>
>>
>>
>> To ensure that the SSL certificate is valid I also tried
>> "--ssl-mode=VERIFY_IDENTITY" with the mysql-8.0.18 client and it worked
>> fine.
>>
>>
>>
>> Regards
>>
>> Kenneth
>>
>>
>>
>>
>>
>
