
Re: Re: MySQL - SSL - with TLS1.2 cipher AES256-SHA256 / DHE-RSA-AES256-SHA256

Thanks for instant reply.

As suggested, I tried with ECDHE-RSA-AES128-GCM-SHA256 and ECDHE-RSA-AES128-SHA, but no luck.
I created new EC certs and configured my.cnf with them.
====================
Below are the commands used for cert creation:

/opt/scr-openssl/ssl/bin/openssl ecparam -out ecc_ecdsa_root.key -name secp384r1 -genkey
echo -e "US\nObt\nIntelSelfSA\nSSG\nTesters\nCAServer\n\n\n" | /opt/scr-openssl/ssl/bin/openssl req -new -x509 -days 365 -key ecc_ecdsa_root.key -out ecc_ecdsa_root.pem

/opt/scr-openssl/ssl/bin/openssl ecparam -out ecc_ecdsa_ca.key -name secp384r1 -genkey
echo -e "US\nObt\nIntelSelfSA\nSSG\nTesters\nMySQLServer\n\n\n" | /opt/scr-openssl/ssl/bin/openssl req -new -key ecc_ecdsa_ca.key -out ecc_ecdsa_ca.csr
/opt/scr-openssl/ssl/bin/openssl x509 -req -extensions v3_ca -extfile x509_1.ext -days 365 -in ecc_ecdsa_ca.csr -CA ecc_ecdsa_root.pem -CAkey ecc_ecdsa_root.key -out ecc_ecdsa_ca.pem -CAcreateserial

/opt/scr-openssl/ssl/bin/openssl ecparam -out ecc_ecdsa_client.key -name secp384r1 -genkey
echo -e "US\nObt\nIntelSelfSA\nSSG\nTesters\nMySQLClient\n\n\n" | /opt/scr-openssl/ssl/bin/openssl req -new -key ecc_ecdsa_client.key -out ecc_ecdsa_client.csr
/opt/scr-openssl/ssl/bin/openssl x509 -req -extensions v3_ca -extfile x509_2.ext -days 365 -in ecc_ecdsa_client.csr -CA ecc_ecdsa_ca.pem -CAkey ecc_ecdsa_ca.key -out ecc_ecdsa_client.pem -CAcreateserial
====================
mysql -uroot -p --ssl-cipher=ECDHE-RSA-AES128-GCM-SHA256 -T -v
Enter password:
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
User time 0.00, System time 0.00
Maximum resident set size 2728, Integral resident set size 0
Non-physical pagefaults 793, Physical pagefaults 0, Swaps 0
Blocks in 0 out 0, Messages in 0 out 0, Signals 0
Voluntary context switches 3, Involuntary context switches 3
mysql -uroot -p --ssl-cipher=ECDHE-RSA-AES128-SHA -T -v
Enter password:
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
User time 0.00, System time 0.00
Maximum resident set size 2748, Integral resident set size 0
Non-physical pagefaults 798, Physical pagefaults 0, Swaps 0
Blocks in 0 out 0, Messages in 0 out 0, Signals 0
Voluntary context switches 4, Involuntary context switches 5
====================

Also, I checked openssl: the openssl build used supports the EC ciphers listed above.
On 17.03.2015 at 13:21, Bhushan Rane wrote:
I have compiled MySQL with openssl, I am able to connect to MySQL over
SSL with TLS1.0 ciphers. But when I tried to connect with TLS1.2 ciphers
connection fails with error

MySQL / MariaDB don't support anything better than DHE-RSA-AES128-SHA
(AES256 is supported but not more secure than AES128)

* no ECDHE
* no AES-GCM
* no SHA256

no idea how they manage that, because openssl has support for it
___________________________________

ssl-cipher=DHE-RSA-AES256-SHA256
ssl-cipher=AES256-SHA256

are not supported and don't make much sense anyways
___________________________________

the current best cipher suite would be the following, because AES-GCM is
hardware optimized on recent machines (Intel AES) and GCM is *always*
better than a stupid CBC cipher

ECDHE-RSA-AES128-GCM-SHA256



--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/mysql
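A check worth running before retrying, added here as an example and not part of either post above: the cert-creation commands in the reply generate secp384r1 (ECDSA) keys for every cert, while every ECDHE-RSA-* suite, as its name says, requires the server to authenticate with an RSA certificate (`openssl ciphers -v` shows this as Au=RSA). A server holding only an ECDSA cert therefore cannot complete a handshake restricted to those suites, whatever else is going on. The script below asks the OpenSSL library linked into Python's ssl module what each --ssl-cipher string requires and reports whether a server with an "rsa" or an "ecdsa" certificate can serve it. The key-type labels are assumptions standing in for what `openssl x509 -in <server cert> -noout -text` reports under "Public Key Algorithm"; the suite names are the ones from this thread, plus the ECDSA counterpart of the GCM suite.

```python
"""
Check which suites of a MySQL-style --ssl-cipher string a server certificate
of a given key type can negotiate.

Added example, not code from the mailing-list thread. It queries the OpenSSL
library behind Python's ssl module, so no openssl binary, cert files or
network access are needed. The "rsa"/"ecdsa" labels are assumed inputs that
stand in for the Public Key Algorithm of the real server certificate.
"""
import ssl

# Suites discussed in the thread (constructed list, taken from the posts),
# plus the ECDSA counterpart that an EC server cert can actually serve.
THREAD_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA",
    "DHE-RSA-AES256-SHA256",
    "AES256-SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
]

# OpenSSL "Au=" value (as Python's ssl module names it) -> key type the
# server certificate must carry to satisfy it.
AUTH_TO_KEY = {"auth-rsa": "rsa", "auth-ecdsa": "ecdsa"}


def suite_requirements(cipher_string):
    """Expand an OpenSSL cipher string into {name: (kea, auth, protocol)}.

    Uses SSLContext.set_ciphers()/get_ciphers(), i.e. the same cipher-string
    parser an OpenSSL-linked MySQL client applies to --ssl-cipher. TLS 1.3
    suites are always listed by get_ciphers() regardless of the string and
    are dropped, since the thread is about TLS 1.2 suite selection.
    Returns {} when OpenSSL rejects the whole string (no suite matches).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return {}
    return {
        c["name"]: (c["kea"], c["auth"], c["protocol"])
        for c in ctx.get_ciphers()
        if c["protocol"] != "TLSv1.3"
    }


def compatible_suites(cipher_string, cert_key_type):
    """Suites from cipher_string that a server holding a certificate of
    cert_key_type ("rsa" or "ecdsa") can complete a handshake with."""
    return sorted(
        name
        for name, (_kea, auth, _proto) in suite_requirements(cipher_string).items()
        if AUTH_TO_KEY.get(auth) == cert_key_type
    )


def explain_failure(cipher_string, cert_key_type):
    """One-line diagnosis of the kind of mismatch behind an 'SSL connection
    error' when the client pins a cipher the server cert cannot serve."""
    reqs = suite_requirements(cipher_string)
    if not reqs:
        return f"{cipher_string}: no suite of that name in this OpenSSL build"
    ok = compatible_suites(cipher_string, cert_key_type)
    if ok:
        return f"{cipher_string}: ok with a {cert_key_type} certificate ({', '.join(ok)})"
    needed = sorted({AUTH_TO_KEY.get(auth, auth) for _k, auth, _p in reqs.values()})
    return (
        f"{cipher_string}: every matching suite authenticates with "
        f"{', '.join(needed)}, but the server certificate is {cert_key_type}; "
        f"handshake fails before any suite is chosen"
    )


if __name__ == "__main__":
    for suite in THREAD_SUITES:
        for key_type in ("ecdsa", "rsa"):
            print(explain_failure(suite, key_type))
```

With the ECDSA certs from the reply, the ECDHE-RSA-* lines come back as "handshake fails"; only ECDHE-ECDSA-* suites match that key type, and those certs can serve an ECDHE suite only if the MySQL build negotiates it. If the RSA lines fail too on the real server, the mismatch is elsewhere (for instance the OpenSSL version the server was linked against, since the TLS 1.2 GCM and SHA256 suites only exist from OpenSSL 1.0.1 onward).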