Web lists-archives.com

Re: MySQL - SSL - with TLS1.2 cipher AES256-SHA256 / DHE-RSA-AES256-SHA256

On 17.03.2015 at 14:25, Bhushan Rane wrote:
Thanks for the instant reply.

As suggested I tried with ECDHE-RSA-AES128-GCM-SHA256 and
ECDHE-RSA-AES128-SHA but no luck.
Created new certs for EC - configured my.cnf with new certs

you *did not* really read my reply

> MySQL / MariaDB don't support anything better than DHE-RSA-AES128-SHA
> (AES256 is supported but not more secure than AES128)
>
> * no ECDHE
> * no AES-GCM
> * no SHA256

====================
Below are the commands used for cert creation:

# root CA: P-384 EC key and self-signed root certificate
/opt/scr-openssl/ssl/bin/openssl ecparam -out ecc_ecdsa_root.key \
    -name secp384r1 -genkey
echo -e "US\nObt\nIntelSelfSA\nSSG\nTesters\nCAServer\n\n\n" | \
    /opt/scr-openssl/ssl/bin/openssl req -new -x509 -days 365 \
    -key ecc_ecdsa_root.key -out ecc_ecdsa_root.pem

# server (intermediate CA) cert: P-384 EC key, CSR, signed by the root
/opt/scr-openssl/ssl/bin/openssl ecparam -out ecc_ecdsa_ca.key \
    -name secp384r1 -genkey
echo -e "US\nObt\nIntelSelfSA\nSSG\nTesters\nMySQLServer\n\n\n" | \
    /opt/scr-openssl/ssl/bin/openssl req -new -key ecc_ecdsa_ca.key \
    -out ecc_ecdsa_ca.csr
/opt/scr-openssl/ssl/bin/openssl x509 -req -extensions v3_ca \
    -extfile x509_1.ext -days 365 -in ecc_ecdsa_ca.csr \
    -CA ecc_ecdsa_root.pem -CAkey ecc_ecdsa_root.key \
    -out ecc_ecdsa_ca.pem -CAcreateserial

# client cert: P-384 EC key, CSR, signed by the server/CA cert above
/opt/scr-openssl/ssl/bin/openssl ecparam -out ecc_ecdsa_client.key \
    -name secp384r1 -genkey
echo -e "US\nObt\nIntelSelfSA\nSSG\nTesters\nMySQLClient\n\n\n" | \
    /opt/scr-openssl/ssl/bin/openssl req -new -key ecc_ecdsa_client.key \
    -out ecc_ecdsa_client.csr
/opt/scr-openssl/ssl/bin/openssl x509 -req -extensions v3_ca \
    -extfile x509_2.ext -days 365 -in ecc_ecdsa_client.csr \
    -CA ecc_ecdsa_ca.pem -CAkey ecc_ecdsa_ca.key \
    -out ecc_ecdsa_client.pem -CAcreateserial
====================
mysql -uroot -p --ssl-cipher=ECDHE-RSA-AES128-GCM-SHA256 -T -v
Enter password:
ERROR 2026 (HY000): SSL connection error:
error:00000001:lib(0):func(0):reason(1)

User time 0.00, System time 0.00
Maximum resident set size 2728, Integral resident set size 0
Non-physical pagefaults 793, Physical pagefaults 0, Swaps 0
Blocks in 0 out 0, Messages in 0 out 0, Signals 0
Voluntary context switches 3, Involuntary context switches 3
mysql -uroot -p --ssl-cipher=ECDHE-RSA-AES128-SHA -T -v
Enter password:
ERROR 2026 (HY000): SSL connection error:
error:00000001:lib(0):func(0):reason(1)

User time 0.00, System time 0.00
Maximum resident set size 2748, Integral resident set size 0
Non-physical pagefaults 798, Physical pagefaults 0, Swaps 0
Blocks in 0 out 0, Messages in 0 out 0, Signals 0
Voluntary context switches 4, Involuntary context switches 5
====================

Also, I checked openssl: the openssl build in use supports the EC ciphers listed above.

On 17.03.2015 at 13:21, Bhushan Rane wrote:
I have compiled MySQL with openssl and I am able to connect to MySQL over
SSL with TLS1.0 ciphers. But when I try to connect with TLS1.2 ciphers,
the connection fails with an error.

MySQL / MariaDB don't support anything better than DHE-RSA-AES128-SHA
(AES256 is supported but not more secure than AES128)

* no ECDHE
* no AES-GCM
* no SHA256

no idea how they manage that because openssl has support
___________________________________

ssl-cipher=DHE-RSA-AES256-SHA256
ssl-cipher=AES256-SHA256

are not supported and don't make much sense anyways
___________________________________

the currently best ciphersuite would be the following because AES-GCM is
hardware optimized on recent machines (Intel AES) and GCM is *always*
better than a stupid CBC cipher

ECDHE-RSA-AES128-GCM-SHA256

Attachment: signature.asc
Description: OpenPGP digital signature
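As an added example (not code from this thread, from MySQL or from OpenSSL): a small Python helper that splits OpenSSL cipher-suite names into key exchange, authentication, cipher and MAC, derives the minimum TLS version the suite can be negotiated under, and lists why a suite cannot be negotiated against a given server certificate key type and protocol ceiling. The suite names and the two public-key-algorithm strings are OpenSSL's own; the scenario values (an EC certificate, a server limited to TLS 1.0) are constructed to mirror the thread, where the certificates were generated with ecparam (EC keys) while every suite tried is ECDHE-RSA or DHE-RSA, which require an RSA certificate.

```python
# Added example: classify OpenSSL cipher-suite names and explain why a suite
# cannot be negotiated for a given server certificate key and TLS ceiling.
# Scenario values below are constructed; they are not taken from the thread.
import re

# OpenSSL cipher-suite name shape covered here: [KX-AUTH-]ENC[-MODE]-MAC
# e.g. AES256-SHA256, DHE-RSA-AES128-SHA, ECDHE-RSA-AES128-GCM-SHA256
_SUITE_RE = re.compile(
    r"^(?:(?P<kx>DHE|ECDHE)-(?P<auth>RSA|ECDSA)-)?"
    r"(?P<enc>AES128|AES256)(?:-(?P<mode>GCM))?-(?P<mac>SHA|SHA256|SHA384)$"
)

# "Public Key Algorithm" strings as printed by `openssl x509 -text -noout`
RSA_KEY = "rsaEncryption"
EC_KEY = "id-ecPublicKey"


def parse_suite(name):
    """Split an OpenSSL cipher-suite name into its components.

    Returns a dict with kx, auth, enc, mode, mac, min_tls and forward_secrecy.
    Raises ValueError for names outside the AES/SHA family handled here.
    """
    m = _SUITE_RE.match(name)
    if not m:
        raise ValueError("unsupported or malformed cipher-suite name: %s" % name)
    parts = m.groupdict()
    # A bare "AES256-SHA256" is RSA key transport: the server's RSA key both
    # authenticates the server and carries the premaster secret (no PFS).
    if parts["kx"] is None:
        parts["kx"] = "RSA"
        parts["auth"] = "RSA"
    # AEAD (GCM) suites and suites with a SHA-2 MAC/PRF exist only in TLS 1.2.
    parts["min_tls"] = "1.2" if parts["mode"] == "GCM" or parts["mac"] != "SHA" else "1.0"
    parts["forward_secrecy"] = parts["kx"] in ("DHE", "ECDHE")
    return parts


def _version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def handshake_problems(suite_name, cert_key_alg, server_max_tls):
    """List the reasons a suite cannot be negotiated, or [] if it can.

    cert_key_alg is the server certificate's public-key algorithm as OpenSSL
    prints it; server_max_tls is the highest protocol version the server
    offers, e.g. "1.0" or "1.2".
    """
    s = parse_suite(suite_name)
    problems = []
    needed = {"RSA": RSA_KEY, "ECDSA": EC_KEY}[s["auth"]]
    if cert_key_alg != needed:
        problems.append(
            "%s authenticates with %s, which needs a %s certificate key, "
            "but the server certificate key is %s"
            % (suite_name, s["auth"], needed, cert_key_alg)
        )
    if _version_tuple(server_max_tls) < _version_tuple(s["min_tls"]):
        problems.append(
            "%s requires TLS %s but the server negotiates at most TLS %s"
            % (suite_name, s["min_tls"], server_max_tls)
        )
    return problems


if __name__ == "__main__":
    # Constructed scenario: EC (ECDSA) certificates were generated, every
    # suite tried authenticates with RSA, and the server is assumed to offer
    # nothing above TLS 1.0.
    for suite in ("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA",
                  "DHE-RSA-AES256-SHA256", "AES256-SHA256", "DHE-RSA-AES128-SHA"):
        for reason in handshake_problems(suite, EC_KEY, "1.0") or ["ok"]:
            print("%-28s %s" % (suite, reason))
```

Run it as a script to get one line per reason. In the constructed scenario, DHE-RSA-AES128-SHA is the only one of the thread's suites that passes both checks once an RSA certificate is used, which matches the reported pattern of TLS 1.0 suites working and TLS 1.2 suites failing; an ECDHE-RSA suite against an EC certificate fails on the certificate check alone, regardless of protocol version.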