Bhushan Rane

Reputation: 11

MySQL - SSL - with TLS1.2 cipher AES256-SHA256 / DHE-RSA-AES256-SHA256

I'm using MySQL with SSL with the TLS1.2 ciphers AES256-SHA256 / DHE-RSA-AES256-SHA256. I have compiled MySQL with OpenSSL. I am able to connect to MySQL over SSL with TLS1.0 ciphers, but when I try to connect with TLS1.2 ciphers the connection fails with an error.

MySQL server version :- 5.6.23-log Source distribution
Custom OpenSSL version :- OpenSSL 1.0.1j 15 Oct 2014
Java version :- 1.8.0_40

Error thrown when connecting with the TLS1.2 cipher

> mysql -umysql --ssl-cipher=DHE-RSA-AES256-SHA256 -T -v

ERROR 2026 (HY000): SSL connection error: 
error:00000001:lib(0):func(0):reason(1)

User time 0.00, System time 0.00
Maximum resident set size 2664, Integral resident set size 0
Non-physical pagefaults 777, Physical pagefaults 0, Swaps 0
Blocks in 0 out 0, Messages in 0 out 0, Signals 0
Voluntary context switches 2, Involuntary context switches 5

Snippet of my.cnf

[client]
default-character-set=utf8
ssl=ON
ssl-ca=/home/mysql-cert/ca.pem
ssl-cert=/home/mysql-cert/client-cert.pem
ssl-key=/home/mysql-cert/client-key.pem

[mysql]
default-character-set=utf8

[mysqld]
general_log=1

ssl-cipher=DHE-RSA-AES256-SHA256
ssl-cipher=AES256-SHA256
ssl-cipher=AES256-SHA
ssl-ca=/home/mysql-cert/ca.pem
ssl-cert=/home/mysql-cert/server-cert.pem
ssl-key=/home/mysql-cert/server-key.pem

MySQL prompt snippet with a TLS1.0 cipher connected

mysql> \s
--------------
mysql  Ver 14.14 Distrib 5.6.23, for Linux (x86_64) using EditLine wrapper

Connection id:          6
Current database:
Current user:           root@localhost
SSL:                    Cipher in use is AES256-SHA
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         5.6.23-log Source distribution
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    utf8
Conn.  characterset:    utf8
UNIX socket:            /tmp/mysql.sock
Uptime:                 1 hour 32 min 40 sec

Threads: 1  Questions: 11  Slow queries: 0  Opens: 67  Flush tables: 1  
Open tables: 60  Queries per second avg: 0.001
--------------

mysql> SHOW STATUS LIKE 'ssl%';
+--------------------------------+--------------------------+
| Variable_name                  | Value                    |
+--------------------------------+--------------------------+
| Ssl_accept_renegotiates        | 0                        |
| Ssl_accepts                    | 6                        |
| Ssl_callback_cache_hits        | 0                        |
| Ssl_cipher                     | AES256-SHA               |
| Ssl_cipher_list                | AES256-SHA               |
| Ssl_client_connects            | 0                        |
| Ssl_connect_renegotiates       | 0                        |
| Ssl_ctx_verify_depth           | 18446744073709551615     |
| Ssl_ctx_verify_mode            | 5                        |
| Ssl_default_timeout            | 7200                     |
| Ssl_finished_accepts           | 3                        |
| Ssl_finished_connects          | 0                        |
| Ssl_server_not_after           | Jan 23 10:29:20 2025 GMT |
| Ssl_server_not_before          | Mar 17 10:29:20 2015 GMT |
| Ssl_session_cache_hits         | 0                        |
| Ssl_session_cache_misses       | 0                        |
| Ssl_session_cache_mode         | SERVER                   |
| Ssl_session_cache_overflows    | 0                        |
| Ssl_session_cache_size         | 128                      |
| Ssl_session_cache_timeouts     | 0                        |
| Ssl_sessions_reused            | 0                        |
| Ssl_used_session_cache_entries | 0                        |
| Ssl_verify_depth               | 18446744073709551615     |
| Ssl_verify_mode                | 5                        |
| Ssl_version                    | TLSv1                    |
+--------------------------------+--------------------------+
25 rows in set (0.00 sec)

mysql> SHOW VARIABLES LIKE '%ssl%';
+---------------+----------------------------------+
| Variable_name | Value                            |
+---------------+----------------------------------+
| have_openssl  | YES                              |
| have_ssl      | YES                              |
| ssl_ca        | /home/mysql-cert/ca.pem          |
| ssl_capath    |                                  |
| ssl_cert      | /home/mysql-cert/server-cert.pem |
| ssl_cipher    | AES256-SHA                       |
| ssl_crl       |                                  |
| ssl_crlpath   |                                  |
| ssl_key       | /home/mysql-cert/server-key.pem  |
+---------------+----------------------------------+
9 rows in set (0.00 sec)

MySQL compiled as

> cmake . -DCMAKE_PREFIX_PATH=/opt/scr-openssl/ssl/ \
    -DWITH_SSL=/opt/scr-openssl/ssl/ \
    -DWITH_OPENSSL=/opt/scr-openssl/ssl/bin/ \
    -DWITH_OPENSSL_INCLUDES=/opt/scr-openssl/ssl/include/ \
    -DWITH_OPENSSL_LIBS=/opt/scr-openssl/ssl/lib/ -DENABLE_DOWNLOADS=1
> make
> make install

Please help me configure MySQL to work with a TLS1.2 cipher.

Upvotes: 1

Views: 2873

Answers (1)

Edwin Fine

Reputation: 601

MySQL v5.6.23 can only support TLS 1.0. To get support for TLS 1.2, you need to upgrade to a later MySQL version and ensure that both client and server have been compiled to use OpenSSL.

You might be able to use MySQL 5.6.46, according to the MySQL documentation.

When compiled using OpenSSL 1.0.1 or higher, MySQL supports the TLSv1, TLSv1.1, and TLSv1.2 protocols as of MySQL 5.6.46, and TLSv1 prior to 5.6.46.

Upvotes: 1
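A config check for this situation, added here as an example (it is not code from the question or the answer): it parses the [mysqld] section and the SHOW STATUS rows quoted above, flags the repeated ssl-cipher key (MySQL keeps the last occurrence of a repeated option, which matches the AES256-SHA the status output shows), and reports which requested ciphers need TLS 1.2 while the server negotiates TLSv1. The sample inputs are constructed from the question's output; the cipher-name rule assumes OpenSSL naming.

```python
import re

# Constructed sample input, modelled on the question's my.cnf [mysqld] section
# (the repeated ssl-cipher key is kept on purpose) and its SHOW STATUS output.
MY_CNF_MYSQLD = """\
[mysqld]
general_log=1
ssl-cipher=DHE-RSA-AES256-SHA256
ssl-cipher=AES256-SHA256
ssl-cipher=AES256-SHA
ssl-ca=/home/mysql-cert/ca.pem
"""

SSL_STATUS = """\
| Ssl_cipher                     | AES256-SHA               |
| Ssl_cipher_list                | AES256-SHA               |
| Ssl_version                    | TLSv1                    |
"""

def parse_mysqld_section(text):
    """Return {key: [values...]} so repeated keys stay visible instead of silently collapsing."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("[", "#")) or "=" not in line:
            continue
        key, _, val = line.partition("=")
        values.setdefault(key.strip(), []).append(val.strip())
    return values

def parse_status_table(text):
    """Parse the '| name | value |' rows of SHOW STATUS LIKE 'ssl%'."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^\|\s*(\S+)\s*\|\s*(.*?)\s*\|$", text, re.M)}

def needs_tls12(cipher):
    """OpenSSL names with SHA256/SHA384 HMACs or AEAD modes exist only from TLS 1.2 on."""
    return bool(re.search(r"SHA256$|SHA384$|GCM|CCM|CHACHA20", cipher))

def audit(cnf_text, status_text):
    """Return findings explaining why a TLS 1.2 cipher cannot be negotiated with this setup."""
    findings = []
    ciphers = parse_mysqld_section(cnf_text).get("ssl-cipher", [])
    if len(ciphers) > 1:  # last occurrence wins in MySQL option files
        findings.append("ssl-cipher set %d times; mysqld keeps only the last (%s)" % (len(ciphers), ciphers[-1]))
    version = parse_status_table(status_text).get("Ssl_version", "")
    for c in ciphers:
        if needs_tls12(c) and version in ("TLSv1", "TLSv1.1"):
            findings.append("%s requires TLS 1.2 but the server negotiates %s" % (c, version))
    return findings
```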
