  1. Percona Server for MySQL
  2. PS-1737

LP #1622034: Cipher ECDHE-RSA-AES128-GCM-SHA256 listed in man/Ssl_cipher_list, not supported

Details

    Description

      Reported in Launchpad by Sveta Smirnova, last update 20-09-2016 09:02:04

      Description:
      Cipher ECDHE-RSA-AES128-GCM-SHA256 listed in the list of supported ciphers at https://dev.mysql.com/doc/refman/5.7/en/secure-connection-protocols-ciphers.html, but practically it is not supported.

      How to repeat:
      Download 5.7.15, start it with SSL support. Try to connect using ECDHE-RSA-AES128-GCM-SHA256.

      Suggested fix:
      Support ECDHE-RSA-AES128-GCM-SHA256.

      Customer provided a patch which fixes the issue:

      -bash-4.1$ cat patches/viossl.patch
      — percona-server-5.6.31-77.0/vio/viosslfactories.c.orig 2016-07-26 02:51:18.881251868 +0000
      +++ percona-server-5.6.31-77.0/vio/viosslfactories.c 2016-07-26 18:30:45.016767477 +0000
      @@ -329,6 +329,7 @@
      const long ssl_ctx_flags)
      {
      DH *dh;
      + EC_KEY *ecdh;
      struct st_VioSSLFd *ssl_fd;
      long ssl_ctx_options= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
      int ret_set_cipherlist= 0;
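
      Review bot: the `EC_KEY *ecdh;` declaration added next to `DH *dh;` is unconditional, and the patch adds no include or feature guard for it. If this file is also built against an SSL library without EC support, wrap this declaration and the ECDH block in the second hunk in a guard such as `#ifndef OPENSSL_NO_EC`, so those builds still compile.
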
      @@ -498,6 +499,18 @@
      }
      DH_free(dh);

      + /* ECDH stuff */
      + ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
      + if (! ecdh)
      +

      { + DBUG_PRINT("error", ("ECDH key fail")); + }

      + if (1 != SSL_CTX_set_tmp_ecdh (ssl_fd->ssl_context, ecdh))
      +

      { + DBUG_PRINT("error", ("ECDH set fail")); + }

      + EC_KEY_free (ecdh);
      +
      DBUG_PRINT("exit", ("OK 1"));

      DBUG_RETURN(ssl_fd);
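
      Review bot: both failure branches in the ECDH block only call DBUG_PRINT and then fall through. When `EC_KEY_new_by_curve_name` returns NULL, the code still passes that NULL `ecdh` to `SSL_CTX_set_tmp_ecdh`, and after either failure the function still reaches `DBUG_PRINT("exit", ("OK 1"))` and returns `ssl_fd` as if setup had succeeded. Skip the `SSL_CTX_set_tmp_ecdh` call when `ecdh` is NULL, and report the failure somewhere visible outside debug builds (or take the function's error path), so a server that comes up without ECDHE ciphers does not do so silently. The curve is also hard-coded to `NID_X9_62_prime256v1`; a short comment saying why that curve was chosen would help the next reader.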
