Uploaded image for project: 'Percona Server for MySQL'
  1. Percona Server for MySQL
  2. PS-906

LP #1462856: Newest RHEL/CentOS openssl update breaks mysql DHE



      **Reported in Launchpad by Jacques Grove last update 20-07-2015 20:33:33

      This is a problem in upstream as well, I am pretty sure:

      The newest RHEL/CentOS/SL 6.6 openssl package (1.0.1e-30.el6_6.9 ; published around 6/4/2015) contains a fix for CVE-2015-4000 . RedHat's fix for this was to limit the use of any SSL DH key sizes to a minimum of 768 bits. This breaks any DHE SSL ciphers for MySQL clients as soon as you install the openssl update, since in vio/viosslfactories.c , the default DHPARAM is a 512 bit one. As far as I can tell this cannot be changed in configuration/runtime; and needs a recompile.

      We should probably include and/or upstream this patch:



      If a user in a Percona 5.6.23-72.1-log server is setup with grant "require SSL", and the client (using the updated openssl package) executes:

      1. mysql -u user -h serverhostname --ssl --ssl-cipher=DHE-RSA-AES256-SHA -p
        Enter password:
        ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)

      This will occur for any DHE cipher. Using a non-DHE cipher will work as expected.


      • Downgrade the client openssl package to any version before 1.0.1e-30.el6_6.9; e.g. 0:1.0.1e-30.el6_6.8
      • Alternatively, do not use DH ciphers. This is not acceptable because the supported non-DH ciphers do not afford any PFS protection.

      Solution is for the server to present a 1024 bit DH param. This would:

      • Avoid the problem with "fixed" client libraries.
      • Still be small enough to avoid problems with some clients (e.g. older Java versions do not like DH params > 1024 bit)
      • Improve security in general.




            Unassigned Unassigned
            lpjirasync lpjirasync (Inactive)
            0 Vote for this issue
            1 Start watching this issue



              Smart Checklist