Uploaded image for project: 'Percona Server for MySQL'
  1. Percona Server for MySQL
  2. PS-906

LP #1462856: Newest RHEL/CentOS openssl update breaks mysql DHE

    XMLWordPrintable

    Details

      Description

      **Reported in Launchpad by Jacques Grove last update 20-07-2015 20:33:33

      This is a problem in upstream as well, I am pretty sure:

      The newest RHEL/CentOS/SL 6.6 openssl package (1.0.1e-30.el6_6.9 ; published around 6/4/2015) contains a fix for CVE-2015-4000 . RedHat's fix for this was to limit the use of any SSL DH key sizes to a minimum of 768 bits. This breaks any DHE SSL ciphers for MySQL clients as soon as you install the openssl update, since in vio/viosslfactories.c , the default DHPARAM is a 512 bit one. As far as I can tell this cannot be changed in configuration/runtime; and needs a recompile.

      We should probably include and/or upstream this patch:

      https://lists.fedoraproject.org/pipermail/scm-commits/2012-December/910767.html

      Example:

      If a user in a Percona 5.6.23-72.1-log server is setup with grant "require SSL", and the client (using the updated openssl package) executes:

      1. mysql -u user -h serverhostname --ssl --ssl-cipher=DHE-RSA-AES256-SHA -p
        Enter password:
        ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)

      This will occur for any DHE cipher. Using a non-DHE cipher will work as expected.

      Workaround:

      • Downgrade the client openssl package to any version before 1.0.1e-30.el6_6.9; e.g. 0:1.0.1e-30.el6_6.8
      • Alternatively, do not use DH ciphers. This is not acceptable because the supported non-DH ciphers do not afford any PFS protection.

      Solution is for the server to present a 1024 bit DH param. This would:

      • Avoid the problem with "fixed" client libraries.
      • Still be small enough to avoid problems with some clients (e.g. older Java versions do not like DH params > 1024 bit)
      • Improve security in general.

        Attachments

          Activity

            People

            Assignee:
            Unassigned
            Reporter:
            lpjirasync lpjirasync (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:

                Smart Checklist