I am getting this error when using this command:

```shell
ssldir=/home/inet/devel/config/mysql_ssl
mysql -vvvvv -u ***** -p -h eos3 \
  --ssl-ca $ssldir/cacert.pem \
  --ssl-cert $ssldir/server-cert.pem \
  --ssl-key $ssldir/server-key.pem
```
The eos3 server is on RHEL6, openssl-1.0.1e-fips, MySQL 5.1.73.
I have 3 other servers I am trying to make the connection from:
- A) RHEL7 mariadb-5.5.68, openssl-1.0.2k-fips
- B) RHEL8 MySQL 8.0.26, openssl-1.1.1k FIPS
- C) RHEL9 mariadb-10.5.16, openssl-3.0.1
A and C have no problem connecting, B does, and if I try MySQL 8.0.30 on RHEL9 it also fails.
I am really trying to solve an issue with PHP 8.0 not being able to make an SSL connection to eos3.
I have read a number of posts that say to try relaxing a setting in /etc/ssl/openssl.cnf, but none of my servers have that file; it is in /etc/pki/tls instead. Making this change there didn't help:

```
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=1
```
The cipher list returned by EOS3 when making a MySQL SSL connection is (output truncated as shown):

```
| Ssl_cipher_list | ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128- |
```
As far as I can tell my certificate and RSA keys are 2048-bit. Didn't work when I had 1024-bit ones as the documentation says.
When I do get an SSL connection, the Ssl_version is always TLSv1.2, which I expect.
The Ssl_cipher is different between the RHEL7 connection and the RHEL9 connection: DHE-RSA-AES256-GCM-SHA384 and AES256-GCM-SHA384 respectively.
Why would MariaDB work, but not MySQL? I am hoping if I can get MySQL to work, then PHP would have a better chance of working. Using PEAR.php, DB.php and mysqli_d.php within PHP.
2 Answers
Adding TLS.MinProtocol = TLSv1 on RHEL9 to /etc/pki/tls/openssl.cnf as shown below fixes the problem with MySQL 8.26/8.30. This doesn't help with PHP; only specifying a cipher list that doesn't include the DH/DHE ciphers to mysqli_set_ssl fixed the issue.

The error says that your server is configured with a too small DH (Diffie-Hellman) key, which is considered insecure by recent TLS libraries.
MySQL 5.1 uses a 512-bit DH key, MySQL 5.7 uses a 2048-bit key (see this commit).
If you can’t upgrade your systems you could try the following:
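To tell a "dh key too small" refusal apart from other TLS failures before changing cipher lists, here is an added diagnostic (not code from the question or either answer) that classifies the output of an `openssl s_client` handshake against a MySQL server. It assumes OpenSSL 1.1.1 or later for `-starttls mysql`; the host, port and cipher list are placeholders you supply.

```shell
#!/bin/sh
# Added diagnostic, not code from the original question or answers.
# Classifies an 'openssl s_client' handshake against a MySQL server so that a
# "dh key too small" refusal is told apart from other failures. Assumes
# OpenSSL 1.1.1 or later for '-starttls mysql'; host, port and cipher list are
# caller-supplied placeholders.

# Read the combined stdout+stderr of s_client on stdin and print one verdict.
# Exit status 0 only when the handshake completed with an acceptable key exchange.
dh_verdict() {
    out=$(cat)
    case "$out" in
        *"dh key too small"*)
            # Client-side refusal. OpenSSL rejects DH under 1024 bits at every
            # security level, so a 512-bit DH key from MySQL 5.1 is never accepted.
            echo "WEAK_DH: handshake refused (dh key too small)"
            return 1 ;;
    esac
    line=$(printf '%s\n' "$out" | grep 'Server Temp Key:' | head -n 1)
    if [ -z "$line" ]; then
        echo "NO_HANDSHAKE: no Server Temp Key line in output"
        return 1
    fi
    # e.g. "Server Temp Key: DH, 1024 bits" or "Server Temp Key: ECDH, P-256, 256 bits"
    kind=$(printf '%s\n' "$line" | sed -n 's/.*Server Temp Key: *\([A-Za-z0-9]*\),.*/\1/p')
    bits=$(printf '%s\n' "$line" | sed -n 's/.*, *\([0-9][0-9]*\) bits.*/\1/p')
    if [ "$kind" = "DH" ] && [ "${bits:-0}" -lt 2048 ]; then
        # Below the 2048-bit minimum of OpenSSL security level 2 (the RHEL 8/9 default).
        echo "WEAK_DH: ${bits}-bit DH"
        return 1
    fi
    echo "OK: $kind ${bits} bits"
    return 0
}

# Probe a live server. Usage: probe_mysql_dh eos3 3306 ['DEFAULT:!DHE']
# Passing a cipher list without DHE suites, as the first answer does for PHP,
# shows whether the server can still negotiate a non-DH key exchange.
probe_mysql_dh() {
    openssl s_client -connect "$1:${2:-3306}" -starttls mysql -cipher "${3:-DEFAULT}" \
        </dev/null 2>&1 | dh_verdict
}
```

Running `probe_mysql_dh` twice, once with the default cipher list and once with `'DEFAULT:!DHE'`, confirms whether excluding DHE suites is enough for a given client library.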