
I am getting this error when using this command:

ssldir=/home/inet/devel/config/mysql_ssl

mysql \
        -vvvvv \
        -u ***** \
        -p \
        -h eos3 \
        --ssl-ca $ssldir/cacert.pem \
        --ssl-cert $ssldir/server-cert.pem \
        --ssl-key $ssldir/server-key.pem

The eos3 server is on RHEL6, openssl-1.0.1e-fips, MySQL 5.1.73.

I have 3 other servers I am trying to make the connection from:

  • A) RHEL7 mariadb-5.5.68, openssl-1.0.2k-fips
  • B) RHEL8 MySQL 8.0.26, openssl-1.1.1k FIPS
  • C) RHEL9 mariadb-10.5.16, openssl-3.0.1

A and C have no problem connecting, B does, and if I try MySQL 8.0.30 on RHEL9 it also fails.

I am really trying to solve an issue with PHP 8.0 not being able to make an SSL connection to eos3.

I have read a number of posts that say to try relaxing a setting in /etc/ssl/openssl.cnf, but none of my servers have that file, it is in /etc/pki/tls instead. Making this change there didn’t help.

MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=1

The cipherlist returned by EOS3 when making a MySQL SSL connection is:

| Ssl_cipher_list | ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128- |

As far as I can tell my certificate and RSA keys are 2048 bit. It didn’t work when I had 1024 bit ones either, as the documentation says.

When I do get an SSL connection, the Ssl_version is always TLSv1.2, which I expect.
The Ssl_cipher is different between the RHEL7 connection and the RHEL9 connection:

DHE-RSA-AES256-GCM-SHA384 and AES256-GCM-SHA384 respectively.

Why would MariaDB work, but not MySQL? I am hoping if I can get MySQL to work, then PHP would have a better chance of working. Using PEAR.php, DB.php and mysqli_d.php within PHP.

2 Answers


  1. Chosen as BEST ANSWER

    Adding TLS.MinProtocol = TLSv1 on RHEL9 to /etc/pki/tls/openssl.cnf as shown below fixes the problem with MySQL 8.26/8.30

    [ crypto_policy ]
    .include = /etc/crypto-policies/back-ends/opensslcnf.config
    
    # allow mysql command line (et al) to talk to older servers
    TLS.MinProtocol = TLSv1
    

    This doesn't help with PHP, only specifying a cipher list that doesn't include the DH/DHE ciphers to mysqli_set_ssl fixed the issue.


  2. The error says that your server is configured with a DH (Diffie-Hellman) key that is too small, which is considered insecure by recent TLS libraries.

    MySQL 5.1 uses a 512-bit DH key, MySQL 5.7 uses a 2048-bit key (see this commit).

    If you can’t upgrade your systems you could try the following:

    1. Patch viosslfactories.c and recompile MySQL 5.1
    2. Try to specify a cipher suite which doesn’t need DH, e.g. AES256-SHA256.
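Both answers come down to the same workaround: keep the client from negotiating any suite that uses the server's finite-field DH parameters. The helper below is an added example, not code from either answer or from MySQL; it classifies OpenSSL suite names by their key-exchange prefix and filters a server's Ssl_cipher_list (a constructed, shortened sample is embedded) down to a string you could hand to the mysql client's --ssl-cipher option or the cipher argument of mysqli_set_ssl(). Suite names, ordering and the sample list are assumptions for illustration.

```python
# Constructed sample: a handful of entries in the shape of the Ssl_cipher_list
# the eos3 server returns (not the full list from the question).
SAMPLE_SERVER_LIST = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
    "ECDH-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:AES256-SHA256:"
    "DHE-RSA-CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ADH-AES256-SHA"
)

# OpenSSL suite names encode the key exchange in their leading token.
# Elliptic-curve suites never touch the server's DH parameters; every
# finite-field variant (ephemeral, static or anonymous) does.
_ECDH_PREFIXES = ("ECDHE-", "ECDH-", "AECDH-")
_FFDH_PREFIXES = ("DHE-", "DH-", "ADH-", "EDH-")


def key_exchange(suite: str) -> str:
    """Return 'ECDH', 'FFDH' (finite-field Diffie-Hellman), 'PSK' or 'RSA'."""
    name = suite.upper()
    if name.startswith(_ECDH_PREFIXES):
        return "ECDH"
    if name.startswith(_FFDH_PREFIXES):
        return "FFDH"
    if name.startswith("PSK-"):
        return "PSK"
    # No key-exchange prefix means plain RSA key transport (e.g. AES256-SHA256).
    return "RSA"


def drop_ffdh_suites(cipher_list: str) -> list:
    """Keep the server's preference order but drop every suite that would
    negotiate the server's (too small) DH parameters. Empty tokens and a
    truncated trailing name (as in a cut-off SHOW STATUS cell) are discarded
    rather than passed on to the client."""
    kept = []
    for suite in cipher_list.split(":"):
        suite = suite.strip()
        if not suite or suite.endswith("-"):
            continue
        if key_exchange(suite) != "FFDH":
            kept.append(suite)
    return kept


def cipher_string_for_client(cipher_list: str) -> str:
    """Colon-joined list in the form --ssl-cipher / mysqli_set_ssl() expect."""
    return ":".join(drop_ffdh_suites(cipher_list))


if __name__ == "__main__":
    print(cipher_string_for_client(SAMPLE_SERVER_LIST))
```

Feeding the full Ssl_cipher_list from the question through cipher_string_for_client() leaves only the ECDHE, ECDH, plain RSA and PSK suites, which is the kind of list the accepted answer says made mysqli_set_ssl() work.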