I have a MariaDB server running on Debian.
(version: 10.3.34-MariaDB-0+deb10u1-log Debian 10)
I have used the package from the repository, so it was compiled with YaSSL (version 2.4.4).
Therefore the newest SSL version of the server is TLS1.1.
On the client I use Ubuntu 22.04 (5.15.0-52-generic).
The MariaDB client seems to use the locally installed OpenSSL (3.0.2 15 Mar 2022).
When I try to connect to the MariaDB server with this command:
mysql --tls-version=TLSv1.1 -v -v -v --ssl-cert="/home/leon/certs/client-cert.pem" --ssl-key="/home/leon/certs/client-key.pem" -umyuser -hmaria.example.de -p
I get this error:
ERROR 2026 (HY000): SSL connection error: no protocols available
OK, it seems I have to manually activate TLSv1.1 in the client.
So I created an extra cnf file with these lines:
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.1
CipherString = DEFAULT@SECLEVEL=1
And then activated it with:
export OPENSSL_CONF=/etc/ssl/unsafe.cnf
When I try to connect again I get this error:
ERROR 2026 (HY000): SSL connection error: unsafe legacy renegotiation disabled
OK, I need to activate the unsafe legacy renegotiation.
So I have added the following line to the [system_default_sect] in the cnf file:
Options = UnsafeLegacyRenegotiation
But when I try to connect again, I get this error:
ERROR 2026 (HY000): SSL connection error: internal error
Is there something wrong in the cnf-file?
Or is it not possible to activate "UnsafeLegacyRenegotiation" and "TLSv1.1" at the same time?
Thank you for any help or hints!
EDIT: Added the output of this command:
openssl s_client -tls1_1 -starttls mysql python.fairtragen.de:3306
CONNECTED(00000003)
depth=0 CN = python.fairtragen.de, L = Bremen, O = fairtragen GmbH, OU = " ", emailAddress = [email protected], C = DE
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = python.fairtragen.de, L = Bremen, O = fairtragen GmbH, OU = " ", emailAddress = [email protected], C = DE
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = python.fairtragen.de, L = Bremen, O = fairtragen GmbH, OU = " ", emailAddress = [email protected], C = DE
verify return:1
40F70087447F0000:error:0A0C0103:SSL routines:tls_process_key_exchange:internal error:../ssl/statem/statem_clnt.c:2248:
---
Certificate chain
0 s:CN = python.fairtragen.de, L = Bremen, O = fairtragen GmbH, OU = " ", emailAddress = [email protected], C = DE
i:C = DE, ST = Some-State, O = fairtragen GmbH, CN = fairCA, emailAddress = [email protected]
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Apr 20 00:00:00 2021 GMT; NotAfter: Apr 20 00:00:00 2031 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = python.fairtragen.de, L = Bremen, O = fairtragen GmbH, OU = " ", emailAddress = [email protected], C = DE
issuer=C = DE, ST = Some-State, O = fairtragen GmbH, CN = fairCA, emailAddress = [email protected]
---
No client certificate CA names sent
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 2131 bytes and written 176 bytes
Verification error: unable to verify the first certificate
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Session-ID: E81DDD60800D1F4505F5A5D0A273E776EAEDDAF205BD2195092D7132EAAC0F53
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1666861958
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
---
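As an added example (not code from the question, MariaDB or OpenSSL), here is what the mysql client and `openssl s_client -starttls mysql` do on the wire before TLS starts, written in Python: read the plaintext MariaDB greeting, check the CLIENT_SSL capability bit, send the SSLRequest packet, and then run the TLS handshake with an SSLContext carrying the same settings as the openssl.cnf above (MinProtocol TLSv1.1, DEFAULT@SECLEVEL=1, legacy renegotiation allowed). The `sample_greeting` bytes are constructed for offline use and not a real capture; `probe`, the CA file path and the 0x4 fallback constant for SSL_OP_LEGACY_SERVER_CONNECT are assumptions for illustration.

```python
"""Probe a MySQL/MariaDB server's TLS support the way the mysql client and
`openssl s_client -starttls mysql` do: read the plaintext greeting, check the
CLIENT_SSL bit, send SSLRequest, then run TLS with an SSLContext set up like the
question's openssl.cnf. Added example, not code from the question or MariaDB."""
import socket
import ssl
import struct

CLIENT_PROTOCOL_41 = 0x0200
CLIENT_SSL = 0x0800              # the connection can be switched to TLS
CLIENT_SECURE_CONNECTION = 0x8000
# OpenSSL's SSL_OP_LEGACY_SERVER_CONNECT (0x4); ssl.OP_LEGACY_SERVER_CONNECT is
# only exposed by name in Python >= 3.12, so fall back to the raw bit (assumption).
OP_LEGACY_SERVER_CONNECT = getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4)


def parse_handshake_v10(packet):
    """Parse the plaintext Protocol::HandshakeV10 greeting: 3-byte length, 1-byte
    sequence id, protocol version (10), NUL-terminated server version, 4-byte
    connection id, 8 bytes auth data, filler byte, capability flags (low 16),
    charset, status flags, capability flags (high 16)."""
    payload_len = int.from_bytes(packet[0:3], "little")
    payload = packet[4:4 + payload_len]
    if len(payload) != payload_len:
        raise ValueError("truncated handshake packet")
    if payload[0] != 10:
        raise ValueError("not a HandshakeV10 packet (first byte %d)" % payload[0])
    end = payload.index(b"\x00", 1)
    pos = end + 1
    connection_id = struct.unpack_from("<I", payload, pos)[0]
    pos += 4 + 8 + 1                 # connection id, auth data part 1, filler
    cap_low = struct.unpack_from("<H", payload, pos)[0]
    pos += 2 + 1 + 2                 # capability low, charset, status flags
    cap_high = struct.unpack_from("<H", payload, pos)[0]
    capabilities = cap_low | (cap_high << 16)
    return {"server_version": payload[1:end].decode("ascii", "replace"),
            "connection_id": connection_id, "capabilities": capabilities,
            "ssl_supported": bool(capabilities & CLIENT_SSL)}


def build_ssl_request(max_packet=1 << 24, charset=0x21):
    """32-byte SSLRequest (sequence id 1): capabilities, max packet size, charset,
    23 reserved zero bytes. Once the server has read it, TLS starts on the socket."""
    caps = CLIENT_SSL | CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION
    payload = struct.pack("<IIB", caps, max_packet, charset) + b"\x00" * 23
    return len(payload).to_bytes(3, "little") + b"\x01" + payload


def legacy_client_context(cafile=None):
    """SSLContext equivalent of the question's openssl.cnf: MinProtocol = TLSv1.1,
    CipherString = DEFAULT@SECLEVEL=1, Options = UnsafeLegacyRenegotiation."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_1
    ctx.set_ciphers("DEFAULT@SECLEVEL=1")
    ctx.options |= OP_LEGACY_SERVER_CONNECT   # accept a server without RFC 5746
    if cafile:
        ctx.load_verify_locations(cafile)
    else:
        # No private CA at hand: skip verification only to see how far the
        # handshake gets. Never do this for a real connection.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-packet")
        buf += chunk
    return buf


def read_packet(sock):
    """Read exactly one MySQL packet: 4-byte header plus its payload."""
    header = _recv_exact(sock, 4)
    return header + _recv_exact(sock, int.from_bytes(header[:3], "little"))


def probe(host, port=3306, cafile=None):
    """Connect, request TLS and report what was negotiated. A server that aborts
    the handshake surfaces here as ssl.SSLError from wrap_socket, not a result."""
    with socket.create_connection((host, port), timeout=10) as sock:
        info = parse_handshake_v10(read_packet(sock))
        if not info["ssl_supported"]:
            raise RuntimeError("server does not advertise CLIENT_SSL")
        sock.sendall(build_ssl_request())
        ctx = legacy_client_context(cafile)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            info["protocol"], info["cipher"] = tls.version(), tls.cipher()
    return info


def sample_greeting(capabilities):
    """Constructed HandshakeV10 greeting for offline tests (not a real capture)."""
    payload = (b"\x0a" + b"10.3.34-MariaDB-0+deb10u1-log\x00" + struct.pack("<I", 42)
               + b"A" * 8 + b"\x00" + struct.pack("<H", capabilities & 0xFFFF)
               + b"\x08" + struct.pack("<H", 0x0002)          # charset, status flags
               + struct.pack("<H", capabilities >> 16) + b"\x15" + b"\x00" * 10
               + b"B" * 13 + b"mysql_native_password\x00")
    return len(payload).to_bytes(3, "little") + b"\x00" + payload
```

Call `probe("maria.example.de", cafile="/path/to/ca.pem")` against the server. The parsed capability flags tell you beforehand whether the server offers TLS at all; with the yaSSL server from the question the failure then comes out of `wrap_socket` as an `ssl.SSLError`, the same handshake phase in which `s_client` reports `tls_process_key_exchange:internal error`.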
2 Answers
I have found this solution for myself:
On the client:
compile openssl 1.1.1 from source
and install to /usr/local
compile mariadb 10.9 from source with specifying the above openssl version
and install to /usr/local
When I run this command, the client connects to the server!
What did not work:
OpenSSL 3.0 requires renegotiation support from the other side which is not supported by Yassl.
After adding
to a temporary openssl.cnf file, the renegotiation error disappeared, however OpenSSL 3.0 client raises an alert "Internal Error (80)" and terminates the connection after handshake.
I filed an issue in the MariaDB bug system. Since we already replaced YaSSL by WolfSSL in recent server versions, it will likely not be fixed.
As a workaround I would suggest: