tech-pkg archive


mysql SSL regression with OpenSSL 1.0.1p



Hello

With the recent OpenSSL upgrade, DH parameters below 1024 bits are now
refused. MySQL hardcodes 512-bit DH parameters and will therefore fail
to run SSL connections with OpenSSL 1.0.1p.

A possible workaround is to add ssl_cipher=AES256-SHA (or anything else
without DH) in the [client] section of /usr/pkg/etc/my.cnf, but that disables
DH ciphers.

Without disabling DH, a fix is required. It has been done upstream:
https://github.com/mysql/mysql-server/commit/866b988a76e8e7e217017a7883a52a12ec5024b9

I backported this for mysql 5.6.x and committed the patches in:
pkgsrc/databases/mysql56-client/patches/patch-include_violite.h
pkgsrc/databases/mysql56-client/patches/patch-vio_viosslfactories.c

Anyone feel free to backport to earlier versions of MySQL.


-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu%netbsd.org@localhost
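
An added example, not part of the original message or of the pkgsrc/MySQL patches: a standard-library Python check that reads a PKCS#3 `DH PARAMETERS` PEM block and reports whether its prime meets the 1024-bit minimum mentioned above. The function names are illustrative, and the sample parameters are constructed in code (the "prime" has the right size but is not a real prime).

```python
import base64

MIN_DH_BITS = 1024  # minimum quoted in the message above; adjust to local policy
BEGIN, END = "-----BEGIN DH PARAMETERS-----", "-----END DH PARAMETERS-----"

def _read_len(buf, i):
    """Decode the DER length starting at buf[i]; return (length, next index)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    if not 1 <= n <= 4:
        raise ValueError("unsupported DER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _read_int(buf, i):
    """Decode the DER INTEGER whose tag is at buf[i]; return (value, next index)."""
    if buf[i] != 0x02:
        raise ValueError("expected INTEGER")
    length, i = _read_len(buf, i + 1)
    return int.from_bytes(buf[i:i + length], "big"), i + length

def dh_prime_bits(pem):
    """Bit length of the prime p in a PKCS#3 DH PARAMETERS PEM block."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a DH PARAMETERS PEM block")
    der = base64.b64decode("".join(lines[1:-1]))
    if der[:1] != b"\x30":
        raise ValueError("expected SEQUENCE")
    _, i = _read_len(der, 1)
    p, i = _read_int(der, i)
    _read_int(der, i)  # the generator g must parse as well
    return p.bit_length()

def is_acceptable(pem, minimum=MIN_DH_BITS):
    return dh_prime_bits(pem) >= minimum

def _der(tag, body):
    """Encode one DER element (body shorter than 65536 bytes)."""
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + ln + body

def make_sample_pem(bits):
    """Constructed sample: p has the requested size but is NOT a real prime."""
    p = (1 << (bits - 1)) | 1
    ints = [v.to_bytes(v.bit_length() // 8 + 1, "big") for v in (p, 2)]
    der = _der(0x30, b"".join(_der(0x02, b) for b in ints))
    return BEGIN + "\n" + base64.encodebytes(der).decode() + END + "\n"
```

`dh_prime_bits()` also accepts the output of `openssl dhparam`, so it can be pointed at any DH parameter file a server is configured to load.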

