percona56-server with TLSv1.2

Hello,

I have tried installing percona56-server from the ports with the OpenSSL option checked (as it is by default), and I have completed the SSL setup and got everything to work properly, except that I am stuck with TLSv1.
Code:
mysql> \s;
--------------
mysql  Ver 14.14 Distrib 5.6.33-79.0 Percona, for FreeBSD11.0 (amd64) using  EditLine wrapper

Connection id:          1
Current database:
Current user:           root@localhost
SSL:                    Cipher in use is AES256-SHA

mysql> show variables like "%tls%";
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_tlsv1_2  | NO    |
| tls_version   | TLSv1 |
+---------------+-------+
I tried forcing the TLS version in my my.cnf with tls_version=TLSv1.2, but then I get a warning message in the log file:
Code:
2017-01-04 13:09:17 30167 [Warning] Failed to setup SSL
2017-01-04 13:09:17 30167 [Warning] SSL error: NUL
and then SSL is disabled when I connect to the server.
Code:
Current user:           root@localhost
SSL:                    Not in use
Any idea how to get TLSv1.2 working?
Thanks
 
You need to build it using the OpenSSL port instead of the base OpenSSL.

Add to /etc/make.conf:
Code:
DEFAULT_VERSIONS+= ssl=openssl
 
Hello, yes, sorry, I forgot to mention that part; I already have this in my /etc/make.conf.
 
Can you post the output from pkg info -d percona56-server?
 
Code:
db /root >pkg info -d percona56-server
percona56-server-5.6.33.79.0:
        indexinfo-0.2.6
        perl5-5.24.1.r4_1
        percona56-client-5.6.33.79.0

and the Makefile in the ports tree has the following lines with SSL:

Code:
OPTIONS_DEFINE= OPENSSL FASTMTX INNODBMEMCACHED TOKUDB
OPTIONS_DEFAULT=        OPENSSL INNODBMEMCACHED
OPENSSL_CMAKE_ON=       -DWITH_SSL=bundled
 
Yes, exactly, I came across that too on the Percona website; really weird to me.
 
Try not setting any TLS-related settings (like the aforementioned tls_version) and let it figure it out automatically. Perhaps setting some specific options actually makes it fall back to TLSv1.
 
I have removed all ssl settings from my my.cnf, i.e. ssl-cipher / tls_version. The only SSL settings that I have are:

Code:
ssl-ca=/usr/local/etc/mysql/ca-cert.pem
ssl-cert=/usr/local/etc/mysql/server-cert.pem
ssl-key=/usr/local/etc/mysql/server-key.pem

and here's what I get:

Code:
mysql> \s;
--------------
mysql  Ver 14.14 Distrib 5.6.33-79.0 Percona, for FreeBSD11.0 (amd64) using  EditLine wrapper
Connection id:          1
Current database:
Current user:           root@localhost
SSL:                    Cipher in use is DHE-RSA-AES256-SHA

and

Code:
mysql> show variables like "%tls%";
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_tlsv1_2  | NO    |
| tls_version   | TLSv1 |
+---------------+-------+

So basically, apart from the ciphers that have changed, I'm still facing the same issue.
 
I have changed the /usr/ports/databases/percona56-server/Makefile with the following:

Code:
OPENSSL_CMAKE_ON=       -DWITH_SSL=yes

Now I have the proper settings on the server:

Code:
mysql> SHOW GLOBAL VARIABLES LIKE '%tls%';
+---------------+-----------------+
| Variable_name | Value           |
+---------------+-----------------+
| have_tlsv1_2  | YES             |
| tls_version   | TLSv1.1,TLSv1.2 |
+---------------+-----------------+
2 rows in set (0.00 sec)

mysql> SHOW GLOBAL VARIABLES LIKE '%ssl%';
+---------------+--------------------------------------+
| Variable_name | Value                                |
+---------------+--------------------------------------+
| have_openssl  | YES                                  |
| have_ssl      | YES                                  |
| ssl_ca        | /usr/local/etc/mysql/ca-cert.pem     |
| ssl_capath    |                                      |
| ssl_cert      | /usr/local/etc/mysql/server-cert.pem |
| ssl_cipher    |                                      |
| ssl_crl       |                                      |
| ssl_crlpath   |                                      |
| ssl_key       | /usr/local/etc/mysql/server-key.pem  |
+---------------+--------------------------------------+
9 rows in set (0.00 sec)

So it seems fine from the server side... but now the client part is posing problems when I want to use SSL to connect:

Code:
db /root > mysql -u root -pt0t0 --ssl-cert=/usr/local/etc/mysql/client-cert.pem --ssl-key=/usr/local/etc/mysql/client-key.pem
Warning: Using a password on the command line interface can be insecure.
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
 
I'm betting you need to use the same "trick" for the client. I would also suggest creating a PR for it, so the maintainer can fix the port.
 
Unfortunately the same trick for the client doesn't seem to work. Added the same argument in /usr/ports/databases/percona56-client/Makefile. Still getting the same issue.

I have installed /usr/ports/databases/mysql57-client/ on another FreeBSD-11 server, then generated client certificates and tried to connect to the Percona 5.6 server on the other machine; it works well:

Code:
mysql> \s
--------------
mysql  Ver 14.14 Distrib 5.7.15, for FreeBSD11.0 (amd64) using  EditLine wrapper
...
SSL:                    Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
...
Server version:         5.6.33-79.0 Source distribution

Code:
mysql> show status like 'ssl_version';
+---------------+---------+
| Variable_name | Value   |
+---------------+---------+
| Ssl_version   | TLSv1.2 |
+---------------+---------+
1 row in set (0.00 sec)

Will create a PR anyhow. Thanks for your help!
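The client failure above (ERROR 2026 once the server only advertises TLSv1.1,TLSv1.2) is a protocol-version mismatch: the client is built against a library that cannot offer TLSv1.2, so the server has no version in common with it and aborts the handshake. The following is an added example, not code from this thread or from the Percona or FreeBSD ports projects, that reproduces the mechanism with Go's standard library: an in-memory server pinned to TLS 1.2 (what tls_version=TLSv1.2 asks for) is contacted first by a client that can only offer TLS 1.0, the ceiling the bundled-SSL build reported in this thread, and then by a client that can offer up to TLS 1.2. The self-signed ECDSA certificate, the hypothetical "percona-demo" name and the 5-second deadline are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway ECDSA certificate for the in-memory server.
// It is an assumption of this example and stands in for server-cert.pem/server-key.pem.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "percona-demo"}, // hypothetical name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// handshake runs one TLS handshake over an in-memory pipe between a server that
// accepts serverMin..serverMax and a client that offers clientMin..clientMax.
// It returns the negotiated protocol version (0 when the handshake fails) and
// the error the client saw.
func handshake(serverMin, serverMax, clientMin, clientMax uint16) (uint16, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	srvCfg := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             serverMin,
		MaxVersion:             serverMax,
		SessionTicketsDisabled: true, // no post-handshake writes on the synchronous pipe
	}
	cliCfg := &tls.Config{
		InsecureSkipVerify: true, // self-signed demo cert; only the version matters here
		MinVersion:         clientMin,
		MaxVersion:         clientMax,
	}

	cConn, sConn := net.Pipe()
	defer cConn.Close()
	defer sConn.Close()
	// A deadline keeps a failed handshake from hanging the pipe forever.
	deadline := time.Now().Add(5 * time.Second)
	cConn.SetDeadline(deadline)
	sConn.SetDeadline(deadline)

	srvDone := make(chan error, 1)
	go func() {
		srvDone <- tls.Server(sConn, srvCfg).Handshake()
	}()

	client := tls.Client(cConn, cliCfg)
	clientErr := client.Handshake()
	<-srvDone
	if clientErr != nil {
		return 0, clientErr
	}
	return client.ConnectionState().Version, nil
}

// versionName renders a TLS version constant the way mysql's Ssl_version does.
func versionName(v uint16) string {
	switch v {
	case tls.VersionTLS10:
		return "TLSv1"
	case tls.VersionTLS11:
		return "TLSv1.1"
	case tls.VersionTLS12:
		return "TLSv1.2"
	case tls.VersionTLS13:
		return "TLSv1.3"
	}
	return fmt.Sprintf("0x%04x", v)
}

func main() {
	// Server pinned to TLS 1.2, the equivalent of tls_version=TLSv1.2 on the Percona side.
	cases := []struct {
		label                string
		clientMin, clientMax uint16
	}{
		{"client limited to TLSv1 (bundled-SSL build)", tls.VersionTLS10, tls.VersionTLS10},
		{"client offering TLSv1..TLSv1.2 (OpenSSL build)", tls.VersionTLS10, tls.VersionTLS12},
	}
	for _, c := range cases {
		v, err := handshake(tls.VersionTLS12, tls.VersionTLS12, c.clientMin, c.clientMax)
		if err != nil {
			fmt.Printf("%s: handshake failed: %v\n", c.label, err)
			continue
		}
		fmt.Printf("%s: negotiated %s\n", c.label, versionName(v))
	}
}
```

Run it with go run: the first case fails with the server's protocol_version alert, the second negotiates TLSv1.2, the same outcome the mysql57-client run above reports as Ssl_version = TLSv1.2. On a live server, the equivalent check that does not depend on which SSL library any mysql client was built against is openssl s_client -starttls mysql -connect host:3306 -tls1_2 (the mysql STARTTLS mode exists in OpenSSL 1.1.0 and later); its Protocol and Cipher lines show what the server actually negotiated.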
 