Bug 1232207
Summary: | openssl update breaks mysql ssl | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Jan Kurik <jkurik> |
Component: | mysql | Assignee: | Jakub Dorňák <jdornak> |
Status: | CLOSED ERRATA | QA Contact: | qe-baseos-daemons |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 6.7 | CC: | byte, databases-maint, dukrat, erinn.looneytriggs, hhorak, hkario, howey.vernon, huzaifas, it, jdornak, jherrman, jkurik, ksrot, mdshaikh, ovasik, psklenar, rwilliam, thoger, tlavigne, tmraz, yuhongbao_386 |
Target Milestone: | rc | Keywords: | Regression, ZStream |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
With certain versions of OpenSSL, using SSL to log into a MySQL client as root previously failed with a "ERROR 2026 (HY000): SSL connection error" message. This update increases the Diffie-Hellman (DH) key length in MySQL from 512 to 1024 bits, which meets the DH key length requirements for these OpenSSL versions. As a result, SSL can be used as expected in the described scenario.
|
Story Points: | --- |
Clone Of: | 1228755 | Environment: | |
Last Closed: | 2015-06-22 11:14:22 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1228755, 1231960, 1272091 | ||
Bug Blocks: |
Description
Jan Kurik
2015-06-16 09:45:38 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-1129.html Why is this a RHBA and not a RHSA? Especially as the 512-bit DH group is hardcoded making it trivial to break each connection once the initial work is done. (In reply to Yuhong Bao from comment #12) > Why is this a RHBA and not a RHSA? Hi, CVE-2015-4000 (aka Logjam) was assigned by MITRE specifically as a TLS weakness which can lead to the use of export grade ciphers. No other CVEs were assigned. The 512-bit issue can be considered a weakness, that could be exploited only if the prime we shipped was broken. Nevertheless, this issue is not covered under CVE-2015-4000. Since no CVE was assigned for this specific issue, we released the advisory as an RHBA. (In reply to Martin Prpic from comment #14) > (In reply to Yuhong Bao from comment #12) > > Why is this a RHBA and not a RHSA? > > Hi, CVE-2015-4000 (aka Logjam) was assigned by MITRE specifically as a TLS > weakness which can lead to the use of export grade ciphers. No other CVEs > were assigned. The 512-bit issue can be considered a weakness, that could be > exploited only if the prime we shipped was broken. Nevertheless, this issue > is not covered under CVE-2015-4000. Since no CVE was assigned for this > specific issue, we released the advisory as an RHBA. To further elaborate. Though 512 bit primes are known as unsafe and can be broken (with computation), this isnt really a vuln. but more of a security hardening. (In reply to Huzaifa S. Sidhpurwala from comment #15) > (In reply to Martin Prpic from comment #14) > > (In reply to Yuhong Bao from comment #12) > > > Why is this a RHBA and not a RHSA? > > > > Hi, CVE-2015-4000 (aka Logjam) was assigned by MITRE specifically as a TLS > > weakness which can lead to the use of export grade ciphers. No other CVEs > > were assigned. The 512-bit issue can be considered a weakness, that could be > > exploited only if the prime we shipped was broken. Nevertheless, this issue > > is not covered under CVE-2015-4000. Since no CVE was assigned for this > > specific issue, we released the advisory as an RHBA. > > To further elaborate. Though 512 bit primes are known as unsafe and can be > broken (with computation), this isnt really a vuln. but more of a security > hardening. The 512-bit prime has to be broken only once, then it takes much less computation to break individual connections and reveal the encryption keys. |