Bug 1287048 - MySQL is limited to using security protocols from last century
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: mysql
Version: 6.7
Hardware: All
OS: All
Priority: high
Severity: high
Target Milestone: pre-dev-freeze
Target Release: 6.8
Assigned To: Jakub Dorňák
QA Contact: Karel Volný
Blocks: 1057564 1253743 1310222
Reported: 2015-12-01 06:51 EST by Hubert Kario
Modified: 2016-05-10 21:34 EDT
Doc Type: Bug Fix
Last Closed: 2016-05-10 21:34:25 EDT
Type: Bug

Attachments:
- Proposed patch from upstream bug which is not yet accepted in 5.6 and lower (1.79 KB, patch), 2015-12-09 13:43 EST, Honza Horak
- Program to test SSL/TLS versions supported by MySQL/MariaDB server (3.66 KB, text/plain), 2016-01-07 07:24 EST, Tomas Hoger


External Trackers:
- Red Hat Bugzilla 1287053 (CLOSED): PostgreSQL is limited to using obsoleted security protocols, last updated 2018-05-21 05:16 EDT

Description Hubert Kario 2015-12-01 06:51:24 EST
Description of problem:
As described on https://access.redhat.com/articles/1471513 and https://access.redhat.com/articles/1472623 mysql clients and servers cannot be made to negotiate protocol versions higher than TLSv1.0.

This protocol version has had multiple weaknesses discovered since it was published last century. Both the general recommendation[1] and our own[2] are that implementations SHOULD NOT negotiate TLS version 1.0.

Version-Release number of selected component (if applicable):
5.1.73-5.el6_6

How reproducible:
always

Steps to Reproduce:
1. Try to enable support for TLS v1.2

Actual results:
No setting available

Expected results:
TLS v1.2 available by default and negotiated if supported by both sides.

Additional info:
 1 - https://tools.ietf.org/html/bcp195#section-3.1
 2 - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Security_Guide/index.html#sec-Choosing_Algorithms_to_Enable
Comment 1 Honza Horak 2015-12-02 04:46:35 EST
Jakub, how is it in mysql/mariadb 5.5 and 5.6/10.0 that we have shipped in Red Hat Software Collections?
Comment 2 Honza Horak 2015-12-09 13:33:07 EST
There is a related discussion in PostgreSQL bug #1287053.
Also, there is already upstream bug, which is not resolved yet: https://bugs.mysql.com/bug.php?id=75239
Btw. it says MySQL 5.7 supports TLS 1.1 and 1.2.
Comment 3 Honza Horak 2015-12-09 13:43 EST
Created attachment 1104085 [details]
Proposed patch from upstream bug which is not yet accepted in 5.6 and lower

In the bug https://bugs.mysql.com/bug.php?id=75239 there is also a proposed patch, so just attaching it here. However, since it is not back-ported to older, but still supported versions 5.5 and 5.6, I'm not much willing to back-port to 5.1 either.
Comment 4 Honza Horak 2015-12-09 13:46:14 EST
5.7 also added tls_version variable:
https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_tls_version
Comment 5 Honza Horak 2015-12-11 04:09:27 EST
There is a blog about TLS support in MySQL 5.7:
http://mysqlblog.fivefarmers.com/2015/12/10/ssltls-improvements-in-mysql-5-7-10/

Also, based on:
https://mariadb.atlassian.net/browse/MDEV-6975

..which resulted in commit:
http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/4365

..we can see that MariaDB supports TLS 1.2 since 5.5, so the recommendation for customers who require TLS 1.2 is to use MariaDB from Red Hat Software Collections.
Comment 6 Honza Horak 2015-12-14 02:03:55 EST
This is a full patch that came to 5.7:
https://github.com/mysql/mysql-server/commit/ef4fcf760a2d3b098a475323e289a6cab57020ab
Comment 7 Tomas Hoger 2016-01-07 06:28:25 EST
(In reply to Honza Horak from comment #5)
> Also, based on:
> https://mariadb.atlassian.net/browse/MDEV-6975
> 
> ..which resulted in commit:
> http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/4365
> 
> ..we can see that MariaDB supports TLS 1.2 since 5.5,

Note that as discussed in MDEV-6975, rev 4369 should also be included if backporting the above change to ensure that SSLv3 and SSLv2 are not also enabled by the change.

http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/4369
Comment 8 Tomas Hoger 2016-01-07 07:22:47 EST
(In reply to Tomas Hoger from comment #7)
> http://bazaar.launchpad.net/~maria-captains/maria/5.5/revision/4369

This change was later replaced by an equivalent change merged from MySQL:

https://github.com/MariaDB/server/commit/fe4c4ab914d82af1a1cb2e1bca78c8dcfbc57d4d

(In reply to Honza Horak from comment #1)
> Jakub, how is it in mysql/mariadb 5.5 and 5.6/10.0 that we have shipped in
> Red Hat Software Collections?

The current RHSCL versions:

- mariadb 5.5.44 and 10.0.20 - include fixes from comment 5, comment 6, and comment 7, so enables the highest protocol version supported by the underlying OpenSSL

- mysql 5.5.45 and 5.6.26 - only include the above commit fe4c4ab9, but still use TLSv1_*_method. Hence TLS 1.0 is the only version enabled, and the fe4c4ab9 change is redundant.

MDEV-6975 includes a testing program that should allow checking which protocol versions are supported by a MySQL / MariaDB server:

https://mariadb.atlassian.net/secure/attachment/36210/mysql-tls-ver-test.c
Comment 9 Tomas Hoger 2016-01-07 07:24 EST
Created attachment 1112434 [details]
Program to test SSL/TLS versions supported by MySQL/MariaDB server

(Local copy of https://mariadb.atlassian.net/secure/attachment/36210/mysql-tls-ver-test.c)
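The attached C program from MDEV-6975 answers the question "which TLS versions does this server negotiate"; the following is an added Python example of the same check, not the attachment or any MySQL/MariaDB code. It implements the MySQL protocol's in-band TLS upgrade (read the server greeting, check the CLIENT_SSL capability bit, send an SSLRequest packet, then start the TLS handshake pinned to one protocol version); the host, port and the packet bytes used for testing are assumptions.

```python
"""Probe which TLS protocol versions a MySQL/MariaDB server will negotiate."""
import socket
import ssl
import struct

# MySQL capability flags (constants from the MySQL client/server protocol)
CLIENT_PROTOCOL_41 = 0x0200
CLIENT_SSL = 0x0800
CLIENT_SECURE_CONNECTION = 0x8000

def parse_greeting(packet: bytes) -> dict:
    """Read the server version and CLIENT_SSL bit from the initial handshake packet."""
    length = int.from_bytes(packet[0:3], "little")   # 3-byte payload length, then sequence id
    payload = packet[4:4 + length]
    if payload[0] != 10:
        raise ValueError("unexpected handshake protocol version %d" % payload[0])
    end = payload.index(b"\0", 1)                    # server version string is NUL-terminated
    version = payload[1:end].decode("ascii", "replace")
    # connection id (4) + auth-plugin-data-part-1 (8) + filler (1) precede the low capability bytes
    caps_at = end + 1 + 4 + 8 + 1
    caps_low = int.from_bytes(payload[caps_at:caps_at + 2], "little")
    return {"server_version": version, "ssl": bool(caps_low & CLIENT_SSL)}

def ssl_request_packet() -> bytes:
    """Build Protocol::SSLRequest (sequence id 1): caps, max packet size, charset, 23 zero bytes."""
    caps = CLIENT_PROTOCOL_41 | CLIENT_SSL | CLIENT_SECURE_CONNECTION
    payload = struct.pack("<IIB", caps, 16 * 1024 * 1024, 33) + b"\0" * 23
    return len(payload).to_bytes(3, "little") + b"\x01" + payload

def probe(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> bool:
    """True if the server completes a TLS handshake pinned to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE        # protocol support is under test, not the certificate
    ctx.minimum_version = ctx.maximum_version = version
    try:                                   # modern OpenSSL refuses TLS 1.0/1.1 at its default security level
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass                               # not an OpenSSL build; keep the library defaults
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if not parse_greeting(sock.recv(4096))["ssl"]:
            return False                   # server was built without SSL or has it disabled
        sock.sendall(ssl_request_packet())
        try:
            with ctx.wrap_socket(sock) as tls:
                return tls.version() is not None
        except (ssl.SSLError, OSError):
            return False                   # handshake rejected: this version is not enabled
```

Call `probe(host, 3306, v)` for each `v` in `ssl.TLSVersion.TLSv1`, `TLSv1_1` and `TLSv1_2`; a server affected by this bug returns True only for TLSv1.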
Comment 10 Tomas Hoger 2016-01-07 07:26:48 EST
(In reply to Tomas Hoger from comment #8)
> - mariadb 5.5.44 and 10.0.20 - include fixes from comment 5, comment 6, and
> comment 7, so enables the highest protocol version supported by the
> underlying OpenSSL

Correction: the above should say comment 5 (rev 4365), comment 7 (rev 4369) and comment 8 (git fe4c4ab9).
Comment 23 errata-xmlrpc 2016-05-10 21:34:25 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0979.html
