MariaDB 10.4.13 and ECDHE cipher suites


Hello,

Does MariaDB actually implement ECDHE cipher suites or not?

After several tests with clients supporting ECDHE ciphers and offering them during the "client hello", the cipher chosen in the "server hello" is never ECDHE.

:(none)> SHOW GLOBAL VARIABLES LIKE 'have_openssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl  | YES   |
+---------------+-------+
1 row in set (0.001 sec)
:(none)> SHOW GLOBAL VARIABLES LIKE 'version_ssl_library';
+---------------------+----------------------------------+
| Variable_name       | Value                            |
+---------------------+----------------------------------+
| version_ssl_library | OpenSSL 1.0.2k-fips  26 Jan 2017 |
+---------------------+----------------------------------+
1 row in set (0.001 sec)
~]# ldd /opt/mysql/na/10.4.13/sbin/mysqld | grep libcrypto
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f5024bfc000)

In my.cnf

...
ssl_cipher=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!aECDH:!RC4
...

So, could you please confirm whether it is possible to negotiate ECDHE ciphers with a MariaDB Server?

Did I miss something?

Thanks a lot.

Michel
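
Added example, not part of the original question and not MariaDB or OpenSSL code: a small linter that splits an `ssl_cipher` value using the separators OpenSSL documents for cipher lists (colon, comma, space) and flags entries that do not fit the "optional `!`, `-` or `+` prefix, then a name" form. The function names are hypothetical, and the check is purely textual: it does not query the server or predict what a given OpenSSL build negotiates.

```python
import re

# ssl_cipher value copied verbatim from the my.cnf excerpt in the question.
SSL_CIPHER = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!aECDH:!RC4"
)

SEPARATORS = re.compile(r"[:, ]+")  # separators documented for cipher lists
OPERATORS = "!-+"                   # optional prefix on each entry
NAME_OK = re.compile(r"[A-Za-z0-9.=@+_-]+")  # '+' joins keywords, '@' for @STRENGTH


def parse_cipher_list(value):
    """Split a cipher list into (operator, name) pairs."""
    items = []
    for token in SEPARATORS.split(value.strip()):
        if not token:
            continue
        op = token[0] if token[0] in OPERATORS else ""
        items.append((op, token[len(op):]))
    return items


def lint_cipher_list(value):
    """Return warnings for entries that do not fit the documented grammar."""
    warnings = []
    for op, name in parse_cipher_list(value):
        if "!" in name:
            left, right = name.split("!", 1)
            warnings.append(f"{op}{name}: '!' inside an entry; separator "
                            f"probably missing between {left} and !{right}")
        elif not NAME_OK.fullmatch(name):
            warnings.append(f"{op}{name}: unexpected characters")
    return warnings


def ecdhe_entries(value):
    """Entries without an operator prefix whose name starts with ECDHE-."""
    return [n for op, n in parse_cipher_list(value)
            if op == "" and n.startswith("ECDHE-")]


if __name__ == "__main__":
    print(len(ecdhe_entries(SSL_CIPHER)), "ECDHE entries requested")
    for warning in lint_cipher_list(SSL_CIPHER):
        print("warning:", warning)
```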
