Ubuntu 20.04 requires TLSv1.2 while MariaDB 10.3/YaSSL only supports max TLSv1.1

Bug #1885632 reported by Harry Coin
This bug affects 2 people

Affects                Status        Importance  Assigned to      Milestone
mariadb-10.3 (Ubuntu)  Won't Fix     Medium      Otto Kekäläinen
mariadb-10.5 (Ubuntu)  Fix Released  Undecided   Otto Kekäläinen

Bug Description

MariaDB 10.3 as provided by Ubuntu and shipped in LTS is compiled against YaSSL version 2.4.4, which supports a maximum TLS version of 1.1 as I understand it. See: https://ubuntuforums.org/showthread.php?t=2420831

Focal's minimum TLS requirement is higher, TLS v1.2, as discussed here: https://discourse.ubuntu.com/t/default-to-tls-v1-2-in-all-tls-libraries-in-20-04-lts/12464/3

As a result, all attempts to use SSL that worked pre-focal now hit a hard failure such as:

ERROR 2026 (HY000): SSL connection error: The TLS connection was non-properly terminated.

and via libraries:

Unable to open database: SSL connection error: error:1408F10B:SSL routines:ssl3_get_record:wrong version number

Upstream offers a focal repository, so hopefully this won't be a hard one to merge into standard Ubuntu, since basically without some fix SSL/TLS via mariadb is broken entirely on an LTS version -- and that for 5 years, as they say, needs a close look. I suspect there are other compatibility issues preventing it, but as 'upgrading to focal' killed several web servers -- some sort of pragmatic work-around needs doing.

Until then:

sudo apt-get install software-properties-common
sudo apt-key adv --fetch-keys 'https://mariadb.org/mariadb_release_signing_key.asc'
sudo add-apt-repository 'deb [arch=amd64,arm64,ppc64el] http://ftp.utexas.edu/mariadb/repo/10.5/ubuntu focal main'

Hope this helps someone...
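
The version mismatch described in the report can be confirmed from the client side. The script below is an added example, not part of the original report or of any MariaDB or Ubuntu tooling; it assumes OpenSSL 1.1.1 or later on the probing host (for `s_client -starttls mysql`), and the sample output and the host name `db.example.internal` are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report): check whether a MariaDB/MySQL
# server can negotiate TLSv1.2 or newer, the minimum Ubuntu 20.04 accepts.
# Assumes OpenSSL >= 1.1.1 on the probing host (needed for -starttls mysql).

# Read `openssl s_client` output on stdin; print the negotiated protocol,
# or nothing when the handshake failed (s_client then reports cipher 0000).
negotiated_protocol() {
  awk -F': *' '
    /^ *Protocol *:/ { proto = $2 }
    /^ *Cipher *:/   { if ($2 != "0000" && $2 != "(NONE)") ok = 1 }
    END { if (ok && proto != "") print proto }'
}

# Succeed only for protocol versions that satisfy the focal minimum.
meets_focal_minimum() {
  case "$1" in TLSv1.2|TLSv1.3) return 0 ;; *) return 1 ;; esac
}

# probe_server HOST:PORT -> one line per attempted version.
# Only 1.2 and 1.3 are tried: a focal client refuses older versions itself.
probe_server() {
  for flag in tls1_2 tls1_3; do
    proto=$(openssl s_client -starttls mysql -connect "$1" "-$flag" \
              </dev/null 2>/dev/null | negotiated_protocol)
    if meets_focal_minimum "$proto"; then echo "$flag: ok ($proto)"
    else echo "$flag: no handshake"; fi
  done
}

# Constructed s_client excerpts (not captured from a real server).
SAMPLE_OK='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_FAIL='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

# Live probe only when a target is given (placeholder host):
#   ./probe.sh db.example.internal:3306
if [ "$#" -gt 0 ]; then probe_server "$1"; fi
```

If neither attempt completes a handshake against a server that otherwise accepts connections, the server tops out below TLSv1.2 or has TLS disabled.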

Otto Kekäläinen (otto) wrote :

Hello!

If this issue is still relevant, and you have a suggestion how to fix
it, please file a Merge Request on Salsa as a proposal. Thanks!

https://wiki.debian.org/Teams/MySQL/patches

Otto Kekäläinen (otto) wrote :

Alternatively you could seek out commercial support at https://mariadb.com/services/technical-support-services/ since Canonical does not offer support for MariaDB.

summary: - Focal requires tls > mariadb rev has. ssl dead, websites down on
- upgrade
+ Focal requires tls > mariadb rev
Harry Coin (hcoin) wrote : Re: Focal requires tls > mariadb rev

Thanks Otto.

It would be an appreciated add-on to the bug reporting system if your firm would add a little alert when it accepts a bug submission to a package that's not in the 'main' repository so we users get a gentle reminder we ought not expect help of the sort the 'main' packages get.

Otto Kekäläinen (otto) wrote :

Harry: I am not currently involved in any company providing paid support for any package. If you need paid support, please reach out to the mentioned companies.

Changed in mariadb-10.3 (Ubuntu):
assignee: nobody → Otto Kekäläinen (otto)
importance: Undecided → Medium
Harry Coin (hcoin) wrote :

Otto, thanks for the repeated reminder. Kindly note upstream includes an Ubuntu repo that fixes this problem. Interested people can get the answer to this problem by following this link:

https://downloads.mariadb.org/mariadb/repositories/#distro=Ubuntu&distro_release=focal--ubuntu_focal&mirror=digitalocean-sfo&version=10.5

As of this writing, the steps to fix this bug without waiting or relying on Ubuntu/Canonical are:

sudo apt-get install software-properties-common
sudo apt-key adv --fetch-keys 'https://mariadb.org/mariadb_release_signing_key.asc'
sudo add-apt-repository 'deb [arch=amd64,arm64,ppc64el] http://sfo1.mirrors.digitalocean.com/mariadb/repo/10.5/ubuntu focal main'

Otto, with that you can close this report.

Otto Kekäläinen (otto) wrote :

You are now comparing to an upstream version that is
1. Version 10.5 in upstream, not 10.3 as in Ubuntu
2. Built against OpenSSL in upstream, not against YaSSL as Debian/Ubuntu policy requires

I would keep this report open as documentation that SSL/TLS for MariaDB 10.3 in Ubuntu 20.04 does not work at the moment.

Otto Kekäläinen (otto) wrote :

We could in theory backport https://github.com/mariadb/server/commit/5e4b657dd44dce601c91bc77a41f6e382bc32000 to MariaDB 10.3 in Ubuntu, if the Ubuntu 20.04 "release managers" would allow such a stable update upload.

Somebody would need to step up and champion it. I don't have the time to take on the communication effort it would need.

Related upstream issue: https://jira.mariadb.org/browse/MDEV-18531

summary: - Focal requires tls > mariadb rev
+ Ubuntu 20.04 requires TLSv1.2 while MariaDB 10.3/YaSSL only supports max
+ TLSv1.1
Changed in mariadb-10.3 (Ubuntu):
status: New → Confirmed
Otto Kekäläinen (otto) wrote :

This will never be fixed for MariaDB 10.3, but it has been fixed for MariaDB 10.5 since it was allowed to use OpenSSL in Debian:
https://salsa.debian.org/mariadb-team/mariadb-10.5/-/commit/ca2574aa88434d1c49456c677b7dcb904902daaf

And we are even automatically testing SSL connections in Salsa-CI:
https://salsa.debian.org/mariadb-team/mariadb-10.5/-/commit/23376b43714be4dbb53782b3ef1fa7b7eff24daf

Changed in mariadb-10.3 (Ubuntu):
status: Confirmed → Won't Fix
Changed in mariadb-10.5 (Ubuntu):
status: New → Fix Released
assignee: nobody → Otto Kekäläinen (otto)