Cipher ECDHE-RSA-AES128-GCM-SHA256 listed in man/Ssl_cipher_list, not supported

Bug #1622034 reported by Sveta Smirnova on 2016-09-09
This bug affects 1 person
Affects          Status                  Importance   Assigned to         Milestone
MySQL Server     Unknown                 Unknown
Percona Server   Status tracked in 5.7
  5.5                                    Medium       Laurynas Biveinis
  5.6                                    Medium       Laurynas Biveinis
  5.7                                    Medium       Laurynas Biveinis

Bug Description

Description:
Cipher ECDHE-RSA-AES128-GCM-SHA256 is listed in the list of supported ciphers at https://dev.mysql.com/doc/refman/5.7/en/secure-connection-protocols-ciphers.html, but in practice it is not supported.

How to repeat:
Download 5.7.15, start it with SSL support. Try to connect using ECDHE-RSA-AES128-GCM-SHA256.

Suggested fix:
Support ECDHE-RSA-AES128-GCM-SHA256.

The customer provided a patch which fixes the issue:

-bash-4.1$ cat patches/viossl.patch
--- percona-server-5.6.31-77.0/vio/viosslfactories.c.orig 2016-07-26 02:51:18.881251868 +0000
+++ percona-server-5.6.31-77.0/vio/viosslfactories.c 2016-07-26 18:30:45.016767477 +0000
@@ -329,6 +329,7 @@
const long ssl_ctx_flags)
{
DH *dh;
+ EC_KEY *ecdh;
struct st_VioSSLFd *ssl_fd;
long ssl_ctx_options= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
int ret_set_cipherlist= 0;
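Review bot: the new `EC_KEY *ecdh;` declaration (and the OpenSSL EC calls it feeds later in the patch) is not guarded for builds where the EC API does not exist: MySQL/Percona Server can be built against the bundled yaSSL (WITH_SSL=bundled) instead of OpenSSL, and OpenSSL itself can be configured with OPENSSL_NO_EC. Wrap the declaration and the ECDH block in the OpenSSL-only guard this file already uses plus `!defined(OPENSSL_NO_EC)` so those builds keep compiling. Also, the patch is against percona-server-5.6.31-77.0 while the report is for 5.7.15; the same change has to be carried to the 5.7 copy of viosslfactories.c.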
@@ -498,6 +499,18 @@
}
DH_free(dh);

+ /* ECDH stuff */
+ ecdh = EC_KEY_new_by_curve_name (NID_X9_62_prime256v1);
+ if (! ecdh)
+ {
+ DBUG_PRINT("error", ("ECDH key fail"));
+ }
+ if (1 != SSL_CTX_set_tmp_ecdh (ssl_fd->ssl_context, ecdh))
+ {
+ DBUG_PRINT("error", ("ECDH set fail"));
+ }
+ EC_KEY_free (ecdh);
+
DBUG_PRINT("exit", ("OK 1"));

DBUG_RETURN(ssl_fd);
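Review bot: a NULL `ecdh` is not handled: when `EC_KEY_new_by_curve_name` fails, the code only emits a DBUG_PRINT (compiled out of release builds) and then still calls `SSL_CTX_set_tmp_ecdh (ssl_fd->ssl_context, ecdh)` with a NULL key and `EC_KEY_free (ecdh)` on NULL. Both `DBUG_PRINT("error", ...)` branches should fail the context creation (free what has been allocated and return NULL with an error code) instead of handing back an SSL_CTX that silently cannot negotiate any ECDHE suite, which is exactly the symptom this report is about. Two further points: the curve is hard-coded to NID_X9_62_prime256v1, so a client that offers only other curves still cannot negotiate ECDHE; on OpenSSL 1.0.2 `SSL_CTX_set_ecdh_auto(ctx, 1)` lets the library pick a curve the client supports, and OpenSSL 1.1.0 does that by default (SSL_CTX_set_tmp_ecdh still works there). The `EC_KEY_free (ecdh)` after a successful `SSL_CTX_set_tmp_ecdh` is correct, since the context keeps its own copy of the key.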

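The "How to repeat" step above can be checked without the mysql client. The following is an added example for this report (it is not part of the report or of Percona Server): it speaks just enough of the MySQL wire protocol to read the server's HandshakeV10 packet, confirm that the server advertises the CLIENT_SSL capability, send an SSLRequest packet, and then run a TLS handshake restricted to the one suite under test, so the result tells you directly whether the server can negotiate ECDHE-RSA-AES128-GCM-SHA256. The host/port defaults, the pinning to TLS 1.2, and the two sample handshake packets embedded for offline use are assumptions made here, not captured from a real server.

```python
"""Probe whether a MySQL-protocol server negotiates a given TLS cipher suite.

Added example for bug #1622034; not code from the report or from Percona Server.
The sample packets below are constructed for offline testing.
"""
import socket
import ssl
import struct

# MySQL capability flags (protocol 4.1 layout).
CLIENT_PROTOCOL_41 = 0x0200
CLIENT_SSL = 0x0800                 # bit 11: peer supports switching to TLS
CLIENT_SECURE_CONNECTION = 0x8000
CLIENT_PLUGIN_AUTH = 0x00080000


def _recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes the connection."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-packet")
        buf += chunk
    return buf


def read_packet(sock):
    """Read one MySQL packet: 3-byte LE payload length, 1-byte sequence id, payload."""
    header = _recv_exact(sock, 4)
    length = header[0] | (header[1] << 8) | (header[2] << 16)
    return header[3], _recv_exact(sock, length)


def parse_handshake_v10(payload):
    """Return (server_version, 32-bit capability flags) from a HandshakeV10 payload."""
    if payload[0] == 0xFF:
        raise ConnectionError("server sent an ERR packet instead of a handshake")
    if payload[0] != 0x0A:
        raise ValueError("unsupported handshake protocol version %d" % payload[0])
    end = payload.index(b"\x00", 1)                 # server version is NUL-terminated
    server_version = payload[1:end].decode("ascii", "replace")
    pos = end + 1
    pos += 4                                        # connection id
    pos += 8                                        # auth-plugin-data-part-1
    pos += 1                                        # filler
    cap_lower = struct.unpack_from("<H", payload, pos)[0]
    pos += 2
    pos += 1                                        # character set
    pos += 2                                        # status flags
    cap_upper = struct.unpack_from("<H", payload, pos)[0]
    return server_version, (cap_upper << 16) | cap_lower


def build_ssl_request(charset=33, max_packet=1 << 24):
    """Build the SSLRequest packet (seq 1): 4-byte caps, 4-byte max packet, charset, 23 zero bytes."""
    caps = CLIENT_SSL | CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
    payload = struct.pack("<IIB23x", caps, max_packet, charset)
    return struct.pack("<I", len(payload))[:3] + bytes([1]) + payload


def negotiated_cipher(host, port=3306, cipher="ECDHE-RSA-AES128-GCM-SHA256", timeout=5.0):
    """Connect, switch to TLS, and return (server_version, negotiated cipher name).

    Raises ssl.SSLError (typically a handshake-failure alert) when the server
    cannot negotiate the requested suite, which is the symptom this bug describes.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE                 # testing key exchange, not server identity
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2    # TLS 1.3 ignores set_ciphers(); pin so the
    ctx.set_ciphers(cipher)                         # ECDHE-RSA suite is what gets tested
    with socket.create_connection((host, port), timeout=timeout) as sock:
        _, payload = read_packet(sock)
        version, caps = parse_handshake_v10(payload)
        if not caps & CLIENT_SSL:
            raise RuntimeError("%s does not advertise CLIENT_SSL (server started without SSL)" % version)
        sock.sendall(build_ssl_request())
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return version, tls.cipher()[0]


def _constructed_handshake(cap_lower):
    """Constructed HandshakeV10 payload (not a real capture) with the given lower capability word."""
    return (b"\x0a" + b"5.7.15-log\x00" + struct.pack("<I", 7) + b"abcdefgh" + b"\x00"
            + struct.pack("<H", cap_lower) + b"\x21" + struct.pack("<H", 0x0002)
            + struct.pack("<H", 0x81FF) + b"\x15" + b"\x00" * 10
            + b"ijklmnopqrst\x00" + b"mysql_native_password\x00")


# 0xFFFF is what a 5.7 server started with SSL advertises in the lower word; 0xF7FF lacks CLIENT_SSL.
SAMPLE_HANDSHAKE_SSL = _constructed_handshake(0xFFFF)
SAMPLE_HANDSHAKE_NO_SSL = _constructed_handshake(0xF7FF)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(negotiated_cipher(host))
```

Run it against the test server (`python3 probe.py dbhost`): a server with the fix prints the ECDHE suite; a server without it raises a handshake-failure alert even though the suite is in its documented list. The same check from the stock tools is `mysql --ssl-cipher=ECDHE-RSA-AES128-GCM-SHA256 -e "SHOW STATUS LIKE 'Ssl_cipher'"` or, with OpenSSL 1.1.1 or later, `openssl s_client -starttls mysql -cipher ECDHE-RSA-AES128-GCM-SHA256 -connect dbhost:3306`. Note that the symptom depends on what the server binary links: with OpenSSL 1.0.x the server must set an ECDH key as the patch does, OpenSSL 1.1.0 and later select a curve automatically, and yaSSL builds have no ECDHE suites at all.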