Since the latest openssl upgrade on my Debian server, my mysql clients are unable to connect and give the following message:
SSL connection error: error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small
I guess this is to prevent Logjam attacks.
Thanks to https://weakdh.org/sysadmin.html I know how I can generate stronger Diffie-Hellman parameters. However, I don't find any MySQL configuration option to actually use those.
Does anyone know?
The MySQL 5.7.6 release notes contain the following:
Security Fix: Due to the LogJam issue (https://weakdh.org/), OpenSSL has changed the Diffie-Hellman key length parameters for openssl-1.0.1n and up. OpenSSL has provided a detailed explanation at http://openssl.org/news/secadv_20150611.txt. To adopt this change in MySQL, the key length used in vio/viosslfactories.c for creating Diffie-Hellman keys has been increased from 512 to 2,048 bits. (Bug #77275, Bug #21221862, Bug #18367167, Bug #21307471)
It appears from this that the DH size was hardcoded to 512 bits in MySQL before 5.7.6 (permanent logjam?). As later versions of OpenSSL reject these weak keys, upgrading OpenSSL without upgrading MySQL appears to break things.
We were able to fix our connection problems by forcing the use of a non-Diffie-Hellman SSL cipher.
With our mysql 5.5.42 Linux client we had success with specifying the
--ssl-cipher=AES256-SHA
command-line option, as specified in this bug report. Our (Java 7) MySQL 5.1.35 JDBC client, however, did not like that cipher, but worked when we specified
enabledSSLCipherSuites=TLS_RSA_WITH_AES_128_CBC_SHA
in our connection string, as recommended here. YMMV.
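The two answers above give the diagnosis (a 512-bit DH group hardcoded in MySQL before 5.7.6) and a client-side workaround (pin a cipher with RSA key exchange). The script below is an added example, not code from the question or either answer: it shows how to confirm what DH size a server is actually offering, using the "Server Temp Key" line that openssl s_client prints, and wraps the --ssl-cipher workaround in a helper. It assumes OpenSSL 1.1.0 or newer on the client (for the -starttls mysql option and the @SECLEVEL cipher-string syntax), a mysql client on PATH, and placeholder host/port values; the sample s_client excerpt at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the question or either answer). Assumptions:
# OpenSSL >= 1.1.0 on the client (for "-starttls mysql" and "@SECLEVEL"),
# a mysql client on PATH, and a server reachable at the host/port given.

# Read "openssl s_client" output on stdin and print the bit size of the
# server's ephemeral DH key. Prints 0 when the handshake used no finite-field
# DH at all (RSA or ECDHE key exchange), which is exactly what pinning
# AES256-SHA achieves on the client side.
dh_bits_from_s_client() {
    awk '
        /Server Temp Key: DH,/ && !found {
            for (i = 1; i <= NF; i++)
                if ($i == "bits") { print $(i - 1); found = 1 }
        }
        END { if (!found) print 0 }
    '
}

# Succeed when the DH size meets the 2048-bit floor adopted by the MySQL
# 5.7.6 fix (and recommended by weakdh.org). 0 bits passes because no DH
# group was negotiated at all.
dh_ok() {
    [ "$1" -eq 0 ] || [ "$1" -ge 2048 ]
}

# Probe a live server. @SECLEVEL=0 tells OpenSSL to tolerate a weak group so
# the handshake completes and the "Server Temp Key" line is printed; without
# it a modern client aborts with the "dh key too small" error from the
# question, which is itself the diagnosis. Not run in the demo below.
probe_server_dh() {
    host=${1:-127.0.0.1}   # placeholder
    port=${2:-3306}        # placeholder
    openssl s_client -connect "$host:$port" -starttls mysql \
        -cipher 'DEFAULT:@SECLEVEL=0' </dev/null 2>/dev/null \
        | dh_bits_from_s_client
}

# Client-side workaround for a server that cannot be upgraded yet: pin a
# cipher with RSA key exchange so the server never sends DH parameters.
# Any further mysql options (-h, -u, -p, --ssl-ca ...) are passed through.
mysql_no_dh() {
    mysql --ssl-cipher=AES256-SHA "$@"
}

# Demo on a constructed s_client excerpt: what an unpatched MySQL < 5.7.6
# server reports when inspected through SECLEVEL=0.
sample='Server Temp Key: DH, 512 bits'
bits=$(printf '%s\n' "$sample" | dh_bits_from_s_client)
if dh_ok "$bits"; then
    echo "DH key $bits bits: fine"
else
    echo "DH key $bits bits: upgrade MySQL to >= 5.7.6, or connect with mysql_no_dh"
fi
```

After upgrading the server, run probe_server_dh again: a 5.7.6+ server should report 2048 bits, at which point the cipher pin can be dropped so that forward-secret DHE/ECDHE suites are negotiated again.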