[debian-mysql] Bug#851132: /usr/sbin/mysqld: ssl_ciphers not working; mariadb built without TLS support?

Clint Byrum spamaps at debian.org
Thu Jan 26 09:20:59 UTC 2017


Excerpts from Georg Richter's message of 2017-01-19 20:04:19 +0100:
> Hi Clint,
> 
> I didn't check the compatibility layer for TLS/SSL stuff, there is no layer
> for crypto and hashing. I did a quick hack framework for crypto wrapper
> (supporting OpenSSL, WolfSSL and GnuTLS) at http://github.com/9EOR9/mrl.
> 
> A main difference between OpenSSL and WolfSSL is that WolfSSL always
> expects a CA from the client - if you don't specify one, verification needs to
> be skipped/turned off explicitly - I'm also not sure if the compatibility
> layer works well for OpenSSL 1.1 (which had a bunch of incompatible API
> changes).
> 
> The best solution for MariaDB would be a wrapper library which could be
> used by both MariaDB Server and Connector/C - however WolfSSL would not fit
> for LGPL licensed Connector/C since it's GPL/commercial licensed.
> 
> Also the GnuTLS compatibility layer didn't work well; another hack/proof of
> concept for Yassl replacement by GnuTLS can be found at
> https://github.com/MariaDB/server/tree/10.2-good_bye_yassl.
> 
> We are aware of all the Yassl problems (no TLS v1.2 and 1.3, no session
> ticket support, no session renegotiation, missing ciphers, limited block
> cipher support, etc.) and are working on it. Connector/C 3.0 already
> supports GnuTLS besides OpenSSL, and SChannel for Windows platforms.
> 

What a mess!

Note that WolfSSL includes WolfCrypt, so there are at least native crypto
primitives, just not in the OpenSSL compat layer.

However, it sounds like the way to go is probably to just use GnuTLS's
API directly rather than try and make it all work with the compatibility
layers.

IMO this is going to have to be addressed _rapidly_, as it sounds like
YaSSL is a security nightmare at this point.
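As an added example (not part of this thread, and not code from the MariaDB or Debian projects), the following POSIX shell script answers the two questions this bug raises from an operator's side: which TLS backend a mysqld binary is actually linked against, and whether a live connection is negotiating a protocol version that bundled YaSSL cannot provide. The classification relies on shared-library names in `ldd` output; the bundled YaSSL is compiled in statically, so it leaves no shared-library trace and shows up as "none-or-static", which then has to be confirmed with `SHOW VARIABLES LIKE 'have_ssl'` (YES/NO/DISABLED) and `SHOW STATUS LIKE 'Ssl_version'`. The `ldd` samples embedded below are constructed for illustration, not real system output.

```shell
#!/bin/sh
# Added example: classify the TLS backend of a mysqld build and sanity-check
# the negotiated TLS version. Not from the bug thread or the MariaDB project.

# tls_backend_from_ldd TEXT
#   TEXT is the output of `ldd /usr/sbin/mysqld`. Prints one of:
#   openssl | gnutls | wolfssl | none-or-static
#   "none-or-static" covers both a build without TLS and a build with the
#   bundled (statically linked) yaSSL; disambiguate with
#   SHOW VARIABLES LIKE 'have_ssl' (NO = not built in, DISABLED = built in
#   but not configured, YES = active).
tls_backend_from_ldd() {
    if printf '%s\n' "$1" | grep -q 'libssl\.so'; then
        echo openssl
    elif printf '%s\n' "$1" | grep -q 'libgnutls\.so'; then
        echo gnutls
    elif printf '%s\n' "$1" | grep -q 'libwolfssl\.so'; then
        echo wolfssl
    else
        echo none-or-static
    fi
}

# tls_version_ok VERSION
#   VERSION is the value of the Ssl_version status variable as reported by
#   SHOW STATUS LIKE 'Ssl_version' on a TLS connection. Returns 0 only for
#   TLS 1.2 or 1.3; YaSSL tops out at TLS 1.1, so anything else (including an
#   empty value, meaning no TLS at all) is flagged.
tls_version_ok() {
    case "$1" in
        TLSv1.2|TLSv1.3) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample ldd output (addresses and paths are placeholders).
SAMPLE_OPENSSL='	linux-vdso.so.1 (0x00000000)
	libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00000000)
	libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00000000)'

SAMPLE_GNUTLS='	linux-vdso.so.1 (0x00000000)
	libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30 (0x00000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00000000)'

# No TLS library at all: either no TLS support or statically linked yaSSL.
SAMPLE_STATIC='	linux-vdso.so.1 (0x00000000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00000000)'

# When run on a real host, inspect the installed server binary.
if [ -x /usr/sbin/mysqld ]; then
    echo "mysqld TLS backend: $(tls_backend_from_ldd "$(ldd /usr/sbin/mysqld 2>/dev/null)")"
fi
```

On a real host, feed `ldd /usr/sbin/mysqld` to `tls_backend_from_ldd` and the `Ssl_version` value from a TLS-enabled `mysql` client session to `tls_version_ok`; a "none-or-static" result combined with `have_ssl = YES` and `Ssl_version = TLSv1.1` or lower is the fingerprint of a bundled-YaSSL build.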
