[debian-mysql] Bug#875457: Bug#875457: mariadb-server-10.1: Only supports certificates signed with SHA1 which is insecure

Kristian Kocher kristian.kocher at it.ox.ac.uk
Mon Sep 11 15:16:53 UTC 2017


On 11/09/17 15:37, Ondřej Surý wrote:
> Hi Kristian,
>
> could you please be more specific? What did you try, what works and
> what doesn't. Any error messages you get, and the exact configuration
> would also be helpful. 
>
> Ondřej 
>
> On Mon 11 Sep 2017, 16:21 Kristian Kocher <kristian.kocher at it.ox.ac.uk>
> wrote:
>
>     Package: mariadb-server-10.1
>     Version: 10.1.26-0+deb9u1
>     Severity: important
>
>     Dear Maintainer,
>
>     At the moment it is only possible to have encrypted communications
>     using certificates signed with SHA1 but this is considered insecure.
>
>     Kind regards,
>
>     Kristian
>
> -- 
> Ondřej Surý <ondrej at sury.org>
> Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
> Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
> fast DNS(SEC) resolver
> Vše pro chleba (https://vseprochleba.cz) – flours from the mill and supplies
> for baking bread of all kinds

Hi Ondřej,

Thank you for looking into this.
I have tried using a certificate from a real CA that signs certificates
with SHA256, but clients could not connect using SSL (the error message
was: ERROR 2026 (HY000): SSL connection error: protocol version mismatch).
Without changing the config, but just using a self-signed certificate
signed using SHA1, everything works fine.

It looks like it might be the version of YaSSL used in the package does
not support SHA256.

Kind regards,

Kristian
