Bug#1032074: libdbd-mysql-perl: Also a problem with /usr/bin/mysql
Russell King
rmk+debian at armlinux.org.uk
Wed Jun 21 14:27:27 BST 2023
Package: libdbd-mysql-perl
Version: 4.050-5+b1
Followup-For: Bug #1032074
Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate ***
* What led up to the situation?

Upgrading from Debian Buster to Debian Bookworm.

I have custom perl scripts that run my Linux Kernel patch management
system which make use of DBD::mysql to contact a MariaDB server in
another VM. The MariaDB server is running Debian Buster.

Capturing traffic on port 3306 and examining with wireshark reveals
that when a Debian Buster system is used to connect to the Debian
Buster MariaDB server, it uses TLS v1.3.

However, Debian Bookworm's DBD::mysql uses TLS v1.1, as does
/usr/bin/mysql. This means that if a recent non-buggy TLS version is
required to connect to a Debian Buster mariadb, Debian Bookworm
systems are incompatible due to the lower TLS version that they
support.

I have tried configuring a minimum TLS version in /etc/ssl/openssl.cnf
to increase the security level via:

[openssl_init]
+ssl_conf = ssl_sect
+[ssl_sect]
+system_default = system_default_sect
+[system_default_sect]
+MinProtocol = TLSv1.2
+CipherString = DEFAULT at SECLEVEL=2
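
Review bot: the `MinProtocol = TLSv1.2` and `CipherString` lines in `[system_default_sect]` only take effect in programs whose TLS stack is OpenSSL and which load this file, so before concluding the setting is ignored it is worth confirming which TLS library the libmariadb3 client library is linked against (for example with ldd) and, if it is not OpenSSL, setting the minimum protocol version in that library's or the MariaDB client's own configuration instead. In the `CipherString` line, "DEFAULT at SECLEVEL=2" looks like the list archive's rewriting of "@"; the value in the file itself needs the literal `@`.
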
but this still results in DBD::mysql using TLS v1.1.

This obviously causes a regression where the mariadb server is set to
a modern minimum non-buggy security level, and thus has *security*
implications given that TLS v1.1 is no longer regarded as secure.

I suspect this is a problem with mariadb shipped with Debian Bookworm
rather than being specific to the perl DBD driver.

*** End of the template - remove these template lines ***
-- System Information:
Debian Release: 12.0
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: armhf (armv7l)
Kernel: Linux 6.1.0+ (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libdbd-mysql-perl depends on:
ii libc6 2.36-9
ii libdbi-perl [perl-dbdabi-94] 1.643-4
ii libmariadb3 1:10.11.3-1
ii perl 5.36.0-7
ii perl-base [perlapi-5.36.0] 5.36.0-7
libdbd-mysql-perl recommends no packages.
libdbd-mysql-perl suggests no packages.
-- no debconf information
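
The report reads the negotiated TLS version out of a capture on port 3306. As an added example (not part of the original report, and not code from Debian or MariaDB), the following parser makes the same check on a ServerHello record, including the TLS 1.3 case where the version travels in the supported_versions extension rather than in the legacy version field. It assumes the TLS record bytes have already been extracted from the capture, after the plaintext MySQL greeting; the function names and the sample records are constructed for illustration.

```python
import struct

NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def negotiated_version(record):
    """Return the version code the server selected in a ServerHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a TLS handshake record carrying a ServerHello")
    hello = record[9:9 + int.from_bytes(record[6:9], "big")]
    if len(hello) < 38:
        raise ValueError("truncated ServerHello")
    version = struct.unpack_from("!H", hello, 0)[0]   # legacy_version field
    pos = 2 + 32                                      # skip version and random
    pos += 1 + hello[pos]                             # skip session_id
    pos += 3                                          # cipher suite + compression
    if pos + 2 <= len(hello):                         # extensions block present
        end = min(len(hello), pos + 2 + struct.unpack_from("!H", hello, pos)[0])
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", hello, pos)
            # supported_versions (0x002b): TLS 1.3 puts the real version here
            if etype == 0x002B and elen == 2 and pos + 6 <= end:
                version = struct.unpack_from("!H", hello, pos + 4)[0]
            pos += 4 + elen
    return version

def version_name(code):
    return NAMES.get(code, hex(code))

def meets_minimum(record, minimum=0x0303):
    """True if the selected version is at least `minimum` (default TLSv1.2)."""
    return negotiated_version(record) >= minimum

def sample_server_hello(legacy, selected=None):
    """Constructed ServerHello: zero random, empty session id, placeholder suite."""
    hello = struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if selected is not None:
        ext = struct.pack("!HHH", 0x002B, 2, selected)
        hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", 0x0303, len(handshake)) + handshake

if __name__ == "__main__":
    for rec in (sample_server_hello(0x0302), sample_server_hello(0x0303, 0x0304)):
        print(version_name(negotiated_version(rec)), "ok" if meets_minimum(rec) else "below minimum")
```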