This repository has been archived by the owner on Sep 30, 2024. It is now read-only.

Hard-coded ciphersuite list incompatible with mariadb 10.1 on debian stretch #1294

Closed
kormat opened this issue Feb 2, 2021 · 0 comments · Fixed by #1295

kormat commented Feb 2, 2021

Currently there's a hard-coded list of accepted ciphersuites:

```go
var cipherSuites = []uint16{
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
	tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
	tls.TLS_RSA_WITH_AES_128_CBC_SHA,
	tls.TLS_RSA_WITH_AES_256_CBC_SHA,
}
```

This list hasn't been updated in 5 years. It also happens to be incompatible with MariaDB 10.1 on Debian stretch:

2021-02-02 09:23:30 ERROR ReadTopologyInstance(HOSTNAME:3306) show global status like 'Uptime': remote error: tls: handshake failure back.

kormat added a commit to kormat/orchestrator that referenced this issue Feb 23, 2021
The list of cipher suites hasn't been updated in 5 years, and the go
docs since go1.12 say that it defaults to secure ciphers.

Fixes openark#1294
@shlomi-noach shlomi-noach self-assigned this Mar 4, 2021
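
A reproduction of the failure mode reported above, added here as an example and not taken from orchestrator's code: a Go client pinned to the issue's list gets `remote error: tls: handshake failure` from a server with no suite in common, while a client that leaves `CipherSuites` unset negotiates. The server's single ChaCha20-Poly1305 suite, the in-memory pipe and the unverified throwaway certificate are assumptions for the demo; the page does not say which suites MariaDB 10.1 on Debian stretch offers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// pinned is the hard-coded client list quoted in the issue.
var pinned = []uint16{
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
	tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
	tls.TLS_RSA_WITH_AES_128_CBC_SHA, tls.TLS_RSA_WITH_AES_256_CBC_SHA,
}

// handshake offers clientSuites (nil = Go defaults) to a TLS 1.2 server whose only suite is outside pinned.
func handshake(clientSuites []uint16) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)} // constructed throwaway cert, never verified
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	c, s := net.Pipe()
	defer c.Close()
	c.SetDeadline(time.Now().Add(5 * time.Second)) // fail instead of hanging
	srv := tls.Server(s, &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		MaxVersion:   tls.VersionTLS12, // assumption: server side of the demo is capped at TLS 1.2
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
	})
	go func() { srv.Handshake(); s.Close() }()
	cli := tls.Client(c, &tls.Config{InsecureSkipVerify: true, CipherSuites: clientSuites})
	return cli.Handshake()
}

func main() {
	fmt.Printf("pinned list: %v\nGo defaults: %v\n", handshake(pinned), handshake(nil))
}
```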