Re: C5 recent openssl update breaks mysql SSL connection

On 08/18/2015 02:32 AM, Leon Fauster wrote:
On 18.08.2015 at 11:27, lhecking@xxxxxxxxxxxxxxxxxxxxx wrote:

Maybe so, but still a side issue. Openssl 0.9.8e was recently updated.
Some change in this update has broken something. I would like to understand
what, and so ought the package maintainers. C5 isn't EOL until March 2017.

rpm -q --changelog openssl-0.9.8e. You weren't clear which version you
upgraded from, but you mentioned testing against openssl-0.9.8e-27.el5_10.1
(from March 2014, nevertheless), which works.

I would hazard a guess that this is the change causing your problem.

* Fri Jun 26 2015 Tomas Mraz <tmraz@xxxxxxxxxx> 0.9.8e-36
- also change the default DH parameters in s_server to 1024 bits

Here's some more info,

https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/

RH must have backported this fix to 0.9.8e.

There seem to be many reports out there that the openssl update broke mysql,
but unfortunately, at a quick glance, they are all about RHEL6/openssl 1.0.1,
so you're most likely on your own. I'm quite ignorant of mysql, but it looks
like you may be able to get this to work again by changing the cipher in mysql
and regenerating your cert.

https://www.howtoforge.com/how-to-set-up-mysql-database-replication-with-ssl-encryption-on-centos-5.4



http://lists.centos.org/pipermail/centos/2015-July/153753.html

--
LF

That makes sense, and the issue is logjam vulnerability with DH cipher groups < 1024 bit.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos


