https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41862
Bug ID: 41862
Summary: Encrypted database connection breaks with update to Debian 12
Initiative type: ---
Sponsorship status: ---
Product: Koha
Version: Main
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P5 - low
Component: Installation and upgrade (command-line installer)
Assignee: [email protected]
Reporter: [email protected]
QA Contact: [email protected]
CC: [email protected], [email protected],
[email protected]
Depends on: 36026
We are currently using the encrypted database connection as described in Bug
36026 with Koha 24.11.12 under Debian 11 with no issue.
When updating to Debian 12 the connection breaks with the error message:
DBIx::Class::Storage::DBI::catch {...} (): DBI Connection failed: DBI
connect('database=koha_instance;host=ourdbhost.de;port=3306;mysql_ssl=1;mysql_ssl_ca_file=/etc/ssl/certs/harica-ca.pem','koha_kohat',...)
failed: SSL connection error: Enforcing SSL encryption is not supported at
/usr/share/koha/lib/Koha/Database.pm line 75. at
/usr/share/koha/lib/Koha/Database.pm line 123
Some additional information:
- Database version: 11.8.3-MariaDB-deb12-log (on separate database server, unchanged by update)
- DBD::mysql (4.004 ) 4.050
- DB connection can be established through koha-mysql and mysql/mariadb commands
We've found a workaround by editing Database.pm and adding the mysql_ssl_optional
option:
if ( $driver eq 'mysql' ) {
$attr->{mysql_enable_utf8} = 1;
+ $attr->{mysql_ssl_optional} = 1;
}
At the same time, encryption is enforced through the database user with:
ALTER USER ... REQUIRE SSL;
We assume that the problem is in DBD::mysql and is related to the way
DBD::mysql (or Koha?) is enforcing SSL on the client side. As the workaround
shows, DBD::mysql is still able to start a secure connection if it's not
enforced that way.
** Related Debian bug report:
https://bugs-devel.debian.org/cgi-bin/bugreport.cgi?bug=1032074 **
$ perl -MDBD::mysql -e 'print "DBD::mysql=", $DBD::mysql::VERSION, "\n"'
DBD::mysql=4.050
$ dpkg -l | egrep 'libdbd-mysql-perl|libmariadb|libmysqlclient'
ii libdbd-mysql-perl:amd64 4.050-5+b1
amd64 Perl5 database interface to the MariaDB/MySQL database
ii libmariadb3:amd64 1:10.11.14-0+deb12u2
amd64 MariaDB database client library
We changed nothing on the database server side during the upgrade of the Koha
server from Debian 11 to Debian 12. The database server is on Debian 13 already
and everything worked well with Koha 24.11 on Debian 11 but it stopped working
with Debian 12.
Documentation of DBD::mysql suggests this might not be the ideal solution:
https://metacpan.org/pod/DBD::mysql
'Setting mysql_ssl_optional to true disables strict SSL enforcement and makes
SSL connection optional. This option opens security hole for man-in-the-middle
attacks. Default value is false which means that mysql_ssl set to true enforce
SSL encryption.
This option was introduced in 4.043 version of DBD::mysql. Due to The BACKRONYM
and The Riddle vulnerabilities in libmysqlclient library, enforcement of SSL
encryption was not possible and therefore mysql_ssl_optional=1 was effectively
set for all DBD::mysql versions prior to 4.043. Starting with 4.043, DBD::mysql
with mysql_ssl=1 could refuse connection to MySQL server if underlying
libmysqlclient library is vulnerable. Option mysql_ssl_optional can be used to
make SSL connection vulnerable.'
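Added example, not code from the report or from Koha: because mysql_ssl_optional lets the client silently fall back to plaintext, this script pairs the workaround attributes with a server-side check of the session's Ssl_cipher and refuses to continue if no TLS was negotiated. The DSN, user and CA path are taken from the error message above; reading the password from KOHA_DB_PASS and the helper name ssl_cipher_for are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Connection parameters from the bug report; the password source is assumed.
my $dsn  = 'DBI:mysql:database=koha_instance;host=ourdbhost.de;port=3306';
my $user = 'koha_kohat';
my $pass = $ENV{KOHA_DB_PASS} // die "set KOHA_DB_PASS in the environment\n";

my %attr = (
    RaiseError         => 1,
    PrintError         => 0,
    mysql_enable_utf8  => 1,
    mysql_ssl          => 1,
    mysql_ssl_ca_file  => '/etc/ssl/certs/harica-ca.pem',
    # The workaround from the report: SSL becomes optional on the client side,
    # so a plaintext session is possible. That is why we verify below.
    mysql_ssl_optional => 1,
);

# Returns the cipher the server reports for this session, or an empty string
# when the session is not encrypted (Ssl_cipher is empty on plaintext links).
sub ssl_cipher_for {
    my ($dbh) = @_;
    my (undef, $cipher) = $dbh->selectrow_array(
        q{SHOW SESSION STATUS LIKE 'Ssl_cipher'});
    return defined $cipher ? $cipher : '';
}

my $dbh    = DBI->connect($dsn, $user, $pass, \%attr);
my $cipher = ssl_cipher_for($dbh);

if ($cipher eq '') {
    $dbh->disconnect;
    die "Refusing to proceed: session to $dsn is NOT encrypted\n";
}

my (undef, $version) = $dbh->selectrow_array(
    q{SHOW SESSION STATUS LIKE 'Ssl_version'});
print "Encrypted session: $version, cipher $cipher\n";
$dbh->disconnect;
```

With REQUIRE SSL set on the database user, as in the report, a plaintext login is already rejected server-side; this check confirms that from the client and catches the case where that server-side requirement is missing.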
Referenced Bugs:
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36026
[Bug 36026] Add TLS MySQL connection without mutual authentication
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/