On 17.03.2015 at 14:25, Bhushan Rane wrote:
Thanks for instant reply.
As suggested I tried with ECDHE-RSA-AES128-GCM-SHA256 and ECDHE-RSA-AES128-SHA but no luck. Created new certs for EC - configured my.cnf with new certs

you *did not* really read my reply

> MySQL / MariaDB don't support anything better than DHE-RSA-AES128-SHA
> (AES256 is supported but not more secure than AES128)
>
> * no ECDHE
> * no AES-GCM
> * no SHA256

====================
Below are commands used for cert creation :-

/opt/scr-openssl/ssl/bin/openssl ecparam -out ecc_ecdsa_root.key -name secp384r1 -genkey
echo -e "US\nObt\nIntelSelfSA\nSSG\nTesters\nCAServer\n\n\n" | /opt/scr-openssl/ssl/bin/openssl req -new -x509 -days 365 -key ecc_ecdsa_root.key -out ecc_ecdsa_root.pem

/opt/scr-openssl/ssl/bin/openssl ecparam -out ecc_ecdsa_ca.key -name secp384r1 -genkey
echo -e "US\nObt\nIntelSelfSA\nSSG\nTesters\nMySQLServer\n\n\n" | /opt/scr-openssl/ssl/bin/openssl req -new -key ecc_ecdsa_ca.key -out ecc_ecdsa_ca.csr
/opt/scr-openssl/ssl/bin/openssl x509 -req -extensions v3_ca -extfile x509_1.ext -days 365 -in ecc_ecdsa_ca.csr -CA ecc_ecdsa_root.pem -CAkey ecc_ecdsa_root.key -out ecc_ecdsa_ca.pem -CAcreateserial

/opt/scr-openssl/ssl/bin/openssl ecparam -out ecc_ecdsa_client.key -name secp384r1 -genkey
echo -e "US\nObt\nIntelSelfSA\nSSG\nTesters\nMySQLClient\n\n\n" | /opt/scr-openssl/ssl/bin/openssl req -new -key ecc_ecdsa_client.key -out ecc_ecdsa_client.csr
/opt/scr-openssl/ssl/bin/openssl x509 -req -extensions v3_ca -extfile x509_2.ext -days 365 -in ecc_ecdsa_client.csr -CA ecc_ecdsa_ca.pem -CAkey ecc_ecdsa_ca.key -out ecc_ecdsa_client.pem -CAcreateserial
====================

mysql -uroot -p --ssl-cipher=ECDHE-RSA-AES128-GCM-SHA256 -T -v
Enter password:
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
User time 0.00, System time 0.00
Maximum resident set size 2728, Integral resident set size 0
Non-physical pagefaults 793, Physical pagefaults 0, Swaps 0
Blocks in 0 out 0, Messages in 0 out 0, Signals 0
Voluntary context switches 3, Involuntary context switches 3

mysql -uroot -p --ssl-cipher=ECDHE-RSA-AES128-SHA -T -v
Enter password:
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
User time 0.00, System time 0.00
Maximum resident set size 2748, Integral resident set size 0
Non-physical pagefaults 798, Physical pagefaults 0, Swaps 0
Blocks in 0 out 0, Messages in 0 out 0, Signals 0
Voluntary context switches 4, Involuntary context switches 5
====================

Also, check openssl - used openssl supports EC ciphers listed above.

On 17.03.2015 at 13:21, Bhushan Rane wrote:
I have compiled MySQL with openssl, I am able to connect to MySQL over SSL with TLS1.0 ciphers. But when I tried to connect with TLS1.2 ciphers connection fails with error

MySQL / MariaDB don't support anything better than DHE-RSA-AES128-SHA
(AES256 is supported but not more secure than AES128)

* no ECDHE
* no AES-GCM
* no SHA256

no idea how they manage that because openssl has support
___________________________________

ssl-cipher=DHE-RSA-AES256-SHA256
ssl-cipher=AES256-SHA256

are not supported and don't make much sense anyways
___________________________________

the currently best ciphersuite would be the following because AES-GCM is hardware optimized on recent machines (Intel AES) and GCM is *always* better than a stupid CBC cipher

ECDHE-RSA-AES128-GCM-SHA256
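
Added example, not part of the thread and not MySQL or OpenSSL code: a small Python parser for the OpenSSL suite names quoted above that applies the three limits listed in the reply (no ECDHE, no AES-GCM, no SHA256). The function names and the `cert_key` parameter are assumptions made here, as is the extra check that a suite's authentication algorithm (RSA in every suite named in the thread) matches the certificate's key type, which matters because the certificates above were generated with EC (secp384r1) keys.

```python
import re

# Features the reply in this thread lists as unavailable in MySQL / MariaDB.
UNSUPPORTED = {"ECDHE", "GCM", "SHA256"}

def parse_suite(name):
    """Split an OpenSSL (TLS 1.2 and earlier) AES suite name into components."""
    parts = name.split("-")
    kx = au = "RSA"          # no prefix means RSA key exchange and RSA authentication
    if parts[0] in ("ECDHE", "DHE"):
        if len(parts) < 4:
            raise ValueError(f"truncated suite name {name!r}")
        kx, au, parts = parts[0], parts[1], parts[2:]
    if not re.fullmatch(r"AES(128|256)", parts[0]):
        raise ValueError(f"unhandled cipher in {name!r}")
    rest = parts[1:]
    mode = "CBC"             # OpenSSL names leave the mode out for CBC suites
    if rest and rest[0] == "GCM":
        mode, rest = "GCM", rest[1:]
    if len(rest) != 1 or rest[0] not in ("SHA", "SHA256", "SHA384"):
        raise ValueError(f"unhandled hash in {name!r}")
    return {"kx": kx, "auth": au, "cipher": parts[0], "mode": mode, "hash": rest[0]}

def blockers(name, cert_key="RSA"):
    """List why a suite cannot be negotiated: the reply's limits, plus a
    mismatch between the suite's auth algorithm and the certificate key type
    (cert_key is 'RSA' or 'ECDSA'; this second check is an addition here)."""
    s = parse_suite(name)
    reasons = sorted(UNSUPPORTED & {s["kx"], s["mode"], s["hash"]})
    if s["auth"] != cert_key:
        reasons.append(f"cert key {cert_key} != suite auth {s['auth']}")
    return reasons

if __name__ == "__main__":
    # Suite names are the ones quoted in the thread.
    for suite in ("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA",
                  "DHE-RSA-AES256-SHA256", "AES256-SHA256", "DHE-RSA-AES128-SHA"):
        rsa = blockers(suite) or "ok"
        ec = blockers(suite, "ECDSA") or "ok"
        print(f"{suite:30} RSA cert: {rsa}  ECDSA cert: {ec}")
```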