    Bug #21221862 NEWEST RHEL/CENTOS OPENSSL UPDATE BREAKS MYSQL DHE CIPHERS · dbbe747e
    V S Murthy Sidagam authored
    Description: The newest RHEL/CentOS/SL 6.6 openssl package
    (1.0.1e-30.el6_6.9; published around 6/4/2015) contains a fix for
    LogJam. RedHat's fix for this was to limit the use
    of any SSL DH key sizes to a minimum of 768 bits. This breaks any
    DHE SSL ciphers for MySQL clients as soon as you install the
    openssl update, since in vio/viosslfactories.c the default
    DHPARAM is a 512-bit one. This cannot be changed in
    configuration or at runtime and needs a recompile. Because of this, a
    client connection with --ssl-cipher=DHE-RSA-AES256-SHA is not
    able to connect to the server.
    
    Analysis: OpenSSL has changed the Diffie-Hellman key size from 512 to
    1024 for various reasons (please see the details at
    http://openssl.org/news/secadv_20150611.txt). Because of this, a client
    using a DHE cipher is failing to connect to the server. This change took
    place from openssl-1.0.1n onwards.
    
    Fix: A similar bug fix has already been pushed to mysql-5.7 under bug#18367167.
    Hence we backported the same fix to mysql-5.5 and mysql-5.6.
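The failure described in this commit comes down to the size of the prime in a hard-coded DH parameter blob. As an added example (not code from this commit or from MySQL), the Python script below parses a DH parameter blob in either PEM (`-----BEGIN DH PARAMETERS-----`) or raw DER form, returns the bit length of the prime, and compares it against a minimum such as the 768-bit and 1024-bit thresholds mentioned in the commit message. The 1024-bit prime is the RFC 2409 "Second Oakley Group"; the 512-bit value is a constructed placeholder (not a prime) that only stands in for the size of the old built-in parameters; the function names and the default minimum are my own choices.

```python
import base64
import re

# RFC 2409, section 6.2 ("Second Oakley Group"): a real 1024-bit MODP prime, generator 2.
RFC2409_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)

# Constructed placeholder: an arbitrary odd 512-bit number, NOT a prime.
# It only models the size of the 512-bit parameters the commit message describes.
WEAK_512_P = (1 << 511) + 1


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value):
    """DER INTEGER; a leading 0x00 keeps a high-bit value non-negative."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return b"\x02" + _der_len(len(raw)) + raw


def encode_dh_params(p, g=2):
    """DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER } (PKCS#3)."""
    content = _der_int(p) + _der_int(g)
    return b"\x30" + _der_len(len(content)) + content


def to_pem(der):
    """Wrap DER in the PEM armour `openssl dhparam` writes."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def dh_prime_bits(data):
    """Return the bit length of the prime in a PEM or DER DH parameter blob."""
    if isinstance(data, str):
        data = data.encode()
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        data = base64.b64decode(b"".join(body.split()))
    tag, seq, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE at top level")
    tag, p_bytes, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER for the prime")
    tag, _g_bytes, _ = _read_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER for the generator")
    return int.from_bytes(p_bytes, "big").bit_length()


def check_dh_params(data, minimum_bits=1024):
    """Return (prime_bits, meets_minimum) for a DH parameter blob."""
    bits = dh_prime_bits(data)
    return bits, bits >= minimum_bits


if __name__ == "__main__":
    for label, p in (("RFC 2409 group 2", RFC2409_GROUP2_P), ("512-bit placeholder", WEAK_512_P)):
        bits, ok = check_dh_params(to_pem(encode_dh_params(p)), minimum_bits=768)
        print(f"{label}: {bits} bits, {'accepted' if ok else 'rejected'} at a 768-bit minimum")
```

The PEM path accepts the file produced by `openssl dhparam -out dh2048.pem 2048`, so the same check can be pointed at whatever parameters a build embeds or a server is configured with; the placeholder value must not be used as real DH parameters.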
viosslfactories.c 11.3 KB