This is a read-only copy of the MariaDB Knowledgebase generated on 2024-11-16. For the latest, interactive version please visit https://mariadb.com/kb/.

MariaDB 10.4.13 and ECDHE cipher suites

Hello,

Does MariaDB actually implement ECDHE cipher suites or not?

After several tests with clients supporting ECDHE ciphers and offering them during the "client hello", the cipher chosen in the "server hello" is never ECDHE.

:(none)> SHOW GLOBAL VARIABLES LIKE 'have_openssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl  | YES   |
+---------------+-------+
1 row in set (0.001 sec)
:(none)> SHOW GLOBAL VARIABLES LIKE 'version_ssl_library';
+---------------------+----------------------------------+
| Variable_name       | Value                            |
+---------------------+----------------------------------+
| version_ssl_library | OpenSSL 1.0.2k-fips  26 Jan 2017 |
+---------------------+----------------------------------+
1 row in set (0.001 sec)
~]# ldd /opt/mysql/na/10.4.13/sbin/mysqld | grep libcrypto
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f5024bfc000)

In my.cnf

...
ssl_cipher=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!aECDH:!RC4
...

So, could you please confirm whether it is possible to negotiate ECDHE ciphers with a MariaDB Server?

Did I miss something?

Thanks a lot.

Michel
