SSL Connection Problems

Discussion of open issues, suggestions and bugs regarding ADO.NET provider for MySQL
Post Reply
sumit
Posts: 62
Joined: Wed 03 Jan 2007 22:23

SSL Connection Problems

Post by sumit » Mon 30 Aug 2010 14:58

Hi,

We are running a MySQL server version 5.0.86 with OpenSSL enabled and are having problems connecting to it using 3.55.17 version of the CoreLab.MySql drivers when the "SSL Cipher List" is specified in the connection string.

When using SSL Cipher List, the connection string looks like:
User Id=user;Password=pwd;Host=dbHost;Port=3306;Database=dbName;Direct=True;Unicode=True;Protocol=Ssl;Connection Timeout=120;Pooling=True;Connection Lifetime=1800;SSL Cipher List=DHE-RSA-AES256-SHA;SSL CA Cert=file://C:\ca-cert.pem;

On an attempt to connect, we receive the following error:
This algorithms are not supported.
at CoreLab.MySql.j.a(String A_0)
at CoreLab.MySql.j.b(String A_0)
at CoreLab.MySql.j.e(String A_0)
at CoreLab.MySql.b.a(String A_0, String A_1, String A_2, String A_3, Int32 A_4, String A_5, Int32 A_6, SshOptions A_7, SslOptions A_8)
at CoreLab.MySql.MySqlInternalConnection.Connect(String userId, String password, String host, String database, Int32 port, Int32 connectionTimeout, MySqlProtocol protocol, Boolean compress)
at CoreLab.MySql.MySqlInternalConnection..ctor(ac connectionOptions)
at CoreLab.MySql.a7.a(DbConnectionOptions A_0, Object A_1, DbConnectionBase A_2)
at CoreLab.Common.DbConnectionFactory.a(DbConnectionPool A_0, DbConnectionOptions A_1)
at CoreLab.Common.DbConnectionPoolGroup.c(DbConnectionPool A_0)
at CoreLab.Common.DbConnectionPool.a()
at CoreLab.Common.DbConnectionPool.GetObject()
at CoreLab.Common.DbConnectionFactory.a(DbConnectionBase A_0)
at CoreLab.Common.DbConnectionClosed.Open(DbConnectionBase outerConnection)
at CoreLab.Common.DbConnectionBase.Open()
at CoreLab.MySql.MySqlConnection.Open()

When we do not include the SSL Cipher List in the connection string or use "ALL" instead of "DHE-RSA-AES256-SHA", the connection succeeds and I can see from the server that it is using "DHE-RSA-AES256-SHA" cipher for the connection. Also, we tried specifying the Cipher using SQLYog and that works which makes me believe that the issue lies on the client side.

Can you provide more information on this? Is this a bug or something that we are doing wrong?

On a side note, the newer version of your Devart.Data.MySql (5.20.33) driver does not even connect over SSL using the same connection string above without SSL Cipher List. It gives a generic SSL exception. When we specify the Cipher List, it throws the same exception "This algorithms are not supported".

Our immediate concern is with using version 3.55.17. However, we will need support with the 5.20.33 version soon as well.

Shalex
Site Admin
Posts: 9543
Joined: Thu 14 Aug 2008 12:44

Post by Shalex » Wed 01 Sep 2010 16:21

1. Here is a list of ciphers that are supported by dotConnect for MySQL:
http://www.devart.com/dotconnect/mysql/ ... rList.html.
There is no DHE-RSA-AES256-SHA in this list. Could you please tell us how did you determine that the cipher of the "SSL Cipher List=ALL;" connection is DHE-RSA-AES256-SHA?

2.
On a side note, the newer version of your Devart.Data.MySql (5.20.33) driver does not even connect over SSL using the same connection string above without SSL Cipher List.
I have checked the latest (6.0.10) version of dotConnect for MySQL. It works without SSL Cipher List. Please try it and notify us about the results.

sumit
Posts: 62
Joined: Wed 03 Jan 2007 22:23

Post by sumit » Wed 01 Sep 2010 19:08

Thanks for the link to the list of supported ciphers.
Shalex wrote:Could you please tell us how did you determine that the cipher of the "SSL Cipher List=ALL;" connection is DHE-RSA-AES256-SHA?
When you are connected over SSL to the database, you can issue the following command to find the cipher in use for the current connection:
SHOW STATUS LIKE 'Ssl_cipher';
I have checked the latest (6.0.10) version of dotConnect for MySQL. It works without SSL Cipher List. Please try it and notify us about the results.
Thanks for checking. So is there a problem with version 5.20.33? Do we have to upgrade our product to use a newer version of the drivers if we want to use SSL? I tried to download the latest version using our license login and the max version it lets me download is version dcmysql550pro.

Shalex
Site Admin
Posts: 9543
Joined: Thu 14 Aug 2008 12:44

Post by Shalex » Thu 02 Sep 2010 17:05

sumit wrote:When you are connected over SSL to the database, you can issue the following command to find the cipher in use for the current connection:
SHOW STATUS LIKE 'Ssl_cipher';
I have opened the SSL connection without specifying SSL Cipher List using the 6.0.10 version of dotConnect for MySQL and obtained the "AES256-SHA" value.
sumit wrote: Thanks for checking. So is there a problem with version 5.20.33? Do we have to upgrade our product to use a newer version of the drivers if we want to use SSL? I tried to download the latest version using our license login and the max version it lets me download is version dcmysql550pro.
I confirm that the 5.20.33 version throws "SSL connection error (2026)" without specifying SSL Cipher List, but 6.0.10 works OK. Please contact our sales department (sales at devart*com) to check the status of your subscription and to get information how to upgrade if the subscription has expired.

sumit
Posts: 62
Joined: Wed 03 Jan 2007 22:23

Post by sumit » Wed 08 Sep 2010 00:21

Shalex wrote:I have opened the SSL connection without specifying SSL Cipher List using the 6.0.10 version of dotConnect for MySQL and obtained the "AES256-SHA" value.
Sorry for the confusion, it shows AES256-SHA to me as well. The other cipher is what I see when I connect using SqlYog.

Post Reply