我有一个运行在debian上的mariadb服务器。(版本:10.3.34-MariaDB-0+ deb 10 u1-登录Debian 10)
我使用了存储库中的包,所以它是用YaSSL(版本2.4.4)编译的。
因此,服务器的最新SSL版本是TLS1.1。
在客户端上,我使用Ubuntu 22.04(5.15.0-52-通用)。
mariadb客户端似乎使用本地安装的openssl(3.0.2 2022年3月15日)
当我尝试连接到mariadb服务器时
使用以下命令:
如果您有任何问题,请联系我们。如果您有问题,请联系我们。
我得到这个错误:
错误2026(HY 000):SSL连接错误:没有可用的协议
好了,看来,我得在客户端手动激活TLSv1.1了。
因此我创建了一个额外的cnf-file,其中包含以下行:
openssl_conf =默认配置
[预设配置] ssl配置= ssl区段
[ssl_sect]系统默认值=系统默认值_sect
[系统默认节]最小协议= TLSv1.1密码字符串=默认值@SECLEVEL=1
然后使用以下命令激活它:
导出OPENSSL_CONF=/etc/ssl/不安全.cnf
当我再次尝试连接时,出现以下错误:
错误2026(HY 000):SSL连接错误:已禁用不安全的旧版重新协商
好的,我需要激活不安全的遗留重新协商。
因此,我在cnf文件的[system_default_sect]中添加了以下行:
选项=不安全的旧版重新协商
但当我再次尝试连接时,我收到此错误:
错误2026(HY 000):SSL连接错误:内部错误[专业]计
cnf文件中是否有错误?
或者,是否无法同时激活“UnsafeLegacyRenegotiation”和“TLSv1.1”?
感谢您的任何帮助或提示!
EDIT:添加了此命令的输出:
- ---------------------------------------------------------------------------------------------------------------------python.fairtragen.de:3306
CONNECTED(00000003)
depth=0 CN = python.fairtragen.de, L = Bremen, O = fairtragen GmbH, OU = " ", emailAddress = python@fairtragen.de, C = DE
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = python.fairtragen.de, L = Bremen, O = fairtragen GmbH, OU = " ", emailAddress = python@fairtragen.de, C = DE
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = python.fairtragen.de, L = Bremen, O = fairtragen GmbH, OU = " ", emailAddress = python@fairtragen.de, C = DE
verify return:1
40F70087447F0000:error:0A0C0103:SSL routines:tls_process_key_exchange:internal error:../ssl/statem/statem_clnt.c:2248:
---
Certificate chain
0 s:CN = python.fairtragen.de, L = Bremen, O = fairtragen GmbH, OU = " ", emailAddress = python@fairtragen.de, C = DE
i:C = DE, ST = Some-State, O = fairtragen GmbH, CN = fairCA, emailAddress = fellows@fairtragen.de
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Apr 20 00:00:00 2021 GMT; NotAfter: Apr 20 00:00:00 2031 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEdDCCAlwCAQAwDQYJKoZIhvcNAQELBQAwczELMAkGA1UEBhMCREUxEzARBgNV
BAgMClNvbWUtU3RhdGUxGDAWBgNVBAoMD2ZhaXJ0cmFnZW4gR21iSDEPMA0GA1UE
AwwGZmFpckNBMSQwIgYJKoZIhvcNAQkBFhVmZWxsb3dzQGZhaXJ0cmFnZW4uZGUw
IhgPMjAyMTA0MjAwMDAwMDBaGA8yMDMxMDQyMDAwMDAwMFowgYgxHTAbBgNVBAMM
FHB5dGhvbi5mYWlydHJhZ2VuLmRlMQ8wDQYDVQQHDAZCcmVtZW4xGDAWBgNVBAoM
D2ZhaXJ0cmFnZW4gR21iSDEKMAgGA1UECwwBIDEjMCEGCSqGSIb3DQEJARYUcHl0
aG9uQGZhaXJ0cmFnZW4uZGUxCzAJBgNVBAYTAkRFMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAtvTsn5+GCuhFztfyzLG8T3YQNf3/jmMIP/rZKCTC6D+K
neKeXBUBkWyPT7398h8lJtfZhfK6TRPR4VmrCnxYuWJL2LdwSACcRcyA0rRgE9SC
8Y7LJulcyetl/JjQAXY6/wFdMcEHRqlCzyTEqumsJsImcE2hHbnNIHd9OukmB8Qq
oS1/e6fKQTjvR90huIyRhHtCMFYiAglCMbmPRuFflzFZ6cULdL0Se7oiLIbsdamV
oFUXk3crcZP3EAR0UMqZ/hQN8vTphDHOngOuss/ORBo0ezxTOXC2Gpmz5RmJKWbN
Ch5tUgIgPEK/cdiz7LnA/CbDXKsWlnEfhoVfL00shwIDAQABMA0GCSqGSIb3DQEB
CwUAA4ICAQAJtzQxuGNHlS5LYJkx2CTJTm44PmbuKOfuR8qwjAnsfDHuevADjwCf
aeH9D5pxpdYFdH8Ll9RzynxTAIHQQLcBzIrTCbouQwOZqpNXszbJhrKjEJ+yOJjM
+LnYfnQRttC6G7gjTHIOixLwOeaRuMCwaZXCYitwPR+6PCfQG+4AFZlOvNIOQDlD
arDJJoAXgE0RH+YlVfyNcSZUMaxOJYK4awN8/5lCLsCk8CZ2/mfOz9DdCKirou5U
Z+Sbu4zPLF49F1xXVK7+omdys57dCXto6ykWahXtrMH/A4JjIsf4GBv2s/im9PTK
9tXPBjk6VT6ZsSCBHa62hzvTiZMzRRBLNlPMldbQerO6/Q/18DueoYT1+e6/Aw3k
/nXgnB7Ztjbemuj1D22MNSHyclRt5ifUskGGLc0nl54rJQCnhTdZW6UwDyCpSDU8
n82Omclgfndyt71I3ecxsCduhHjd+5Nn7e2sIyttPhHLeP6hTbjgDwgSAeHjrjD+
VeKBoahnyXqhWMNQPhkgqPQH6VEQjAaB7NwewfiNziWy3Nd+ThgHJFNP9vHYyeju
2IaE+JBegGgxus0/IQeFTkGuZat7cEMoHE9TQEeGJ6fpqTyeEuqVG/ulAm5qT6zy
ZGOI/RjKGo68AqISogpA2vcWel/h//qyYDQ/683MtPDwef2uKbcH6g==
-----END CERTIFICATE-----
subject=CN = python.fairtragen.de, L = Bremen, O = fairtragen GmbH, OU = " ", emailAddress = python@fairtragen.de, C = DE
issuer=C = DE, ST = Some-State, O = fairtragen GmbH, CN = fairCA, emailAddress = fellows@fairtragen.de
---
No client certificate CA names sent
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 2131 bytes and written 176 bytes
Verification error: unable to verify the first certificate
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Session-ID: E81DDD60800D1F4505F5A5D0A273E776EAEDDAF205BD2195092D7132EAAC0F53
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1666861958
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
---
2条答案
按热度按时间e37o9pze1#
我找到了这个解决方案:
在客户端上:
从源代码编译openssl 1.1.1
并安装到/usr/local
从源代码编译mariadb 10.9,指定上述openssl版本
并安装到/usr/local
运行此命令时,客户端连接到服务器!
失败原因:
7bsow1i62#
OpenSSL 3.0需要来自另一端的重新协商支持,而Yassl不支持。
添加后
到临时openssl.cnf文件,重新协商错误消失,但OpenSSL 3.0客户端会引发警报“Internal Error(80)”,并在握手后终止连接。
我在MariaDB Bug系统中提交了一个issue。由于我们已经在最近的服务器版本中用WolfSSL替换了Yassl,所以它可能不会被修复。
作为一种变通办法,我建议: