Thread: MariaDB TLS version from official repos [18.04]

  1. #1
    Join Date
    Jun 2019
    Beans
    3

    MariaDB TLS version from official repos [18.04]

    Hi,

    sorry to post this very basic question but I'm wondering if someone can help me clarify the version of TLS included from the official 18.04 repos for mariadb.

    AFAIK TLS is somewhat broken up to (not inclusive) TLS 1.2. The MariaDB that is included in the repos is compiled with YaSSL version 2.4.4, but I'm having difficulties pinning down exactly the TLS version that my server is running.

    On the official website of YaSSL https://www.wolfssl.com/products/yassl/ it says it supports TLS up to version 1.1, but this is for version 2.4.2, from 2016, while there has been a newer version, 2.4.4, which is installed on my system and was released on 08/08/2017, but the release notes I've been able to dig up are rather scarce.

    Can anyone verify whether or not this version only has TLS 1.1? I'm just wondering if it's worth the effort to use a version that's not in the official repo.
    Last edited by simernes; 4 Days Ago at 03:15 PM.

  2. #2
    Join Date
    Jan 2017
    Beans
    73

    Re: MariaDB TLS version from official repos [18.04]

    Looks like mariadb-10.1 is hard coded to use <= TLS 1.1

    From the mariadb source code here: https://github.com/MariaDB/server/bl...shake.cpp#L789
    Code:
        /*
          According to RFC 4346 (see "7.4.1.3. Server Hello"), the Server Hello
          packet needs to specify the highest supported TLS version, but not
          higher than what client requests. YaSSL highest supported version is
          TLSv1.1 (=3.2) - if the client requests a higher version, downgrade it
          here to 3.2.
          See also Appendix E of RFC 5246 (TLS 1.2)
        */
    
    HTH
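
The version selection described in the quoted comment, and a check that reads the negotiated version from a ServerHello record, as an added example that is not part of the original post or of the MariaDB/YaSSL source. The function names and the sample record are constructed for illustration, and it assumes the TLS record has already been extracted from a capture.

```python
import struct

# (major, minor) wire versions; 3.2 is the YaSSL cap named in the quoted comment.
NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
YASSL_MAX = (3, 2)


def server_pick(client_version, server_max=YASSL_MAX):
    """ServerHello version: the highest the server supports, never above the client's."""
    return min(client_version, server_max)


def build_server_hello(version):
    """Build a minimal ServerHello record (constructed sample, not a real capture)."""
    # server_version, 32-byte random, empty session id, cipher suite, null compression
    body = bytes(version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack(">H", len(handshake)) + handshake


def negotiated_version(record):
    """Return (major, minor) from the ServerHello carried in one TLS record."""
    if len(record) < 11:
        raise ValueError("record too short for a ServerHello")
    ctype, _major, _minor, rec_len = struct.unpack(">BBBH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    if rec_len > len(record) - 5:
        raise ValueError("truncated record")
    if record[5] != 0x02:
        raise ValueError("not a ServerHello")
    # Bytes 6-8 are the handshake length; server_version follows at 9-10.
    return (record[9], record[10])


def audit(record, minimum=(3, 3)):
    """Return (version name, meets_minimum). A TLS 1.3 ServerHello also shows 3.3 here."""
    version = negotiated_version(record)
    return NAMES.get(version, "unknown"), version >= minimum


if __name__ == "__main__":
    # A client offering TLS 1.2 (3.3) against a server capped at 3.2.
    print(audit(build_server_hello(server_pick((3, 3)))))
```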

  3. #3
    Join Date
    Jun 2019
    Beans
    3

    Re: MariaDB TLS version from official repos [18.04]

    Is this implementation affected by any security vulnerabilities? I'm reading all over the internet that TLS 1.1 should be updated, so I'm just wondering why this is kept in the Ubuntu repos.

  4. #4
    Join Date
    Jan 2017
    Beans
    73

    Re: MariaDB TLS version from official repos [18.04]

    I don't know much about this. Your post piqued my curiosity so I took a peek at the source code and found the above information.

    Upstream, MariaDB 10.4.5 is a release candidate and uses wolfssl which supports <= TLS 1.3.
    https://github.com/MariaDB/server/tr.../extra/wolfssl
    https://github.com/wolfSSL/wolfssl/b...ster/README.md

    There's no telling when 10.4.5 will be released and then incorporated into Ubuntu. The Disco Dingo (19.04) repo contains MariaDB-10.3.

    There is a 10.4.5 Deb package available from MariaDB: https://downloads.mariadb.org/mariad...up=deb_package

  5. #5
    Join Date
    Jun 2019
    Beans
    3

    Re: MariaDB TLS version from official repos [18.04]

    Thanks norobro, I didn't find that deb right away when I was looking, and it's a good alternative to using a repo in terms of maintaining it, as at least for me they appear a little easier to remove than installing from source in some cases.
