# percona56-server with TLSv1.2



## bibi (Jan 4, 2017)

Hello,

I have tried installing percona56-server from the ports with the OpenSSL option checked ( as it is by default ) and I have completed the SSL setup and get everything to work properly except that I am stuck with TLSv1.

```
mysql> \s;
--------------
mysql  Ver 14.14 Distrib 5.6.33-79.0 Percona, for FreeBSD11.0 (amd64) using  EditLine wrapper

Connection id:          1
Current database:
Current user:           root@localhost
SSL:                    Cipher in use is AES256-SHA

mysql> show variables like "%tls%";
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_tlsv1_2  | NO    |
| tls_version   | TLSv1 |
+---------------+-------+
```
I tried forcing in my my.cnf the TLS version to tls_version=TLSv1.2 but then I get a warning message in the log file:

```
2017-01-04 13:09:17 30167 [Warning] Failed to setup SSL
2017-01-04 13:09:17 30167 [Warning] SSL error: NUL
```
and then SSL is disabled when I connect to the server.

```
Current user:           root@localhost
SSL:                    Not in use
```
Any idea how to get TLSv1.2 working?
Thanks


----------



## SirDice (Jan 4, 2017)

You need to build it using the OpenSSL port instead of the base OpenSSL.

Add to /etc/make.conf:

```
DEFAULT_VERSIONS+= ssl=openssl
```


----------



## bibi (Jan 4, 2017)

Hello, yes, sorry, I forgot to mention that part; I already have this in my /etc/make.conf.


----------



## SirDice (Jan 4, 2017)

Can you post the output from `pkg info -d percona56-server`?


----------



## bibi (Jan 4, 2017)

```
db /root >pkg info -d percona56-server
percona56-server-5.6.33.79.0:
        indexinfo-0.2.6
        perl5-5.24.1.r4_1
        percona56-client-5.6.33.79.0
```

and the Makefile in the ports tree has the following lines with SSL:


```
OPTIONS_DEFINE= OPENSSL FASTMTX INNODBMEMCACHED TOKUDB
OPTIONS_DEFAULT=        OPENSSL INNODBMEMCACHED
OPENSSL_CMAKE_ON=       -DWITH_SSL=bundled
```


----------



## SirDice (Jan 4, 2017)

Odd; if I read this correctly, TLSv1.0 should be disabled by default.

https://www.percona.com/doc/percona-server/5.6/flexibility/extended_tls_support.html


----------



## bibi (Jan 4, 2017)

Yes, exactly, I came across that too on the Percona website; really weird to me.


----------



## SirDice (Jan 4, 2017)

Try not setting any TLS related settings (like the aforementioned tls_version) and let it figure it out automatically. Perhaps setting some specific options actually makes it fall back to TLSv1.


----------



## bibi (Jan 4, 2017)

I have removed all ssl settings from my my.cnf, i.e. ssl-cipher / tls_version. The only SSL settings that I have are:


```
ssl-ca=/usr/local/etc/mysql/ca-cert.pem
ssl-cert=/usr/local/etc/mysql/server-cert.pem
ssl-key=/usr/local/etc/mysql/server-key.pem
```

and here's what I get:


```
mysql> \s;
--------------
mysql  Ver 14.14 Distrib 5.6.33-79.0 Percona, for FreeBSD11.0 (amd64) using  EditLine wrapper
Connection id:          1
Current database:
Current user:           root@localhost
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
```

and


```
mysql> show variables like "%tls%";
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_tlsv1_2  | NO    |
| tls_version   | TLSv1 |
+---------------+-------+
```

So basically, apart from the ciphers that have changed, I'm still facing the same issue.


----------



## bibi (Jan 5, 2017)

I have changed the /usr/ports/databases/percona56-server/Makefile with the following:


```
OPENSSL_CMAKE_ON=       -DWITH_SSL=yes
```

Now I am having the proper settings for the server:


```
mysql> SHOW GLOBAL VARIABLES LIKE '%tls%';
+---------------+-----------------+
| Variable_name | Value           |
+---------------+-----------------+
| have_tlsv1_2  | YES             |
| tls_version   | TLSv1.1,TLSv1.2 |
+---------------+-----------------+
2 rows in set (0.00 sec)

mysql> SHOW GLOBAL VARIABLES LIKE '%ssl%';
+---------------+--------------------------------------+
| Variable_name | Value                                |
+---------------+--------------------------------------+
| have_openssl  | YES                                  |
| have_ssl      | YES                                  |
| ssl_ca        | /usr/local/etc/mysql/ca-cert.pem     |
| ssl_capath    |                                      |
| ssl_cert      | /usr/local/etc/mysql/server-cert.pem |
| ssl_cipher    |                                      |
| ssl_crl       |                                      |
| ssl_crlpath   |                                      |
| ssl_key       | /usr/local/etc/mysql/server-key.pem  |
+---------------+--------------------------------------+
9 rows in set (0.00 sec)
```

So it seems fine from the server side... but now the client part is posing problems when I want to use SSL to connect:


```
db /root > mysql -u root -pt0t0 --ssl-cert=/usr/local/etc/mysql/client-cert.pem --ssl-key=/usr/local/etc/mysql/client-key.pem
Warning: Using a password on the command line interface can be insecure.
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
```


----------



## SirDice (Jan 5, 2017)

I'm betting you need to use the same "trick" for the client. I would also suggest creating a PR for it, so the maintainer can fix the port.


----------



## bibi (Jan 5, 2017)

Unfortunately the same trick for the client doesn't seem to work. Added the same argument in /usr/ports/databases/percona56-client/Makefile. Still getting the same issue.

I have installed /usr/ports/databases/mysql57-client/ on another FreeBSD-11 server, then generated client certificates and tried to connect to the Percona 5.6 on the other machine; it works well:

```
mysql> \s
--------------
mysql  Ver 14.14 Distrib 5.7.15, for FreeBSD11.0 (amd64) using  EditLine wrapper
...
SSL:                    Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
...
Server version:         5.6.33-79.0 Source distribution
```

```
mysql> show status like 'ssl_version';
+---------------+---------+
| Variable_name | Value   |
+---------------+---------+
| Ssl_version   | TLSv1.2 |
+---------------+---------+
1 row in set (0.00 sec)
```

Will create a PR anyhow. Thanks for your help!
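A small post-rebuild audit script, added here as an example (it is not from this thread or from Percona), that checks the three things this thread shows going wrong: the server reporting have_tlsv1_2 = NO / tls_version = TLSv1 with the default bundled SSL build, the error log's "Failed to setup SSL" warning after which mysqld kept running with SSL disabled, and a client session whose Ssl_version is empty or below TLSv1.2. The checks read the mysql client's batch output (`mysql -BN -e`), so they can be fed saved output; the script name, the `--live` switch and the error log path are assumptions.

```shell
#!/bin/sh
# Post-rebuild TLS audit for a Percona/MySQL server (added here, not from the
# thread or Percona). The checks read "name<TAB>value" lines as printed by
# `mysql -BN -e "..."` on stdin, so they also work on saved output.
tab=$(printf '\t')
# SHOW GLOBAL VARIABLES LIKE '%tls%' on stdin. Fails for a build that lacks
# TLSv1.2 (have_tlsv1_2=NO) or a tls_version that does not list TLSv1.2.
check_server_tls() {
    have12=NO versions=
    while IFS="$tab" read -r name value; do
        case "$name" in
            have_tlsv1_2) have12=$value ;;
            tls_version)  versions=$value ;;
        esac
    done
    if [ "$have12" != "YES" ]; then
        echo "have_tlsv1_2=$have12: server lacks TLSv1.2 (bundled SSL build?)" >&2
        return 1
    fi
    case ",$versions," in
        *,TLSv1.2,*) return 0 ;;
        *) echo "tls_version=$versions does not enable TLSv1.2" >&2; return 1 ;;
    esac
}

# SHOW SESSION STATUS LIKE 'Ssl_version' on stdin. Ssl_version is empty for a
# plaintext session, which is what a client gets after "Failed to setup SSL".
check_session_tls() {
    IFS="$tab" read -r name ver || :
    case "$ver" in
        TLSv1.2|TLSv1.3) return 0 ;;
        "") echo "session is not encrypted (Ssl_version empty)" >&2; return 1 ;;
        *)  echo "session negotiated $ver, not TLSv1.2 or newer" >&2; return 1 ;;
    esac
}

# The server logs "Failed to setup SSL" only as a warning and keeps running in
# plaintext; treat that line in the error log as a failure.
check_error_log() {
    ! grep -q 'Failed to setup SSL' "$1" ||
        { echo "$1: 'Failed to setup SSL' logged; server runs without SSL" >&2; return 1; }
}

# Live mode (assumed invocation): sh tls_audit.sh --live /var/db/mysql/host.err
if [ "${1:-}" = "--live" ]; then
    mysql -BN -e "SHOW GLOBAL VARIABLES LIKE '%tls%'" | check_server_tls
    mysql -BN -e "SHOW SESSION STATUS LIKE 'Ssl_version'" | check_session_tls
    check_error_log "${2:?error log path}"
fi
```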


----------

