Mysql – How to fix Logjam vulnerability with MySQL

Tags: debian, logjam, MySQL, openssl

Since the latest openssl upgrade on my Debian server, my mysql clients are unable to connect and give the following message:

SSL connection error: error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small

I guess this is to prevent Logjam attacks.

Thanks to https://weakdh.org/sysadmin.html I know how I can generate stronger Diffie-Hellman parameters. However, I don't find any MySQL configuration option to actually use those.

Does anyone know?

Best Answer

The MySQL 5.7.6 release notes contain the following:

Security Fix: Due to the LogJam issue (https://weakdh.org/), OpenSSL has changed the Diffie-Hellman key length parameters for openssl-1.0.1n and up. OpenSSL has provided a detailed explanation at http://openssl.org/news/secadv_20150611.txt. To adopt this change in MySQL, the key length used in vio/viosslfactories.c for creating Diffie-Hellman keys has been increased from 512 to 2,048 bits. (Bug #77275, Bug #21221862, Bug #18367167, Bug #21307471)

It appears from this that the DH size was hardcoded to 512 bits in MySQL before 5.7.6 (permanent logjam?). As later versions of OpenSSL reject these weak keys, upgrading OpenSSL without upgrading MySQL appears to break things.
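Since the DH size is compiled in rather than configurable, the useful check on an existing server is to ask it what DH parameters it actually sends. The script below is an added example, not part of the answer above or of MySQL's own tooling: it probes a server with `openssl s_client -starttls mysql` (available in OpenSSL 1.1.1 and later), pulls the `Server Temp Key: DH, N bits` line out of the output, and flags anything below the 2048 bits that 5.7.6 moved to. The host, port and the sample s_client output embedded at the end are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the ephemeral Diffie-Hellman size a MySQL server
# negotiates. Assumes OpenSSL >= 1.1.1 (for `-starttls mysql`) and a server
# that will accept a DHE cipher suite over TLS 1.2.

# Extract the DH key size in bits from `openssl s_client` output on stdin.
# Prints the bit count, or nothing if the server did not send a DH temp key
# (e.g. it negotiated ECDHE or plain RSA key exchange instead).
dh_bits_from_s_client() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits$/\1/p'
}

# Return 0 if BITS meets the 2048-bit floor MySQL 5.7.6 adopted, 1 otherwise.
# The 512-bit value older MySQL hardcoded is exactly what OpenSSL >= 1.0.1n
# rejects with "dh key too small".
dh_is_strong() {
    [ "${1:-0}" -ge 2048 ]
}

# Classify a block of s_client output: prints a verdict and returns
# 0 (strong), 1 (too small) or 2 (no DH key exchange observed).
classify_dh() {
    bits=$(dh_bits_from_s_client)
    if [ -z "$bits" ]; then
        echo "no DH temp key negotiated (server may prefer ECDHE/RSA)"
        return 2
    fi
    if dh_is_strong "$bits"; then
        echo "DH $bits bits: OK"
        return 0
    fi
    echo "DH $bits bits: too small, upgrade MySQL to >= 5.7.6"
    return 1
}

# Probe a live server. Forces TLS 1.2 and a DHE suite so the server has to
# send its DH parameters rather than falling back to ECDHE.
probe_mysql_dh() {
    host=${1:-127.0.0.1}   # hypothetical default host
    port=${2:-3306}        # hypothetical default port
    printf '' | openssl s_client -starttls mysql -connect "$host:$port" \
        -tls1_2 -cipher 'DHE' 2>/dev/null | classify_dh
}

# Constructed sample of what s_client prints against a pre-5.7.6 server,
# trimmed to the line that matters. Used so the check can be exercised
# without a live server.
SAMPLE_OLD_MYSQL_OUTPUT='CONNECTED(00000003)
---
Server Temp Key: DH, 512 bits
---'

# Run the classifier over the constructed sample; exit status as classify_dh.
check_sample() {
    printf '%s\n' "$SAMPLE_OLD_MYSQL_OUTPUT" | classify_dh
}

# Usage: ./dhcheck.sh            -> evaluates the constructed sample
#        ./dhcheck.sh HOST PORT  -> probes a real server
if [ "$#" -ge 1 ]; then
    probe_mysql_dh "$@"
else
    check_sample
fi
```

Note that `-starttls mysql` speaks only the initial handshake, so a server that has TLS disabled entirely will simply fail to negotiate rather than report a key size; an empty result from the classifier means "check whether TLS is on at all", not "safe".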