PSV: Patch system offline due to system upgrade
Russell King (Oracle)
linux at armlinux.org.uk
Wed Jun 21 05:27:53 PDT 2023
On Wed, Jun 21, 2023 at 12:53:20PM +0100, Russell King (Oracle) wrote:
> All,
>
> Sorry, but the patch system will be offline for a while, thanks to
> upgrading the mail server from Debian Buster to Debian Bookworm; the
> perl scripts can no longer connect to the SQL server with the totally
> unfathomable complaint:
>
> DBI connect('database=armlinux;host=sql.armlinux.org.uk;mysql_ssl=1;mysql_ssl_ca_file=/etc/local/pki/mysql-cacert.pem;mysql_ssl_verify_server_cert=1',...,...) failed: SSL connection error: Enforcing SSL encryption is not supported
>
> It _looks_ from what the error message seems to be saying that the
> perl DBI folk have *disabled* SSL on database connections... seriously?
> In this day and age where encryption is becoming the norm?
>
> If anyone has any clues, please mail me (privately.)

The problem appears to be that Debian Bookworm regresses the supported
TLS version for DBD::mysql (mariadb) from supporting TLS v1.2 and TLS
v1.3 back to the known-to-be-vulnerable TLS v1.1!

From what I can tell, under Debian Buster, mariadb was linked against
gnutls. Under Debian Bookworm, at least the "mysql" utility is *not*
dynamically linked against any SSL library, and appears to refer
internally to "yassl" which I can only assume is some home-grown and,
if it only supports up to TLS v1.1, insecure implementation of SSL!

Way to go, Debian! That's quite a step backwards in this modern age.

--
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!