
HeidiSQL unable to connect to SSL using client certificates #1768

Open
gnd opened this issue Feb 21, 2023 · 1 comment

@gnd

gnd commented Feb 21, 2023

Preconditions

  • HeidiSQL version: 12.3.0.6589
  • Database type and version: MariaDB 10.5 (1:10.5.18-0+deb11u1)
  • OS: Windows 11

Describe the bug

HeidiSQL under Windows 11 is unable to use client certificates to connect to a MariaDB instance running on Debian 11. When trying to connect I get an error from HeidiSQL:

SSL connection error: no cipher match. Error 0x80090331 (SEC_E_ALGORITHM_MISMATCH)

On the server side I see that MariaDB sees the client disconnecting:

[Warning] Aborted connection 5 to db: 'unconnected' user: 'unauthenticated' host: 'XXX.XXX.XXX.XXX' (This connection closed normally without authentication)

I have tested the connection from another machine, using mariadb-client under Linux, and it works well. Following the issue https://jira.mariadb.org/browse/CONC-527 I have configured the MariaDB server with

ssl-cipher=DEFAULT:@SECLEVEL=1

This results in HeidiSQL logging in and the connection working. However, this is not an acceptable solution, as SECLEVEL=1 also permits broken SHA1 cryptographic primitives.

In order to better understand the issue, I used Wireshark to sniff the connection. It seems like HeidiSQL advertises a lot of Signature Hash Algorithms during the CLIENT HELLO phase, which match many Signature Hash Algorithms advertised by the SERVER HELLO; however, unless the MariaDB server is set up with SECLEVEL=1, it closes the connection.

Under SECLEVEL=1 the server advertises additional Signature Hash Algorithms, from which HeidiSQL chooses rsa_pkcs1_sha1. In such a case the connection works; however, it's using a weak signature hash algo and the server allows crypto primitives using SHA1.

Could you please verify why, from all possible hashes, rsa_pkcs1_sha1 is chosen?

To Reproduce

  1. Configure MariaDB server 10.5 on Debian 11 to use SSL, generate a client certificate and private key, and make the connection work from a Linux command line client. Once it's working, use the client cert + key for an SSL connection in Windows 11 using HeidiSQL.

One note: if we use just SSL without client certificates, we don't have to lower the SECLEVEL. I think the issue is just in how Heidi chooses the certificate signature algorithm.

Screenshots or Crash reports

HeidiSQL Client Hello:

[screenshot: heidi_hello]

Server Hello without SECLEVEL=1:

[screenshot: server_hello_secure]

Server Hello with SECLEVEL=1:

[screenshot: server_hello_insecure]

As you can see here, HeidiSQL completes the handshake using rsa_pkcs1_sha1:

[screenshot: cert_exchange_complete]
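The post above reads the signature_algorithms extension out of a Wireshark capture by hand and compares it with the server's SECLEVEL. The script below does the same inspection programmatically: it parses the TLS record, handshake and ClientHello framing, pulls out the SignatureScheme codes in the client's preference order, and reports which of them survive OpenSSL's security-level floor (80 bits at SECLEVEL=1, 112 at SECLEVEL=2, which is why SHA-1-based schemes are dropped at the Debian default of 2). This is an added example written for this page, not code from HeidiSQL, MariaDB or the issue author; the ClientHello it parses is constructed inline with an invented offer list, not HeidiSQL's real hello, and the bit values are a simplified model of OpenSSL 1.1.1's table that only accounts for the hash, not key sizes.

```python
import struct

SIGNATURE_ALGORITHMS_EXT = 0x000D  # extension type "signature_algorithms" (RFC 5246 / RFC 8446)

# IANA SignatureScheme codes -> (name, security bits OpenSSL 1.1.1 attributes to the hash).
# Assumption: only the hash strength is modelled; OpenSSL's real check also looks at key sizes.
SIG_SCHEMES = {
    0x0201: ("rsa_pkcs1_sha1", 80),
    0x0203: ("ecdsa_sha1", 80),
    0x0401: ("rsa_pkcs1_sha256", 128),
    0x0403: ("ecdsa_secp256r1_sha256", 128),
    0x0501: ("rsa_pkcs1_sha384", 192),
    0x0503: ("ecdsa_secp384r1_sha384", 192),
    0x0601: ("rsa_pkcs1_sha512", 256),
    0x0603: ("ecdsa_secp521r1_sha512", 256),
    0x0804: ("rsa_pss_rsae_sha256", 128),
    0x0805: ("rsa_pss_rsae_sha384", 192),
    0x0806: ("rsa_pss_rsae_sha512", 256),
    0x0807: ("ed25519", 128),
    0x0808: ("ed448", 224),
}

# OpenSSL @SECLEVEL=n -> minimum security bits a signature algorithm must offer.
SECLEVEL_MIN_BITS = {0: 0, 1: 80, 2: 112, 3: 128, 4: 192, 5: 256}

# Constructed sample offer (not HeidiSQL's actual list): SHA-1 schemes mixed in with modern ones.
SAMPLE_OFFER = [0x0401, 0x0501, 0x0201, 0x0804, 0x0403, 0x0203]


def build_client_hello(schemes):
    """Constructed sample: a minimal TLS 1.2 ClientHello record that carries
    one cipher suite and only a signature_algorithms extension."""
    sigalgs = b"".join(struct.pack("!H", s) for s in schemes)
    ext_body = struct.pack("!H", len(sigalgs)) + sigalgs
    ext = struct.pack("!HH", SIGNATURE_ALGORITHMS_EXT, len(ext_body)) + ext_body
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + bytes(32)                              # random (all zero in this constructed sample)
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"     # one suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        + b"\x01\x00"                            # one compression method: null
        + struct.pack("!H", len(ext)) + ext      # extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record layer


def parse_signature_algorithms(record):
    """Walk record -> handshake -> ClientHello and return the offered SignatureScheme
    codes in the client's order of preference (empty list if the extension is absent)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                               # version + random
    pos += 1 + body[pos]                                       # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]       # cipher_suites
    pos += 1 + body[pos]                                       # compression_methods
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type == SIGNATURE_ALGORITHMS_EXT:
            n = struct.unpack("!H", data[:2])[0]
            return [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
    return []


def acceptable_at(schemes, seclevel):
    """Names of the offered schemes whose hash strength meets the SECLEVEL floor."""
    floor = SECLEVEL_MIN_BITS[seclevel]
    return [SIG_SCHEMES[s][0] for s in schemes
            if s in SIG_SCHEMES and SIG_SCHEMES[s][1] >= floor]


def sha1_schemes(schemes):
    """Names of the offered schemes that rely on SHA-1 (what SECLEVEL=1 lets through)."""
    return [SIG_SCHEMES[s][0] for s in schemes
            if s in SIG_SCHEMES and SIG_SCHEMES[s][0].endswith("sha1")]


if __name__ == "__main__":
    offered = parse_signature_algorithms(build_client_hello(SAMPLE_OFFER))
    print("offered:     ", [SIG_SCHEMES[s][0] for s in offered])
    print("SHA-1 based: ", sha1_schemes(offered))
    for level in (1, 2):
        print(f"SECLEVEL={level}:", acceptable_at(offered, level))
```

Run against a real capture, replace `build_client_hello(SAMPLE_OFFER)` with the raw bytes of the ClientHello record exported from Wireshark; the schemes that appear in the SECLEVEL=1 column but not in the SECLEVEL=2 column are exactly the ones a Debian 11 server refuses, so if the client only ever signs CertificateVerify with one of those, the client-certificate handshake cannot complete without weakening the server.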

@ansgarbecker (Collaborator)

Related: #1426 (comment)
