.NET 5.0 TLS Errors #904
Comments
@bgrainger Is it possible to configure a CipherSuitePolicy directly on the SSL stream?
Manually configuring the CipherSuitesPolicy policy in ServerSession fixes the problem. Still trying to find documentation on what ciphers Aurora supports. @bgrainger What are your thoughts on adding a configuration option to specify a custom cipher suite policy passed to AuthenticateAsClientAsync? Something like...
This would enable something like....
Submitted a PR #905
Link to .NET Breaking Changes list: https://docs.microsoft.com/en-us/dotnet/core/compatibility/3.1-5.0#default-tls-cipher-suites-for-net-on-linux
@iamcarbon Is modifying the configuration in Obviously there is an advantage to having the library work out-of-the-box with Aurora without extra configuration; I need to research that more.
@bgrainger: Yes, this also works, but forgoes the other benefits of a locked-down default policy for the rest of the application. I'm also not sure if this will work when we upgrade our Lambda functions in the future, as the openssl.cnf won't be editable there. Another approach would be to allow a CipherSuitesPolicy to be set globally (perhaps off a static setter). This would spare users from having to edit the openssl.cnf and give them explicit control over what ciphers are negotiated.
Revised the PR to allow defining the DefaultCipherSuitesPolicy on .NET 5.0. This provides a super simple hook to configure the cipher suites (and avoids touching the openssl.cnf, which may not be possible in certain environments). This also eliminates any magic behavior, which may not be relevant for future Aurora updates.
Since this setting is connection-specific (more specifically, connection-pool specific), I'm tempted to make it part of the connection string. This would let it be configured without using code, is more like every other connection setting, and would be less "magic" than setting a static property. The downside is that it could be extremely verbose to specify multiple cipher suites. MySqlConnector could support specifying any Some examples:
To reduce connection string verbosity, an additional mechanism could be
MySQL Connector/J uses
In practice, the connection string may not be too verbose; only one (mutually supported) cipher suite needs to be listed in order to establish a connection. That is, the minimal Aurora connection string (for .NET 5.0 on Linux) might just be: So I'm inclined to just go with that (and not implement
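As an added example (not MySqlConnector's code nor the PR), this shows how a comma-separated `TlsCipherSuites` connection-string value could be parsed into a `CipherSuitesPolicy` and handed to `SslStream` via `SslClientAuthenticationOptions`, which ties together the CipherSuitesPolicy hook discussed earlier and the connection-string form proposed above; the class and method names are assumptions, and unknown suite names are rejected rather than dropped so a typo cannot silently widen the negotiated set.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net.Security;
using System.Threading.Tasks;

static class TlsCipherSuitesOption   // hypothetical helper, not part of MySqlConnector
{
    // Parse a "TlsCipherSuites=NAME1,NAME2" value into a CipherSuitesPolicy. Names must
    // match the System.Net.Security.TlsCipherSuite enum members exactly (case-sensitive).
    public static CipherSuitesPolicy Parse(string value)
    {
        var suites = new List<TlsCipherSuite>();
        foreach (var raw in value.Split(',', StringSplitOptions.RemoveEmptyEntries))
        {
            var name = raw.Trim();
            if (!Enum.TryParse<TlsCipherSuite>(name, ignoreCase: false, out var suite))
                throw new ArgumentException($"Unknown TLS cipher suite '{name}'.", nameof(value));
            suites.Add(suite);
        }
        if (suites.Count == 0)
            throw new ArgumentException("At least one cipher suite is required.", nameof(value));
        // CipherSuitesPolicy is honoured on Linux/macOS (OpenSSL); on Windows the
        // constructor throws PlatformNotSupportedException, so callers should catch that.
        return new CipherSuitesPolicy(suites);
    }

    // Run the client handshake over a transport that is already positioned where TLS
    // begins (for MySQL, after the client has sent its SSL request packet) and return
    // the suite the server actually picked, so it can be logged and checked.
    public static async Task<TlsCipherSuite> AuthenticateAsync(Stream transport, string host, CipherSuitesPolicy policy)
    {
        var ssl = new SslStream(transport, leaveInnerStreamOpen: false);
        var options = new SslClientAuthenticationOptions
        {
            TargetHost = host,
            CipherSuitesPolicy = policy,
            // EnabledSslProtocols is left at its default here; the protocol version is a
            // separate setting (TlsVersion in this thread), not part of the suite list.
        };
        await ssl.AuthenticateAsClientAsync(options, default).ConfigureAwait(false);
        return ssl.NegotiatedCipherSuite;
    }

    static void Main()
    {
        var policy = Parse("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384");
        Console.WriteLine(string.Join(",", policy.AllowedCipherSuites));
        try { Parse("TLS_NOT_A_REAL_SUITE"); }
        catch (ArgumentException e) { Console.WriteLine(e.Message); }
    }
}
```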
A single TlsCipherSuite matching the .NET enum name is also elegant: it ensures a strong cipher is used for non-Aurora servers and allows the library to connect to multiple servers in the same process with different settings. ❤️
Added a PR for this: #907
The right answer is probably for Aurora to support modern cipher suites 😀 but I'll try to have a beta release for testing available later today.
1.1.1-beta.0.1 is available for download from GHPR; are you able to test with that? https://github.com/mysql-net/MySqlConnector/packages/39735
Works, and in production now. Thanks again for the thoughtfulness you put into this!
@bgrainger, is there any ETA for this version to be available in NuGet?
I can release a non-beta version to NuGet soon (if you can't pull it from GHPR).
@bgrainger I'm experiencing the same issue but connecting to Aurora MySQL 5.6, which only supports TLS v1.0. I'm not sure how to find the correct one (can't find anything useful in the AWS docs)... Do you know which one applies here, and how/where to find this info? Thanks in advance. UPDATE: I have now provisioned a test Aurora MySQL 5.7 cluster and validated that the above works properly with 5.7... No luck on 5.6... Is net5.0 no longer compatible with TLS 1.0? Didn't see anything about it... Also I looked at my Aurora 5.6 server UPDATE 2: I have figured it out... It was not really intuitive, but I had to raise the min TLS version to TLSv1.2 in the openssl.cnf file (I think this is so the list of cipher suites can apply). Then I had to explicitly set the TlsVersion to Tlsv1.0 in the MySQL connection string since Aurora MySQL 5.6 supports only 1.0... OUCH!! But it works!
@bgrainger, thanks so much! Really appreciate it.
NuGet version: 1.3.9 @bgrainger I'm having the same issue as @passuied. I have used the same solution which he provides, but I'm receiving the following error
The code I run:

```csharp
namespace ConsoleApp1
{
    using System;
    using System.Data;
    using System.Threading.Tasks;
    using MySqlConnector;

    class Program
    {
        static void Main(string[] args)
        {
            while (true)
            {
                var csb = new MySqlConnectionStringBuilder(
                    "Server=server;" +
                    "Port=3306;" +
                    "Database=Name;" +
                    "Uid=root;" +
                    "Pwd=password;" +
                    "Connection Timeout=360;" +
                    "default command timeout=340;" +
                    "TlsVersion=\"TLS 1.0\";" +
                    "TlsCipherSuites=TLS_DHE_RSA_WITH_AES_256_GCM_SHA384");
                using (var connection = new MySqlConnection(csb.ConnectionString))
                {
                    try
                    {
                        var command = new MySqlCommand("SELECT 1", connection);
                        command.CommandType = CommandType.Text;
                        connection.Open();
                        command.ExecuteScalar();
                        Console.WriteLine("success");
                    }
                    catch (Exception ex)
                    {
                        Console.WriteLine(ex);
                    }
                }
                Task.Delay(10_000).GetAwaiter().GetResult();
            }
        }
    }
}
```

The version of the NuGet package is 1.3.9 on .NET 5.0. This is the Dockerfile:

```dockerfile
#See https://aka.ms/containerfastmode to understand how Visual Studio uses this Dockerfile to build your images for faster debugging.
FROM mcr.microsoft.com/dotnet/runtime:5.0 AS base
WORKDIR /app

FROM mcr.microsoft.com/dotnet/sdk:5.0 AS build
WORKDIR /src
COPY ["ConsoleApp1/ConsoleApp1.csproj", "ConsoleApp1/"]
RUN dotnet restore "ConsoleApp1/ConsoleApp1.csproj"
COPY . .
WORKDIR "/src/ConsoleApp1"
RUN dotnet build "ConsoleApp1.csproj" -c Release -o /app/build

FROM build AS publish
RUN dotnet publish "ConsoleApp1.csproj" -c Release -o /app/publish

FROM base AS final
WORKDIR /app
COPY --from=publish /app/publish .
RUN sed -i "s|CipherString = DEFAULT@SECLEVEL=2|CipherString = ADH-AES128-SHA:ADH-AES128-SHA256:ADH-AES256-SHA256:@SECLEVEL=0|g" /etc/ssl/openssl.cnf
ENTRYPOINT ["dotnet", "ConsoleApp1.dll"]
```

Code example can be found in this attachment: ConsoleApp1.zip The solution from @passuied didn't help, and neither did the solution from here: #927 Update: On adding these
Are you connecting to Aurora, or to a privately-hosted MySQL Server?
AFAICT, the connection is failing because your client can't negotiate a secure connection. Check the MySQL Manual on how to configure this: https://dev.mysql.com/doc/refman/5.6/en/encrypted-connection-protocols-ciphers.html#encrypted-connection-protocol-negotiation If you can establish a secure connection with some other client (e.g., MySQL Workbench), execute
When upgrading to .NET 5.0 on Linux and connecting to Aurora (v5.7), we're getting an OpenSslCryptographicException.
This occurs due to the default TLS cipher suites changing on .NET 5.0 Linux. It can be fixed by providing a custom CipherSuitesPolicy with a less restrictive cipher set.
This is a request to be able to configure the CipherSuitesPolicy (directly, or via a connection string) on .NET 5.0.
Stack Trace
.NET Breaking Changes Notes