Troubleshoot OpenSSL 3.0 Connections

Overview

As of SingleStore 8.1, OpenSSL 3.0 is used to establish secure connections to SingleStore. As a consequence, a client certificate whose signature uses the SHA or MD5 hash functions must be replaced with a certificate that uses SHA256 at a minimum; otherwise, a secure connection to SingleStore cannot be established.

There are a few places where cipher suites may be specified:

  • SingleStore has been configured by explicitly setting the ssl_cipher engine variable, either via the memsql.cnf file or via the sdb-admin update-config command. To resolve this, clear the ssl_cipher value so that the defaults are used.

  • SingleStore may be configured to use specific TLS version(s). As such, SingleStore recommends that you check if the TLS version has been set. If it has, you may either remove the value so that the defaults are used, or configure SingleStore with the recommended value of TLSv1.2. While SingleStore supports TLS v1, TLS v1.1, and TLS v1.2, using TLS v1.2 is recommended. When FIPS is enabled, only TLS v1.2 is supported. Refer to Specifying the TLS Version for more information.

  • A SQL client, such as mysql and others, has been configured to use a specific TLS version and/or a cipher suite.

    To resolve this:

    • Use the latest version of the SQL client

    • Confirm that it supports TLS v1.2

    • Use the SQL client’s defaults

  • As the SSL configuration may be set in either the application or in the system's OpenSSL configuration file, you may need to check both to determine where the defaults are actually set.

SingleStore recommends using a supported cipher suite.

Check the Cipher Suite

There are two methods you can use to check which hash algorithm is used for the current SSL certificate:

  • Method 1: Run the following from the command line.

    openssl x509 -in cert.pem -text -noout | grep "Signature Algorithm"

  • Method 2: Check the certificate on a Web site such as this certificate checker.

These tools will confirm which cipher suite is used for the SSL certificate, which must be one of the supported algorithms in Specify a Cipher Suite.
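As an added example (not from the SingleStore documentation), the following POSIX shell helper classifies the "Signature Algorithm" line printed by the Method 1 command so that MD5- and SHA-1-signed certificates are flagged for replacement; the sample lines are constructed, and check_cert_file is a hypothetical wrapper name.

```shell
#!/bin/sh
# Added example: classify the "Signature Algorithm" line that
# `openssl x509 -in cert.pem -text -noout` prints. Certificates signed with
# MD5 or SHA-1 must be replaced before connecting with OpenSSL 3.0; SHA-256
# and stronger are accepted. Prints "replace", "ok" or "unknown".
classify_sig_alg() {
  lower=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$lower" in
    *md2*|*md4*|*md5*|*sha1*) echo "replace" ;;
    *sha256*|*sha384*|*sha512*) echo "ok" ;;
    *) echo "unknown" ;;   # empty line or an algorithm not recognised here
  esac
}

# Hypothetical wrapper: run Method 1 on a certificate file and classify the
# first "Signature Algorithm" line (it appears twice in the -text output).
check_cert_file() {
  sig_line=$(openssl x509 -in "$1" -text -noout 2>/dev/null \
             | grep -m1 "Signature Algorithm")
  classify_sig_alg "$sig_line"
}

# Constructed sample lines in the format openssl prints (not real certificates).
for sample in \
  "    Signature Algorithm: sha1WithRSAEncryption" \
  "    Signature Algorithm: md5WithRSAEncryption" \
  "    Signature Algorithm: sha256WithRSAEncryption" \
  "    Signature Algorithm: ecdsa-with-SHA384"
do
  printf '%-50s -> %s\n' "$sample" "$(classify_sig_alg "$sample")"
done
```

Run `check_cert_file cert.pem` against a real certificate file; a result of "replace" means the certificate has to be reissued with SHA256 or stronger before the upgrade.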

Specify a Cipher Suite

Although specifying ciphers isn't recommended, if you do set them, ensure that they come from the following safe list of ciphers, which are supported by both OpenSSL 1.0 and 3.0, with or without FIPS enabled. Specifically:

Supported cipher suites (each is supported by both OpenSSL 1.0 and OpenSSL 3.0):

  • AES128-GCM-SHA256

  • AES128-SHA

  • AES128-SHA256

  • AES256-GCM-SHA384

  • AES256-SHA

  • AES256-SHA256

  • DHE-RSA-AES128-GCM-SHA256

  • DHE-RSA-AES128-SHA

  • DHE-RSA-AES128-SHA256

  • DHE-RSA-AES256-GCM-SHA384

  • DHE-RSA-AES256-SHA

  • DHE-RSA-AES256-SHA256

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-SHA

  • ECDHE-RSA-AES128-SHA256

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-SHA

  • ECDHE-RSA-AES256-SHA384

Refer to Specifying the TLS Version for more information.
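As an added example (not part of the SingleStore documentation), this POSIX shell script checks a colon-separated cipher list, the form used for the ssl_cipher engine variable, against the supported suites listed above and reports any entry that is not on the list; the sample ssl_cipher value is constructed.

```shell
#!/bin/sh
# Added example: validate an OpenSSL-style cipher list (the ssl_cipher form)
# against the suites supported by both OpenSSL 1.0 and 3.0, with or without
# FIPS, as listed in "Specify a Cipher Suite".
SUPPORTED_SUITES="
AES128-GCM-SHA256 AES128-SHA AES128-SHA256
AES256-GCM-SHA384 AES256-SHA AES256-SHA256
DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES128-SHA256
DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA DHE-RSA-AES256-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES256-SHA384
"

# Returns 0 if the single suite name is on the supported list, 1 otherwise.
is_supported_suite() {
  for s in $SUPPORTED_SUITES; do
    [ "$s" = "$1" ] && return 0
  done
  return 1
}

# Splits a cipher list on ':' and prints every entry that is not supported,
# one per line. Returns 0 when every entry is supported, 1 otherwise.
unsupported_in_cipher_list() {
  old_ifs=$IFS
  IFS=':'
  set -- $1
  IFS=$old_ifs
  rc=0
  for entry in "$@"; do
    is_supported_suite "$entry" || { echo "$entry"; rc=1; }
  done
  return $rc
}

# Constructed sample ssl_cipher value: two supported suites plus RC4-SHA,
# which is not on the list and must be removed (or ssl_cipher cleared).
sample='ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA256:RC4-SHA'
bad=$(unsupported_in_cipher_list "$sample") || true
if [ -n "$bad" ]; then
  printf 'ssl_cipher contains unsupported suite(s): %s\n' "$bad"
else
  echo "ssl_cipher is limited to supported suites"
fi
```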

Connect After Upgrading

To connect to SingleStore 8.1, whether to a new cluster or to one that has been upgraded to version 8.1, check your existing certificates and, if needed, create new certificates that use the recommended ciphers.

Plan for the Upgrade

For the clusters running an earlier version of SingleStore:

  1. Create a new test cluster (such as a Cluster in a Box - Linux Host) running SingleStore 8.1.

  2. Attempt to connect to this test cluster with existing clients and application drivers.

    1. If you can connect to this test cluster, delete this cluster as you can safely upgrade your existing cluster(s) to version 8.1.

    2. If you cannot connect to this test cluster due to a connection error:

      1. Update the cipher used in your SSL certificate(s).

      2. Attempt to reconnect to this test cluster.

    3. Once you can successfully connect to this test cluster, delete this cluster as you can safely upgrade your existing cluster(s) to version 8.1.

Last modified: March 8, 2024
