Troubleshoot OpenSSL 3.0 Connections
Overview
As of SingleStoreDB 8.1, OpenSSL 3.0 is used to establish secure connections to SingleStoreDB. As a consequence, a client certificate whose signature uses the SHA-1 or MD5 hash function must be replaced with a certificate that uses SHA256 at a minimum; otherwise, a secure connection to SingleStoreDB cannot be established.
There are a few places where cipher suites may be specified:
SingleStoreDB has been configured by explicitly setting the ssl_cipher engine variable, either via the memsql.cnf file or via the sdb-admin update-config command. To resolve this, clear the ssl_cipher value so that the defaults are used.
SingleStoreDB may be configured to use specific TLS version(s). It is therefore recommended that you check whether the TLS version has been set. If it has, either remove the value so that the defaults are used, or configure SingleStoreDB with the recommended value of TLSv1.2. While SingleStoreDB supports TLS v1, TLS v1.1, and TLS v1.2, using TLS v1.2 is recommended. When FIPS is enabled, only TLS v1.2 is supported. Refer to Specifying the TLS Version for more information.
A SQL client, such as mysql and others, has been configured to use a specific TLS version and/or a cipher suite. To resolve this:
Use the latest version of the SQL client
Confirm that it supports TLS v1.2
Use the SQL client’s defaults
As the SSL configuration may be set either in the application or in the system's OpenSSL configuration file, you may need to check both to determine where the defaults are actually set.
SingleStore recommends using a supported cipher suite.
Check the Cipher Suite
There are two methods you can use to check which hash algorithm is used for the current SSL certificate:
Method 1: Run the following from the command line.
openssl x509 -in cert.pem -text -noout | grep "Signature Algorithm"
Method 2: Check the certificate on a Web site such as this certificate checker.
These tools confirm which algorithm the SSL certificate uses, which must be one of the supported algorithms listed in Specify a Cipher Suite.
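A third way to perform the Method 1 check, as an added example that is not part of the SingleStore documentation and does not shell out to openssl: the script below walks the certificate's DER structure, reads the outer signatureAlgorithm OID, and flags SHA-1 and MD5 signatures, which OpenSSL 3.0 rejects. It assumes the certificate is supplied as bytes (a PEM file read in binary mode, or DER); the stub_cert helper and the SAMPLE_* values are constructed test inputs, not real certificates.

```python
import base64
import re

# Certificate signature algorithms keyed by the DER-encoded OID content bytes (hex).
# OpenSSL 3.0 rejects certificates signed with SHA-1 or MD5, so those count as weak.
SIG_NAMES = {
    "2a864886f70d010104": "md5WithRSAEncryption",     # 1.2.840.113549.1.1.4
    "2a864886f70d010105": "sha1WithRSAEncryption",    # 1.2.840.113549.1.1.5
    "2a8648ce3d0401": "ecdsa-with-SHA1",              # 1.2.840.10045.4.1
    "2a864886f70d01010b": "sha256WithRSAEncryption",  # 1.2.840.113549.1.1.11
    "2a8648ce3d040302": "ecdsa-with-SHA256",          # 1.2.840.10045.4.3.2
}
WEAK_HASHES = ("md5", "sha1")

def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def signature_algorithm(cert):
    """Hex OID of the certificate's outer signatureAlgorithm; cert is PEM or DER bytes."""
    if b"-----BEGIN" in cert:  # strip PEM armour and whitespace, then decode
        cert = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", cert))
    _, body, _ = der_tlv(cert, 0)         # Certificate ::= SEQUENCE {
    _, _, pos = der_tlv(body, 0)          #   tbsCertificate   (skipped)
    _, alg_id, _ = der_tlv(body, pos)     #   signatureAlgorithm SEQUENCE {
    tag, oid_raw, _ = der_tlv(alg_id, 0)  #     algorithm OID, parameters }
    return oid_raw.hex() if tag == 0x06 else None

def check_cert(cert):
    """Return (ok, name): ok is False for SHA-1/MD5 or unrecognised signatures."""
    name = SIG_NAMES.get(signature_algorithm(cert))
    if name is None:
        return False, "unrecognised signature algorithm"
    return not any(h in name.lower() for h in WEAK_HASHES), name

def stub_cert(sig_oid_der):
    """Constructed test input only: a Certificate shell with an empty tbsCertificate."""
    alg = b"\x06" + bytes([len(sig_oid_der)]) + sig_oid_der + b"\x05\x00"
    body = b"\x30\x00\x30" + bytes([len(alg)]) + alg + b"\x03\x01\x00"
    return b"\x30" + bytes([len(body)]) + body

SAMPLE_SHA1_DER = stub_cert(bytes.fromhex("2a864886f70d010105"))    # sha1WithRSA
SAMPLE_SHA256_DER = stub_cert(bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSA
SAMPLE_SHA1_PEM = b"-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(SAMPLE_SHA1_DER)
```

To check a real file, pass the result of open("cert.pem", "rb").read() to check_cert; a False result means the certificate must be reissued with SHA256 or stronger before connecting to SingleStoreDB 8.1.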
Specify a Cipher Suite
While specifying ciphers isn't recommended, if you do so, ensure that the ciphers you set are from the list of ciphers supported by both OpenSSL 1.0 and 3.0, with or without FIPS enabled. Specifically:
Supported Cipher Suite | OpenSSL 1.0 | OpenSSL 3.0 |
AES128-GCM-SHA256 | ✔ | |
AES128-SHA | ✔ | |
AES128-SHA256 | ✔ | |
AES256-GCM-SHA384 | ✔ | |
AES256-SHA | ✔ | |
AES256-SHA256 | ✔ | |
DHE-RSA-AES128-GCM-SHA256 | ✔ | ✔ |
DHE-RSA-AES128-SHA | ✔ | |
DHE-RSA-AES128-SHA256 | ✔ | |
DHE-RSA-AES256-GCM-SHA384 | ✔ | ✔ |
DHE-RSA-AES256-SHA | ✔ | |
DHE-RSA-AES256-SHA256 | ✔ | |
ECDHE-ECDSA-AES128-GCM-SHA256 | ✔ | ✔ |
ECDHE-ECDSA-AES128-SHA | ✔ | |
ECDHE-ECDSA-AES128-SHA256 | ✔ | |
ECDHE-ECDSA-AES256-GCM-SHA384 | ✔ | ✔ |
ECDHE-ECDSA-AES256-SHA | ✔ | |
ECDHE-ECDSA-AES256-SHA384 | ✔ | |
ECDHE-RSA-AES128-GCM-SHA256 | ✔ | ✔ |
ECDHE-RSA-AES128-SHA | ✔ | |
ECDHE-RSA-AES128-SHA256 | ✔ | |
ECDHE-RSA-AES256-GCM-SHA384 | ✔ | ✔ |
ECDHE-RSA-AES256-SHA | ✔ | |
ECDHE-RSA-AES256-SHA384 | ✔ | |
Refer to Specifying the TLS Version for more information.
Connect After Upgrading
To connect to SingleStoreDB 8.1, whether to a new cluster or to one that has been upgraded to version 8.1, you will need to check your certificates and may need to create new certificates that use the recommended ciphers.
Plan for the Upgrade
For clusters running an earlier version of SingleStoreDB:
Create a new test cluster (such as a Cluster in a Box - Linux Host) running SingleStoreDB 8.1.
Attempt to connect to this test cluster with existing clients and application drivers.
If you can connect to this test cluster, you can safely upgrade your existing cluster(s) to version 8.1, and the test cluster can be deleted.
If you cannot connect to this test cluster due to a connection error:
Update the cipher used in your SSL certificate(s).
Attempt to reconnect to this test cluster.
Once you can successfully connect to this test cluster, you can safely upgrade your existing cluster(s) to version 8.1, and the test cluster can be deleted.