Troubleshoot OpenSSL 3.0 Connections

Overview

As of SingleStore 8.1, OpenSSL 3.0 is now used to establish secure connections to SingleStore. As a consequence, a client certificate that uses SHA or MD5 hash functions in its signature must be replaced with a certificate that uses SHA256 at a minimum, or a secure connection to SingleStore cannot be established.

There are a few places where cipher suites may be specified:

SingleStore has been configured by explicitly setting the ssl_cipher engine variable, either via the memsql.cnf file or via the sdb-admin update-config command. To resolve this, clear the ssl_cipher value so that the defaults are used.
SingleStore may be configured to use specific TLS version(s). As such, SingleStore recommends that you check if the TLS version has been set. If it has, you may either remove the value so that the defaults are used, or configure SingleStore with the recommended value of TLSv1.2. While SingleStore supports TLS v1, TLS v1.1, and TLS v1.2, using TLS v1.2 is recommended. When FIPS is enabled, only TLS v1.2 is supported. Refer to Specifying the TLS Version for more information.
A SQL client, such as mysql and others, has been configured to use a specific TLS version and/or a cipher suite.

To resolve this:
- Use the latest version of the SQL client
- Confirm that it supports TLS v1.2
- Use the SQL client’s defaults
As the SSL configuration may be set in either the application or in the system's OpenSSL configuration file, you may need to check both to determine where the defaults are actually set.

SingleStore recommends using a supported cipher suite.

Check the Cipher Suite

There are two methods you can use to check which hash algorithm is used for the current SSL certificate:

Method 1: Run the following from the command line.

Shell

openssl x509 -in cert.pem -text -noout | grep "Signature Algorithm"

Method 2: Check the certificate on a Web site such as this certificate checker.

These tools will confirm which cipher suite is used for the SSL certificate, which must be one of the supported algorithms in Specify a Cipher Suite.

Specify a Cipher Suite

While specifying ciphers isn't recommended, you may ensure that the ciphers you set are from the safe list of ciphers supported by both OpenSSL 1.0 and 3.0, with or without FIPS enabled. Specifically:

Supported Cipher Suite	OpenSSL 1.0	OpenSSL 3.0
AES128-GCM-SHA256		✔
AES128-SHA		✔
AES128-SHA256		✔
AES256-GCM-SHA384		✔
AES256-SHA		✔
AES256-SHA256		✔
DHE-RSA-AES128-GCM-SHA256	✔	✔
DHE-RSA-AES128-SHA		✔
DHE-RSA-AES128-SHA256		✔
DHE-RSA-AES256-GCM-SHA384	✔	✔
DHE-RSA-AES256-SHA		✔
DHE-RSA-AES256-SHA256		✔
ECDHE-ECDSA-AES128-GCM-SHA256	✔	✔
ECDHE-ECDSA-AES128-SHA		✔
ECDHE-ECDSA-AES128-SHA256		✔
ECDHE-ECDSA-AES256-GCM-SHA384	✔	✔
ECDHE-ECDSA-AES256-SHA		✔
ECDHE-ECDSA-AES256-SHA384		✔
ECDHE-RSA-AES128-GCM-SHA256	✔	✔
ECDHE-RSA-AES128-SHA		✔
ECDHE-RSA-AES128-SHA256		✔
ECDHE-RSA-AES256-GCM-SHA384	✔	✔
ECDHE-RSA-AES256-SHA		✔
ECDHE-RSA-AES256-SHA384		✔

Refer to Specifying the TLS Version for more information.

Connect After Upgrading

To connect to SingleStore 8.1, you will need to check for, and may need to create, new certificates that use the recommended ciphers for new clusters and those that have been upgraded to version 8.1.

Plan for the Upgrade

For the clusters running an earlier version of SingleStore:

Create a new test cluster (such as a Cluster in a Box - Linux Host) running SingleStore 8.1.
Attempt to connect to this test cluster with existing clients and application drivers.
1. If you can connect to this test cluster, delete this cluster as you can safely upgrade your existing cluster(s) to version 8.1.
2. If you cannot connect to this test cluster due to a connection error:
  1. Update the cipher used in your SSL certificate(s).
  2. Attempt to reconnect to this test cluster.
3. Once you can successfully connect to this test cluster, delete this cluster as you can safely upgrade your existing cluster(s) to version 8.1.

On this page