
Reconfigure TLS settings inside MariaDB
Open, Normal, Public

Description

There seem to be various TLS settings inside the MariaDB configuration right now, but they depend on the wildcard cert (should have a new keypair instead) and no ciphers have been configured yet.

OpenSSL has a preference over yaSSL, although it looks like we're already using the MariaDB version with OpenSSL support compiled, so that's great. The goal of this task is not to require TLS connections yet, just to make it work properly so we can concentrate on the clients afterwards.

Event Timeline

Paladox added a subscriber: Paladox. (Jan 16 2019, 19:59)
John moved this task from Backlog to Operations on the Goal-2019-Jan-Jun board. (Jan 16 2019, 20:05)
Paladox triaged this task as High priority. (Jan 16 2019, 20:09)
Southparkfan lowered the priority of this task from High to Normal. (Feb 9 2019, 01:41)

We're definitely using OpenSSL for MariaDB 10.2.24, great. First step would be creating a Miraheze CA with easy-rsa.

Ideally we only use TLS 1.3 or later, but the tls_version variable is only available in 10.4, which is the development version: see also here. Oh well, at least SSLv3 is disabled.

Ciphers? https://cipherli.st recommends EECDH+AESGCM:EDH+AESGCM, though a performance comparison is crucial.
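
An added example, not part of the task or of Miraheze's configuration: a small audit of the `[mysqld]` TLS options this task is about (a dedicated keypair instead of the wildcard cert, and an explicit cipher list). Both sample configs, all file paths and the `wildcard` filename marker are constructed assumptions; `ssl_ca`, `ssl_cert`, `ssl_key` and `ssl_cipher` are MariaDB server options.

```python
import configparser

# Constructed samples (not Miraheze's real config); every path is hypothetical.
BEFORE = """
[mysqld]
ssl-ca   = /etc/ssl/certs/ca-bundle.crt
ssl-cert = /etc/ssl/certs/wildcard.example.org.crt
ssl-key  = /etc/ssl/private/wildcard.example.org.key
"""
AFTER = """
[mysqld]
ssl_ca     = /etc/mysql/ssl/internal-ca.crt
ssl_cert   = /etc/mysql/ssl/db1.crt
ssl_key    = /etc/mysql/ssl/db1.key
ssl_cipher = EECDH+AESGCM:EDH+AESGCM
"""

# OpenSSL cipher-string keywords / name prefixes for ephemeral (EC)DH.
EPHEMERAL = ("EECDH", "ECDHE", "EDH", "DHE")


def audit(cnf_text, shared_cert_markers=("wildcard",)):
    """Return a list of findings for the [mysqld] TLS options in cnf_text."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(cnf_text)
    # MariaDB accepts ssl-cert and ssl_cert interchangeably; normalise to "_".
    opts = {k.replace("-", "_"): (v or "").strip()
            for k, v in cp["mysqld"].items()}
    findings = []
    for name in ("ssl_ca", "ssl_cert", "ssl_key"):
        if not opts.get(name):
            findings.append(f"{name} is not set")
    for name in ("ssl_cert", "ssl_key"):
        if any(m in opts.get(name, "").lower() for m in shared_cert_markers):
            findings.append(f"{name} points at a shared/wildcard keypair")
    cipher = opts.get("ssl_cipher", "")
    if not cipher:
        findings.append("ssl_cipher is not set; the library default list applies")
    for token in cipher.split(":"):
        if not token or token[0] in "!-":  # skip empty and exclusion entries
            continue
        if "GCM" not in token:
            findings.append(f"cipher entry {token!r} is not restricted to AES-GCM")
        if not any(k in token for k in EPHEMERAL):
            findings.append(f"cipher entry {token!r} does not name an (EC)DHE key exchange")
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text) or "no findings")
```

The check reads only the configuration file; which suites the server actually offers still depends on the OpenSSL build it is linked against.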