Hi,

MariaDB documentation says it accepts OpenSSL cipher strings in its ssl_cipher parameters like ssl_cipher="TLSv1.2".
This is also mentioned when creating or changing users in terms of setting this with the REQUIRE CIPHER parameter like CREATE USER ... REQUIRE CIPHER 'TLSv1.2'...
So this is all very nice and also working but sadly whith a connection string from dovecot it is not working anymore.
If you set the user only on REQUIRE SSL, the ssl connection and everything is working fine between dovecot and mariaDB.
But when you set REQUIRE CIPHER 'TLSv1.2' in mariaDB and use ssl_cipher=TLSv1.2 in the connection string from dovecot you get the following errors, it does not account the various ciphers of TLSv1.2 but rather expects TLSv1.2 somehow.

[Note] X509 ciphers mismatch: should be 'TLSv1.2' but is 'DHE-RSA-AES256-GCM-SHA384'

A good cipher is sent but the cipher cannot be TLSv1.2 of course :)
But no one will put in explicit ciphers there as this is dangerous in my eyes, people forget updating... Also this is misbehaviour or misdocumented.
The thing is now where to address this. Dovecot or MariaDB.
As dovecot seems to use a good cipher and MariaDB expects a TLSv1.2 string rather than a cipher out of TLSv1.2 I would say mariaDB but am not sure.

Maybe Aki could say something to it, would be great.

Thanks!

The docs from mariaDB to this are here :
https://mariadb.com/kb/en/library/create-user/
https://mariadb.com/kb/en/library/securing-connections-for-client-and-server/