<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<font face="Lato">Hi,<br>
<br>
MariaDB documentation says it accepts OpenSSL cipher strings in
its ssl_cipher parameters like ssl_cipher="TLSv1.2". <br>
This is also mentioned when creating or changing users in terms of
setting this with the REQUIRE CIPHER parameter like CREATE USER
... REQUIRE CIPHER 'TLSv1.2'...<br>
      So this is all very nice and also working, but sadly with a
      connection string from Dovecot it is not working anymore.<br>
      If you set the user only on REQUIRE SSL, the SSL connection and
      everything is working fine between Dovecot and MariaDB.<br>
      But when you set REQUIRE CIPHER 'TLSv1.2' in MariaDB and use
      ssl_cipher=TLSv1.2 in the connection string from Dovecot, you get
      the following errors; it does not account for the various ciphers of
      TLSv1.2 but rather expects TLSv1.2 somehow.<br>
<br>
[Note] X509 ciphers mismatch: should be 'TLSv1.2' but is
'DHE-RSA-AES256-GCM-SHA384'<br>
<br>
A good cipher is sent but the cipher cannot be TLSv1.2 of course
:)<br>
But no one will put in explicit ciphers there as this is dangerous
in my eyes, people forget updating... Also this is misbehaviour or
misdocumented.<br>
The thing is now where to address this. Dovecot or MariaDB. <br>
      As Dovecot seems to use a good cipher and MariaDB expects a
      TLSv1.2 string rather than a cipher out of TLSv1.2, I would say
      MariaDB, but I am not sure.<br>
<br>
Maybe Aki could say something to it, would be great.<br>
<br>
Thanks!<br>
<br>
      The docs from MariaDB on this are here:<br>
</font><a href="https://mariadb.com/kb/en/library/create-user/">https://mariadb.com/kb/en/library/create-user/</a><br>
<a
href="https://mariadb.com/kb/en/library/securing-connections-for-client-and-server/">https://mariadb.com/kb/en/library/securing-connections-for-client-and-server/</a>
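<br>
<br>
The mismatch in the log line above, as an added example that is not part of the original message and is not MariaDB or Dovecot code: Python's ssl module expands the OpenSSL cipher string "TLSv1.2" into its cipher list and contrasts a literal comparison with a list-membership check. That REQUIRE CIPHER compares the value literally is an assumption drawn from the log line, and the function names are hypothetical.<br>
<pre>
```python
import ssl

# Values taken from the log line quoted in the message.
REQUIRED = "TLSv1.2"
NEGOTIATED = "DHE-RSA-AES256-GCM-SHA384"


def expand(cipher_string):
    """Return the cipher names the local OpenSSL selects for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def literal_match(required, negotiated):
    """Assumed server-side check: the required value is compared as a plain
    string against the single cipher name the handshake negotiated."""
    return required == negotiated


def cipher_string_match(required, negotiated):
    """Hypothetical alternative: treat the required value as a cipher string
    and accept any cipher it expands to."""
    try:
        return negotiated in expand(required)
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    names = expand(REQUIRED)
    print(len(names), "ciphers selected by", repr(REQUIRED))
    print("literal comparison:", literal_match(REQUIRED, NEGOTIATED))
    print("cipher-string membership:", cipher_string_match(REQUIRED, NEGOTIATED))
    # A literal requirement only passes for the exact negotiated name.
    print("explicit name:", literal_match(NEGOTIATED, NEGOTIATED))
```
</pre>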
</body>
</html>