TLSv1.2 can't be enabled in MySQL 5.7 #567

Closed
ralgozino opened this issue May 31, 2019 · 4 comments

ralgozino commented May 31, 2019

Hello!

I was trying to enable TLSv1.2 in a container based on the mysql:5.7 image, but I get a message saying that:

[Warning] Failed to set up SSL because of the following SSL library error: TLS version is invalid

I can reproduce this doing:
docker run --name sql57 -e MYSQL_ROOT_PASSWORD=example -d mysql:5.7 --ssl --tls-version "TLSv1.2"

It seems to be using OpenSSL, which according to the MySQL documentation should be able to handle TLSv1.2.

mysql> show variables like '%ssl%';
+---------------+-----------------+
| Variable_name | Value           |
+---------------+-----------------+
| have_openssl  | YES             |
| have_ssl      | YES             |
| ssl_ca        | ca.pem          |
| ssl_capath    |                 |
| ssl_cert      | server-cert.pem |
| ssl_cipher    |                 |
| ssl_crl       |                 |
| ssl_crlpath   |                 |
| ssl_key       | server-key.pem  |
+---------------+-----------------+
9 rows in set (0.00 sec)

Maybe mysql is being compiled linked to an old version of openssl?

@ralgozino ralgozino changed the title TLSv1.2 can't be enabled in Mysql 5.7 TLSv1.2 can't be enabled in MySQL 5.7 May 31, 2019
@wglambert

The openssl used is from Debian Stretch's stable repos https://packages.debian.org/stretch/openssl

$ docker run --rm mysql:5.7 openssl version
OpenSSL 1.1.0f  25 May 2017

@yosifkit
Member

This seems to be just a limitation of the mysql:5.7 image and not of mysql:8.0; perhaps the upstream repo needs to be updated to compile with newer ssl support? (http://repo.mysql.com/apt/debian/).

$ docker run --name sql57 -e MYSQL_ROOT_PASSWORD=example -d mysql:5.7 --ssl
...
$ docker exec -it sql57 bash
root@d20308a71038:/# mysql -uroot -pexample 
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.26 MySQL Community Server (GPL)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> SHOW GLOBAL VARIABLES LIKE 'tls_version';
+---------------+---------------+
| Variable_name | Value         |
+---------------+---------------+
| tls_version   | TLSv1,TLSv1.1 |
+---------------+---------------+
1 row in set (0.01 sec)

mysql>

$ docker run --name sql80 -e MYSQL_ROOT_PASSWORD=example -d mysql:8.0 --ssl
...
$ docker exec -it sql80 bash
root@da2c06eb3649:/# ps
bash: ps: command not found
root@da2c06eb3649:/# mysql -uroot -pexample
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 8.0.16 MySQL Community Server - GPL

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> SHOW GLOBAL VARIABLES LIKE 'tls_version';
+---------------+-----------------------+
| Variable_name | Value                 |
+---------------+-----------------------+
| tls_version   | TLSv1,TLSv1.1,TLSv1.2 |
+---------------+-----------------------+
1 row in set (0.01 sec)

@ltangvald
Collaborator

This is a limitation in yaSSL (which is what the community edition of 5.7 uses currently); it only supports 1.1.

@tianon
Member

tianon commented Jun 3, 2019

Makes sense, thanks for confirming. ❤️ 👍

(Closing, given there's nothing else we can do here from the image.)

@tianon tianon closed this as completed Jun 3, 2019
Pontus4 added a commit to twingly/ecco that referenced this issue May 24, 2021
TLS 1.0 and 1.1 were disabled in the current latest version of JDK8,
but these are the only protocols supported by the MySQL 5.7 image.
SSL was disabled as a workaround to the problem.

JDK release notes:
https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8202343

Comment about MySQL 5.7 protocol support:
docker-library/mysql#567 (comment)
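
An added example, not code from this thread or from the image maintainers: a Python check that parses the `SHOW GLOBAL VARIABLES LIKE 'tls_version'` output quoted above and reports whether a client restricted to TLSv1.2 and newer can still negotiate a protocol with the server. The sample tables are taken from the thread's output (borders trimmed); the client protocol set and all function names are assumptions.

```python
import re

# Protocol names as MySQL prints them in tls_version, oldest first.
ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
DEPRECATED = {"TLSv1", "TLSv1.1"}  # formally deprecated by RFC 8996

# Assumption: a client with TLS 1.0/1.1 disabled, like the JDK 8 update
# described in the commit message above.
MODERN_CLIENT = {"TLSv1.2", "TLSv1.3"}

# Sample input: the two result tables quoted in this thread, borders trimmed.
MYSQL57_OUTPUT = """\
| Variable_name | Value         |
| tls_version   | TLSv1,TLSv1.1 |
"""
MYSQL80_OUTPUT = """\
| Variable_name | Value                 |
| tls_version   | TLSv1,TLSv1.1,TLSv1.2 |
"""


def parse_tls_version(text):
    """Return the tls_version list from mysql table (|) or batch (tab) output."""
    for line in text.splitlines():
        cells = [c.strip() for c in re.split(r"[|\t]", line) if c.strip()]
        if len(cells) == 2 and cells[0] == "tls_version":
            return [v.strip() for v in cells[1].split(",") if v.strip()]
    raise ValueError("no tls_version row in input")


def audit(text, client_protocols):
    """Compare the server's protocol list with what a client will accept."""
    server = parse_tls_version(text)
    common = [p for p in ORDER if p in server and p in client_protocols]
    return {
        "server": server,
        # TLS settles on the highest version both sides support;
        # None means there is no overlap and the handshake fails.
        "negotiable": common[-1] if common else None,
        "deprecated_offered": [p for p in server if p in DEPRECATED],
        "deprecated_only": bool(server) and all(p in DEPRECATED for p in server),
    }


if __name__ == "__main__":
    for name, out in (("mysql:5.7", MYSQL57_OUTPUT), ("mysql:8.0", MYSQL80_OUTPUT)):
        print(name, audit(out, MODERN_CLIENT))
```

A `negotiable` value of `None` is the condition under which a client's only options are re-enabling deprecated protocols or dropping TLS, so it is worth failing a deployment check on.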