How to fix Logjam vulnerability with MySQL

Solution 1:

The MySQL 5.7.6 release notes contain the following:

Security Fix: Due to the LogJam issue (https://weakdh.org/), OpenSSL has changed the Diffie-Hellman key length parameters for openssl-1.0.1n and up. OpenSSL has provided a detailed explanation at http://openssl.org/news/secadv_20150611.txt. To adopt this change in MySQL, the key length used in vio/viosslfactories.c for creating Diffie-Hellman keys has been increased from 512 to 2,048 bits. (Bug #77275, Bug #21221862, Bug #18367167, Bug #21307471)

It appears from this that the DH size was hardcoded to 512 bits in MySQL before 5.7.6 (permanent logjam?). As later versions of OpenSSL reject these weak keys, upgrading OpenSSL without upgrading MySQL appears to break things.

Solution 2:

We were able to fix our connection problems by forcing the use of a non-Diffie-Hellman SSL cipher.

  • With our mysql 5.5.42 Linux client we had success with specifying the --ssl-cipher=AES256-SHA command line option, as specified in this bug report.

  • Our (Java7) MySQL 5.1.35 jdbc client, however, did not like that cipher, but worked when we specified enabledSSLCipherSuites=TLS_RSA_WITH_AES_128_CBC_SHA in our connection string, as recommended here.

YMMV
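Before forcing a cipher on every client, it helps to confirm whether a given server is actually offering a 512-bit DH group. The script below is an added example and is not part of either answer above: it runs `openssl s_client` against the MySQL port with a DHE-only cipher list so the server's ephemeral DH group is exposed, then classifies the `Server Temp Key:` line that s_client prints. `-starttls mysql` and the `Server Temp Key` output are assumed to come from a reasonably recent OpenSSL (1.1.x or later); the sample handshake output at the bottom is constructed for offline use, not a real capture.

```shell
#!/bin/sh
# Added example, not code from the answers above.
# Classifies the finite-field DH group size a server negotiates, so a
# Logjam-class configuration (MySQL < 5.7.6 with its hardcoded 512-bit DH)
# can be spotted without guessing from client connection failures.

MIN_DH_BITS=2048   # the size MySQL 5.7.6+ generates; anything below is suspect

# classify_dh: reads `openssl s_client` output on stdin and prints one of
#   weak-dh <bits>  DHE negotiated with a group smaller than MIN_DH_BITS (exit 1)
#   ok-dh <bits>    DHE negotiated with an acceptable group size        (exit 0)
#   no-dh           no finite-field DH exchange (ECDHE, RSA kex, or no TLS) (exit 0)
classify_dh() {
    # s_client prints e.g. "Server Temp Key: DH, 512 bits" for DHE suites;
    # ECDHE suites print "Server Temp Key: ECDH, P-256, 256 bits" and are skipped.
    bits=$(sed -n 's/^ *Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1)
    if [ -z "$bits" ]; then
        echo "no-dh"
        return 0
    fi
    if [ "$bits" -lt "$MIN_DH_BITS" ]; then
        echo "weak-dh $bits"
        return 1
    fi
    echo "ok-dh $bits"
    return 0
}

# probe_mysql_dh HOST [PORT]: live check. Assumes network reachability and an
# OpenSSL that understands `-starttls mysql`. The DHE-only cipher list forces
# the server to reveal its DH group even if it would normally prefer ECDHE.
probe_mysql_dh() {
    host=$1
    port=${2:-3306}
    openssl s_client -connect "$host:$port" -starttls mysql -cipher 'DHE' \
        </dev/null 2>/dev/null | classify_dh
}

# Constructed sample (not a real capture) showing what a pre-5.7.6 server yields.
SAMPLE_WEAK='SSL handshake has read 1502 bytes and written 433 bytes
Server Temp Key: DH, 512 bits
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA'

if printf '%s\n' "$SAMPLE_WEAK" | classify_dh; then
    echo "sample: DH group acceptable"
else
    echo "sample: weak DH group, clients with newer OpenSSL will refuse this server"
fi
```

Run `probe_mysql_dh db.example.internal` against a real server; a `weak-dh` result means the fix is upgrading the server (Solution 1), with the client-side cipher pinning in Solution 2 only as a stopgap, since AES256-SHA / TLS_RSA_WITH_AES_128_CBC_SHA give up forward secrecy entirely.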