On 2022-07-20 16:38, Viktor Dukhovni wrote:
> On Wed, Jul 20, 2022 at 04:14:44PM -0400, Ben Johnson wrote:
>
> > postfix/proxymap[3378003]: warning: connect to mysql server 127.0.0.1:
> > SSL connection error: error:1425F102:SSL
> > routines:ssl_choose_client_version:unsupported protocol
>
> These error messages are from the MySQL library; Postfix is just the
> messenger.
>
> > Ultimately, I cannot seem to determine why Postfix is trying to use TLS
> > when connecting to a local MariaDB instance that resides on the same
> > server, particularly when I have not configured Postfix to do so (at
> > least not knowingly).
>
> MySQL has a default ("my.cnf") client configuration file. The TLS
> settings are likely there.
>
> > Postfix's MYSQL_TABLE(5) documentation doesn't seem to contain anything
> > relevant to this issue, and in fact, I'm struggling to find any
> > documentation that describes how Postfix implements TLS when connecting
> > to MySQL/MariaDB.
>
> Postfix doesn't implement MySQL over TLS; that's the job of the MySQL
> client library.
>
> > I'm happy to provide my postfinger output if it seems relevant, but it's
> > voluminous, so I figured I'd refrain unless it's requested.
>
> It is not relevant.
>
> > # postconf -d | grep tls_high_cipherlist
> > tls_high_cipherlist = aNULL:-aNULL:HIGH:@STRENGTH
>
> Not relevant.
>
> > 1.) Can Postfix be instructed explicitly to use (or not to use) TLS when
> > connecting to MySQL/MariaDB over TCP? If so, how?
>
> The only relevant MySQL table definition setting is "tls_verify_cert",
> along with "tls_CAfile" and "tls_CApath". The default for the first
> is "no".
>
> > 2.) If not, how does Postfix decide whether or not to use TLS when
> > connecting to MySQL/MariaDB?
>
> Postfix does not make this decision.
>
> > 3.) If there is no way to prevent Postfix from trying to use TLS when
> > connecting to MySQL/MariaDB over a TCP connection (assume for the sake
> > of argument that a socket is not an option, or the database host is
> > remote), is there a mechanism by which to specify which
> > ciphers/cipher-suites to use?
>
> Adjust "my.cnf" accordingly, or use "option_file" and/or "option_group"
> to give the table a non-default set of parameters.
>
> https://www.postfix.org/mysql_table.5.html
Thank you very much, Viktor.
I appreciate the to-the-point reply, and it helped me identify the
underlying root cause.
As it turns out, in MariaDB versions 10.4 CS, 10.3 ES, 10.3 CS, 10.2 ES,
10.2 CS, the "require_secure_transport" option does not yet exist for
mysqld. Rather, the "--ssl" option is what controls TLS enforcement, and
crucially, it is enabled *implicitly* if *any* of the following are set:
--ssl-ca=name
--ssl-capath=name
--ssl-cert=name
--ssl-cipher=name
--ssl-key=name
I had set ssl-cert and ssl-key because I wanted to enable
*opportunistic* TLS to secure remote connections from clients for whom
an SSH tunnel was not an option. Little did I know that this would imply
--ssl=on! Setting ssl=off, explicitly, solves the problem for me.
So, this was a MariaDB *server* configuration issue, in the end.
Thanks again!
-Ben
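Editor's note: the two things a practitioner wants from this thread are a way to tell, from a MariaDB server option file alone, whether TLS has been switched on implicitly in the way Ben describes, and a picture of the other way out, which is to keep the server's TLS on and give the Postfix table its own client options via the mysql_table(5) parameters Viktor names (option_file, option_group, tls_CAfile, tls_verify_cert). The script below is an added example written for this page; it is not code from the thread, from Postfix or from MariaDB. It encodes exactly the rule Ben states (any of ssl-ca, ssl-capath, ssl-cert, ssl-cipher, ssl-key in a server group implies ssl=on unless ssl or skip-ssl is set explicitly), checks it against two constructed option files that mirror his before and after, and then writes a sample Postfix table file and client option group. The file names, the [client-postfix] group name, the host, database and query, the CA path and the connect_timeout value are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (editor's, not from the thread, Postfix or MariaDB).
# File names, the [client-postfix] group, host/db/query, the CA path and
# connect_timeout are assumptions made for illustration.

# Report the TLS state a MariaDB server (10.4 and earlier) derives from its
# option file. On those versions an ssl-ca, ssl-capath, ssl-cert, ssl-cipher
# or ssl-key line in a server group implies ssl=on unless ssl (or skip-ssl)
# is given explicitly. Prints one of: on, off, implied-on.
mariadb_tls_state() {
    awk '
        # server option groups; "_" and "-" in option names are interchangeable
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[(mysqld|mariadb|server)\][ \t]*$/); next }
        !insec { next }
        /^[ \t]*([#;]|$)/ { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            eq = index(line, "=")
            if (eq) { key = substr(line, 1, eq - 1); val = substr(line, eq + 1) }
            else    { key = line; val = "" }
            sub(/[ \t]+$/, "", key); gsub(/_/, "-", key)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "ssl")      { explicit = 1; on = (tolower(val) !~ /^(0|off|false|no)$/); next }
            if (key == "skip-ssl") { explicit = 1; on = 0; next }
            if (key ~ /^ssl-(ca|capath|cert|cipher|key)$/) material = 1
        }
        END {
            if (explicit) print (on ? "on" : "off")
            else if (material) print "implied-on"
            else print "off"
        }' "$1"
}

tmp=$(mktemp -d)   # constructed samples are left here for inspection

# Constructed sample 1: the situation from the thread. The intent was
# "offer TLS to remote clients that want it", with no explicit ssl line.
cat > "$tmp/before.cnf" <<'EOF'
[mysqld]
bind-address = 0.0.0.0
ssl-cert = /etc/mysql/server-cert.pem
ssl-key  = /etc/mysql/server-key.pem
EOF

# Constructed sample 2: the fix from the thread, stated explicitly.
cat > "$tmp/after.cnf" <<'EOF'
[mysqld]
bind-address = 0.0.0.0
ssl-cert = /etc/mysql/server-cert.pem
ssl-key  = /etc/mysql/server-key.pem
ssl = off
EOF

mariadb_tls_state "$tmp/before.cnf"   # implied-on
mariadb_tls_state "$tmp/after.cnf"    # off

# Alternative for a remote database: leave the server's TLS on and give the
# Postfix table its own client options (mysql_table(5): option_file,
# option_group, tls_CAfile, tls_verify_cert). Written under $tmp here; the
# real files belong in /etc/postfix, the table file mode 0640 root:postfix
# because it carries the password.
cat > "$tmp/mysql-client.cnf" <<'EOF'
# Group read only by Postfix tables that name it. Keep it free of ssl-*
# options so nothing is inherited from the [client] section used by the
# mysql command-line client.
[client-postfix]
connect_timeout = 5
EOF

cat > "$tmp/mysql-aliases.cf" <<'EOF'
hosts    = db.example.internal
user     = postfix
password = change-me
dbname   = mail
query    = SELECT goto FROM alias WHERE address = '%s'
option_file  = /etc/postfix/mysql-client.cnf
option_group = client-postfix
# Verify the server certificate against a CA you control; the default
# tls_verify_cert = no accepts any certificate the server presents.
tls_CAfile      = /etc/postfix/mysql-ca.pem
tls_verify_cert = yes
EOF
```

Two checks go with this. `openssl s_client -connect 127.0.0.1:3306 -starttls mysql` shows whether the server offers TLS at all and which protocol version it negotiates; `ssl_choose_client_version:unsupported protocol` is OpenSSL's error for a negotiated version outside the range the client allows, so if the server-side TLS is to stay on, that version range, not the Postfix configuration, is where to look. And after editing the table file, `postmap -q user@example.com mysql:/etc/postfix/mysql-aliases.cf` exercises the connection with the same library and options proxymap will use.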