Re: PSV: Patch system offline due to system upgrade

["Russell King (Oracle)" <linux@armlinux.org.uk>]

On Wed, Jun 21, 2023 at 12:53:20PM +0100, Russell King (Oracle) wrote:
> All,
> 
> Sorry, but the patch system will be offline for a while, thanks to
> upgrading the mail server from Debian Buster to Debian Bookworm; the
> perl scripts can no longer connect to the SQL server with the totally
> unfathomable complaint:
> 
> DBI connect('database=armlinux;host=sql.armlinux.org.uk;mysql_ssl=1;mysql_ssl_ca_file=/etc/local/pki/mysql-cacert.pem;mysql_ssl_verify_server_cert=1',...,...) failed: SSL connection error: Enforcing SSL encryption is not supported 
> 
> It _looks_ from what the error message seems to be saying that the
> perl DBI folk have *disabled* SSL on database connections... seriously?
> In this day and age where encryption is becoming the norm?
> 
> If anyone has any clues, please mail me (privately.)

The problem appears to be that Debian Bookworm regresses the supported
TLS version for DBD::mysql (mariadb) from supporting TLS v1.2 and TLS
v1.3 back to the known-to-be-vulnerable TLS v1.1 !

From what I can tell, under Debian Buster, mariadb was linked against
gnutls. Under Debian Bookworm, at least the "mysql" utility is *not*
dynamically linked against any SSL library, and appears to refer
internally to "yassl" which I can only assume is some home-grown and
if it only supports up to TLS v1.1, insecure implementation of SSL!

Way to go, Debian! That's quite a step backwards in this modern age.

-- 
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel