SSL compression doesn't work

Description

OpenSSL changed the default to "no compression" due to the CRIME/BREACH exploits that depended on information leakage due to compression.

However, the Galera code was not updated to enable compression if specified.

Affects both 5.6 and 5.7

 

$ nmap -sT -PN -p 4130 192.168.86.105 --script ./ssl-enum-ciphers.nse

Starting Nmap 7.01 ( https://nmap.org ) at 2017-06-13 08:17 PDT
Nmap scan report for 192.168.86.105
Host is up (0.000088s latency).
PORT     STATE SERVICE
4130/tcp open  unknown
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 4.50 seconds
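
An added example, not part of the original ticket: a check that parses ssl-enum-ciphers output like the scan above and reports every protocol version on which the server offers a TLS compressor other than NULL. The function names and the DEFLATE entry in the sample are constructed for illustration.

```python
import re

# Constructed sample in the layout of nmap's ssl-enum-ciphers output.
# The DEFLATE line is hypothetical, added to exercise the non-NULL case.
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: indeterminate
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       DEFLATE
|       NULL
|_  least strength: A
"""

PROTO = re.compile(r"^(SSLv\d|TLSv\d(?:\.\d)?):$")

def compressors_by_protocol(text):
    """Return {protocol: [compressor, ...]} parsed from the script output."""
    result, proto, in_comp = {}, None, False
    for raw in text.splitlines():
        line = raw.lstrip("|_ \t").rstrip()   # drop nmap's tree prefix
        if not line:
            continue                          # tolerate blank-line-padded pastes
        m = PROTO.match(line)
        if m:                                 # new protocol block
            proto, in_comp = m.group(1), False
            result[proto] = []
        elif line == "compressors:":
            in_comp = proto is not None
        elif ":" in line:                     # any other key ends the list
            in_comp = False
        elif in_comp:
            result[proto].append(line)
    return result

def compression_findings(text):
    """List (protocol, compressor) pairs where TLS compression is offered."""
    return [(p, c) for p, cs in compressors_by_protocol(text).items()
            for c in cs if c.upper() != "NULL"]

if __name__ == "__main__":
    for proto, comp in compression_findings(SAMPLE):
        print(f"{proto}: server offers TLS compression ({comp})")
```
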

Environment

None

Activity

Julia Vural March 4, 2025 at 9:28 PM

It appears that this issue is no longer being worked on, so we are closing it for housekeeping purposes. If you believe the issue still exists, please open a new ticket after confirming it's present in the latest release.

Vlad Lasky July 8, 2021 at 6:33 AM

I'm using Percona XtraDB Cluster 8.0.23-14.1 and also cannot get SSL compression enabled, no matter what cipher I try.

XtraDB Cluster is generating a lot of traffic between nodes. We really need to reduce this by having SSL compression enabled.

Can we please make the changes needed to re-enable support?

I'm also aware of the CRIME/BREACH exploits, but I think they are mainly a concern for HTTPS web servers on the public Internet that accept requests from anyone and not for this application that involves private communication between XtraDB nodes.

Thanks.

Won't Do

Created June 13, 2017 at 3:19 PM
Updated March 4, 2025 at 9:28 PM
Resolved March 4, 2025 at 9:28 PM