I can't connect to MariaDB via ssl: no cipher match 0x80090331 (SEC_E_ALGORITHM_MISMATCH)

gurianoff posted 8 months ago in Creating a connection

Hello. I can't connect to MariaDB via ssl. I'm getting an answer: SSL connection error: no cipher match. Error 0x80090331 (SEC_E_ALGORITHM_MISMATCH).

I tried to enter the data in the "SSL cipher" field, tried to find at least some information on the Internet, but nothing helped. The problem is either in the TLS version or in the fact that the certificate is self-signed. Please help solve the problem.

MariaDB 10.11.6, HeidiSQL 12.7.0.6853 (64 bit), Windows 11 Build 22000

gurianoff posted 8 months ago

I also tried to connect via MySQL WorkBench - everything connected well without additional manipulations. I couldn't find any difference in the connection settings between the programs.

ansgar posted 8 months ago

At least you're not alone:

v12.7 comes with the latest libmariadb.dll connector library. Can you please check if that's the one you have set in your HeidiSQL session? (not libmysql*)

gurianoff posted 8 months ago

Oh, thanks for the other links, I didn't see these posts. Yes, it is libmariadb.dll that is installed; when I select libmysql.dll (or libmysql-6.1.dll) I get: "SSL connection error: unable to get private key".

In fact, I encountered this problem a few years ago, but then I decided to just switch to using MySQLWorkbench, but now I would like to stay with Heidi.

ansgar posted 8 months ago

I pushed a change which may have some effect here. But I'm unsure. Please test the next build 6856.

However, if you can, let us please do further reports and tests in issue #1768. The reporter already hacked into the MySQL connection using Wireshark, which I find quite useful.

gurianoff posted 8 months ago

Unfortunately, 6856 did not solve the problem.

I don't know as much as the person in the post above. Therefore, if you tell me what information you need, I will try to provide it. I didn’t use Wireshark and don’t know the details, but I tried to attach data similar to the data from your message. However, I couldn't find the Client Key Exchange section no matter how hard I tried. Perhaps I was looking in the wrong place. If possible, tell me how I can find this place? Perhaps this section appears at SES_LEVEL -1, but I have not yet been able to configure it on the server side. If this is an important point, please let me know and I will try to fulfill this and provide more information. Thank you for your help.

3 attachment(s):
  • 1
  • 2
  • 3

gurianoff posted 8 months ago

This is what I was able to get at the moment

2 attachment(s):
  • 4
  • 5

ansgar posted 8 months ago

I pushed another modification, which you could give a try (build 6858). Two things changed here:

  • mysql_ssl_set() is deprecated, and it was anyway a convenience function. Next builds set SSL options using mysql_options() and the various MYSQL_OPT_SSL_* options
  • Converted one suspicious ANSI string to a pointer, for MYSQL_OPT_TLS_VERSION

gurianoff posted 8 months ago

I ran 6858 and the problem is still here. If necessary, I could give access to my PC so that you can collect the necessary logs or perform debugging.

ansgar posted 8 months ago

It would indeed be good to have an SSL-enabled server to which I could connect with HeidiSQL. Probably you could give me (restricted) access to your MariaDB 10 server? You can contact me by mail, see my address on the imprint page.

ansgar posted 8 months ago

Thank you for sending credentials to that MariaDB server.

I just tried a few things in the connection code, but with no luck.

Could it be we're having a server side issue with OpenSSL, like written in CONC-527?

However, his proposed workaround was to lower the security level using SECLEVEL=1 on such servers, so the handshake decides for (insecure) rsa_pkcs1_sha1 or similar.

ansgar posted 8 months ago

I think I got it now. There were two issues, one of them is that older libmysql and all libmariadb are not able to connect to newer SSL-enabled servers. This issue is not in HeidiSQL itself. That's why I just added libmysql from MySQL 8.4.0 to the nightly built installer.

The other issue was in HeidiSQL, and caused it not to work even with that newer libmysql. This was due to some wrong offsets in the mysql_options() constants, like MYSQL_OPT_USE_REMOTE_CONNECTION. Some of these were removed in MySQL 8, and HeidiSQL still worked with the old offsets.

You can download the nightly built installer to get the newer libmysql:

Please report back if that now works.

@gurianoff: I could not reach your MySQL server for a few days. Justin helped me out with his SSL-enabled server. Thanks to both of you!
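
An added illustration of the second issue described in the post above (not part of the thread and not HeidiSQL's code): when an entry is removed from the option enum, every later ordinal shifts, so a caller that hard-codes the old numbers sets a different option than it intends. The two layouts are constructed and abridged; the names are real client options but the ordinals are not the real `mysql.h` values, and `library_sees`, `resolve` and `audit_hardcoded_ordinals` are hypothetical helpers.

```c
#include <stdio.h>
#include <string.h>

/* Constructed, abridged layouts in enum order (array index = ordinal).
   The names are real client options; the ordinals are NOT the real
   mysql.h values. */
static const char *OLD_LAYOUT[] = {
    "MYSQL_OPT_USE_RESULT", "MYSQL_OPT_USE_REMOTE_CONNECTION", /* removed later */
    "MYSQL_OPT_RECONNECT", "MYSQL_OPT_SSL_KEY", "MYSQL_OPT_SSL_CERT",
    "MYSQL_OPT_SSL_CA", "MYSQL_OPT_SSL_CIPHER", "MYSQL_OPT_TLS_VERSION",
};
static const char *NEW_LAYOUT[] = {
    "MYSQL_OPT_USE_RESULT", "MYSQL_OPT_RECONNECT", "MYSQL_OPT_SSL_KEY",
    "MYSQL_OPT_SSL_CERT", "MYSQL_OPT_SSL_CA", "MYSQL_OPT_SSL_CIPHER",
    "MYSQL_OPT_TLS_VERSION",
};
#define COUNT(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* Option that a library built from NEW_LAYOUT applies for a given ordinal. */
const char *library_sees(int ordinal) {
    if (ordinal < 0 || ordinal >= COUNT(NEW_LAYOUT)) return "(unknown option)";
    return NEW_LAYOUT[ordinal];
}

/* Fix: take the ordinal from the layout of the library actually loaded. */
int resolve(const char *name) {
    for (int i = 0; i < COUNT(NEW_LAYOUT); i++)
        if (strcmp(NEW_LAYOUT[i], name) == 0) return i;
    return -1; /* option does not exist in this library version */
}

/* Count options a caller with hard-coded OLD_LAYOUT ordinals would mis-set. */
int audit_hardcoded_ordinals(void) {
    int bad = 0;
    for (int i = 0; i < COUNT(OLD_LAYOUT); i++) {
        const char *seen = library_sees(i);
        if (strcmp(seen, OLD_LAYOUT[i]) == 0) continue;
        printf("%-32s sent as %d, applied as %s\n", OLD_LAYOUT[i], i, seen);
        bad++;
    }
    return bad;
}

int main(void) {
    printf("%d mis-set; MYSQL_OPT_SSL_KEY is now ordinal %d\n",
           audit_hardcoded_ordinals(), resolve("MYSQL_OPT_SSL_KEY"));
    return 0;
}
```

In this constructed layout every option after the removed entry is misapplied, including all of the TLS settings, which is why such a mismatch can surface as a handshake error rather than as an obvious option failure.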

gurianoff posted 8 months ago

It really worked! Thank you very much for continuing to support the product and helping solve problems! You are awesome!

nicolaus.busch posted 6 months ago

Hi ansgar

We have exactly the same problem on a brand new machine with Ubuntu 22 and MariaDB 10. I have updated HeidiSQL on Windows 11 to 12.8.0.6908, but I still get the same error 0x80090331. Testing locally via console shows that SSL is working, also we can establish a connection using other tools with cipher='DHE-RSA-AES256-SHA'. If we set the SECLEVEL to minimum things work, but that is not really an option outside of testing.

ansgar posted 6 months ago

nicolaus.busch please note v12.8 comes with a newer libmysql 8.4 which you should give a try here.

Also, watch out if lowering the new certificate verification option changes anything here.

nicolaus.busch posted 6 months ago

Ansgar, kudos to you, now I'm in. I got it working changing two things: using libmysql 8.4 instead of libmaria and also the "Verify CA (insecure)" setting which absolutely makes sense here because it's a self-signed certificate. Fantastic support, thank you!
