Showing entries 1 to 10
Displaying posts with tag: openssl
MariaDB itself is NOT affected by the DROWN vulnerability

Recently a serious vulnerability called DROWN was found. It affects systems that still support SSLv2. The flaw is in SSLv2 itself, but it can be used to decrypt sessions made with newer protocols such as TLS whenever a server that still accepts SSLv2 uses the same RSA key. More information about the DROWN vulnerability, CVE number CVE-2016-0800, can be found here: The DROWN attack, Mitre CVE dictionary […]

New in MariaDB Connector/C 3.0 – Part I: SSL

New SSL alternatives: SSL connections in previous versions of MariaDB Connector/C were based on the OpenSSL library. The OpenSSL Heartbleed bug, licensing problems and the lack of support for different transport layers were the main reasons we decided to offer SSL alternatives. In addition to OpenSSL, the following SSL libraries are supported in Connector/C 3.0: GnuTLS […]

MySQL 5.6.23 Overview and Highlights

MySQL 5.6.23 was recently released (it is the latest MySQL 5.6 and is GA), and is available for download here.

For this release, there is 1 “Security Note”, 3 “Functionality Changed”, and 5 “Compilation Notes”, all benign, but let me address them:

  1. Security Note: The linked OpenSSL library for the MySQL Commercial Server has been updated from version 1.0.1j to version 1.0.1k. Issues fixed in the new version are described at
  2. Functionality Changed: Support for the SSL 2.0 and SSL 3.0 protocols has been disabled because they provide weak encryption. (Bug #19820550, Bug #19921150)
  3. Functionality Changed: yaSSL was upgraded to version …
[Read more]
Heartbleed OpenSSL Bug: Impact on ClusterControl Users & Recommendations on How to Protect your Systems

April 10, 2014 By Severalnines


In the wake of recent concerns and debates raised around the Heartbleed bug, we wanted to update Severalnines ClusterControl users on any impact this bug might have on ClusterControl & associated databases and/or applications.

If your ClusterControl web application has been reachable from the internet, then most likely you have also been exposed to the Heartbleed OpenSSL security bug; see the Heartbleed advisory for more details.

By default, our database deployment script enables SSL encryption for the Apache web server on the Controller host with a generated private SSL key and a self-signed certificate. SSL encryption is used between the UI and the Controller REST API if you have clusters added with HTTPS, which we do by default. The content that is …

[Read more]
OpenSSL heartbleed CVE-2014-0160 – Data leaks make my heart bleed

The heartbleed bug was introduced in OpenSSL 1.0.1 and is present in

  • 1.0.1
  • 1.0.1a
  • 1.0.1b
  • 1.0.1c
  • 1.0.1d
  • 1.0.1e
  • 1.0.1f

The bug is not present in 1.0.1g, nor is it present in the 1.0.0 or 0.9.8 branches of OpenSSL. Some sources report that 1.0.2-beta is also affected by this bug at the time of writing; however, it is a beta product, and I would strongly recommend not using beta-quality releases for something as fundamentally important as OpenSSL in production.

The bug itself is within the heartbeat extension of OpenSSL (RFC 6520). The payload length in a heartbeat message is a 16-bit field, so the bug allows an attacker to read process memory in chunks of up to 64 KB per request. This does not mean the data that can be leaked is limited to 64 KB: the attacker can abuse the bug repeatedly to leak more memory, until they are satisfied with what has been …
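
The over-read described above, as an added example that is not OpenSSL's code: a toy heartbeat handler in the shape of the vulnerable routine next to one with the 1.0.1g bounds check. The `slab` array standing in for process memory, the `SECRET:` string placed behind the record, and the function names are all constructed for this example; nothing here is captured traffic or library code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 * The receiver must echo the payload back in a HeartbeatResponse. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HDR = 3, HB_PADDING = 16 };

/* Stand-in for process memory: the received record is at the front, and data that
 * a correct handler must never touch sits right behind it (constructed, not captured). */
#define SLAB_SIZE 256
#define SECRET_OFFSET 32
static unsigned char slab[SLAB_SIZE];

typedef int (*hb_handler)(const unsigned char *, size_t, unsigned char *, size_t *);

/* Build a request carrying the 4-byte payload "ping" whose length field claims
 * claimed_len bytes. Returns the number of bytes actually received, which is what
 * the record layer hands to the heartbeat handler. */
static size_t build_slab(uint16_t claimed_len) {
    static const char secret[] = "SECRET: password=hunter2 sessionkey=deadbeef";
    memset(slab, 'P', sizeof slab);
    slab[0] = HB_REQUEST;
    slab[1] = (unsigned char)(claimed_len >> 8);
    slab[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(slab + HB_HDR, "ping", 4);
    memset(slab + HB_HDR + 4, 0, HB_PADDING);
    memcpy(slab + SECRET_OFFSET, secret, sizeof secret - 1);   /* "adjacent" heap data */
    return HB_HDR + 4 + HB_PADDING;                             /* 23 bytes on the wire */
}

/* Models the pre-1.0.1g handler: it trusts payload_length from the wire and copies that
 * many bytes, never asking how many bytes the record actually contained. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t *out_len) {
    (void)rec_len;                                   /* never consulted: that is the bug */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload_len = (size_t)((rec[1] << 8) | rec[2]);
    /* Only keeps this simulation inside `slab`; the real code had no such limit. */
    if (HB_HDR + payload_len + HB_PADDING > SLAB_SIZE) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload_len);  /* reads past the real record */
    memset(out + HB_HDR + payload_len, 0, HB_PADDING);
    *out_len = HB_HDR + payload_len + HB_PADDING;
    return 0;
}

/* Models the 1.0.1g fix: a record too short to hold the claimed payload plus the
 * minimum padding is silently discarded, so nothing beyond the received bytes is read. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t *out_len) {
    if (rec_len < HB_HDR + HB_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload_len = (size_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR + payload_len + HB_PADDING > rec_len) return -1;   /* the missing check */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload_len);
    memset(out + HB_HDR + payload_len, 0, HB_PADDING);
    *out_len = HB_HDR + payload_len + HB_PADDING;
    return 0;
}

/* Feed a request claiming claimed_len bytes to handler. Returns 1 if the response
 * contains needle, 0 if it does not, -1 if the handler discarded the request. */
int leaks(hb_handler handler, uint16_t claimed_len, const char *needle) {
    unsigned char out[SLAB_SIZE];
    size_t out_len = 0, n = strlen(needle);
    size_t rec_len = build_slab(claimed_len);
    if (handler(slab, rec_len, out, &out_len) != 0) return -1;
    for (size_t i = 0; i + n <= out_len; i++)
        if (memcmp(out + i, needle, n) == 0) return 1;
    return 0;
}

int main(void) {
    printf("vulnerable, 4 sent / 64 claimed, secret echoed: %d\n",
           leaks(heartbeat_vulnerable, 64, "password=hunter2"));
    printf("fixed, 4 sent / 64 claimed: %d (discarded)\n",
           leaks(heartbeat_fixed, 64, "password=hunter2"));
    printf("fixed, 4 sent / 4 claimed, ping echoed: %d\n",
           leaks(heartbeat_fixed, 4, "ping"));
    return 0;
}
```

The request that leaks sends four bytes of payload but claims 64; the vulnerable handler echoes 64 bytes starting at the payload and so returns whatever followed the record in memory. The fixed handler compares the claim against the bytes actually received and drops the record. With an honest length both handlers behave identically, which is why the bug went unnoticed in normal use.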

[Read more]
Setting up MySQL SSL on Multiple Machines

Managing SSL certificates for MySQL can be somewhat of a pain, especially when setting it up on multiple machines.

I looked around on the web, and didn’t really run into any mentions of how to do this for multiple machines, so I dug into it a bit more.

If you’ve created the certificates before, you’ll know you get prompted for various bits of information during a couple of the steps (country, state, email).

However, this can be bypassed by using the -batch option with the openssl command.

So, to set this up for multiple servers, just loop through the following 5 commands for your servers:

cd C:\mysql\certs
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -batch -key ca-key.pem > ca-cert.pem
openssl req -newkey rsa:2048 -days 3600 -batch -nodes -keyout server-key.pem >
openssl x509 -req -in server-req.pem -days 3600 -CA ca-cert.pem
        -CAkey …
[Read more]
Setting Up SSL For MySQL

I often get asked how to set up and use SSL with MySQL, especially on Windows – I think largely because the manual step-by-step is more geared towards Linux users (though this “how-to” is valid for all – anyone can copy/paste the commands after changing the paths).

So I’ve compiled a concise, yet comprehensive, how-to that I wanted to share with everyone out there who wants to set this up quickly and efficiently.

And for those who haven’t done it, setting up SSL can often seem intimidating, so I want to dispel that myth while I’m at it, and show you how quick and easy it can be to set up SSL for MySQL.

For one, I should mention that I’m using a version where SSL is ‘available’, just ‘DISABLED’ (some versions can be compiled without SSL support, so those would not work):

mysql> show global …
[Read more]
How to test the plain and encrypted SMTP/POP3/IMAP and HTTP protocols

In this article I will describe how to test the plain and the encrypted SMTP/POP3/IMAP and HTTP protocols with telnet and the openssl s_client command.

List of references

For a complete list of the commands available in each of these protocols, please check the RFCs:

SMTP: sending mail

In the first example I will open a telnet connection to an SMTP server on …

[Read more]

I found myself with some spare time the other day and decided that my current mysql backup strategy is not the best in the world. The mysql server is a virtual machine in a Brisbane datacenter and it's backed up via a script that calls mysqldump on each installed database and dumps the content to (compressed) files. These files then get sucked down via rdiff-backup.

This is fine in principle, but it does mean it's possible for me to lose 24 hours' worth of data due to an accidental '--; DROP table students.

A more ideal way would be for the remote sql server to replicate to a local one, on which I can run mysqldump more often without affecting web site performance. (Replication would replicate the DROP table statement too.. :-)

With a bit of a confluence of attending three days of OpenQuery mysql training and needing to regenerate all ssl keys, I thought I should …

[Read more]
LAMP: The mailing lists you *SHOULD* be subscribed to.

The LAMP stack consists of some complicated software, and this software from time to time will develop faults and security flaws. How do you keep yourself informed? Hope that the issues crop up on Digg, Slashdot? Well the best way is to join the Announce lists for each of the LAMP stack components.

The Announce lists are used by the developers of the different components of the LAMP stack to keep users informed of important events, like when a security flaw emerges or a new version of their software is released, etc.

The lists

The first one depends on the GNU/Linux distribution you're running; in my case it is Archlinux, so I've subscribed to:

Next in the LAMP stack is Apache, and you can find its …

[Read more]