ProxySQL uses the default cipher after updating ssl_p2s_cipher to ECDHE-ECDSA-AES256-GCM-SHA384

I need to enable SSL only for front-end connections. Sharing the configuration for better clarity.

```
+----------------------+-------------------------------+
| variable_name        | variable_value                |
+----------------------+-------------------------------+
| mysql-ssl_p2s_cipher | ECDHE-ECDSA-AES256-GCM-SHA384 |
+----------------------+-------------------------------+
1 row in set (0.00 sec)

mysql/bin/mysql -uadmin -p -P6032 -h127.0.0.1 -e '\s' | grep -P 'SSL|Connection'
Connection id:          1441
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
Connection:             127.0.0.1 via TCP/IP
```

From this I could see that only the default cipher is used for front-end connections.

On explicitly specifying --ssl --ssl-cipher=ECDHE-ECDSA-AES256-GCM-SHA384 I get the error: SSL connection error: Failed to set ciphers to use.

I am able to connect only with the default cipher.


I verified this. You should open a bug report with ProxySQL github.

```
$ mysql -h app -usbuser -psbPass1234# -BN -e '\s' --ssl-cipher="ECDHE-ECDSA-AES256-GCM-SHA384" | grep -P 'SSL|Connection|Server'
mysql: [Warning] Using a password on the command line interface can be insecure.
mysql  Ver 8.0.28-20 for Linux on x86_64 (Percona Server (GPL), Release 20, Revision fd4b5a776a6)
Connection id:		415
SSL:			Cipher in use is TLS_AES_256_GCM_SHA384
Server version:		5.5.30 (ProxySQL)
Connection:		app via TCP/IP
Server characterset:	utf8mb4
```


```
# mysql -uadmin -padmin -h 127.0.0.1 -P 6032 -e "show variables like '%ssl%'"
mysql: [Warning] Using a password on the command line interface can be insecure.
+-------------------------------------+--------------------------------+
| Variable_name                       | Value                          |
+-------------------------------------+--------------------------------+
| mysql-have_ssl                      | true                           |
| mysql-session_idle_show_processlist | true                           |
| mysql-show_processlist_extended     | 0                              |
| mysql-ssl_p2s_ca                    | /etc/ssl/mysql/ca.pem          |
| mysql-ssl_p2s_capath                |                                |
| mysql-ssl_p2s_cert                  | /etc/ssl/mysql/client-cert.pem |
| mysql-ssl_p2s_key                   | /etc/ssl/mysql/client-key.pem  |
| mysql-ssl_p2s_cipher                | ECDHE-RSA-AES256-SHA           |
| mysql-ssl_p2s_crl                   |                                |
| mysql-ssl_p2s_crlpath               |                                |
+-------------------------------------+--------------------------------+
```

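Two things in the outputs above are worth checking before filing the bug report, and they can be checked offline. The reply's client negotiated TLS_AES_256_GCM_SHA384 even though --ssl-cipher named a different suite: with the MySQL 8.0 client, --ssl-cipher is the OpenSSL cipher list for TLS 1.2 and earlier, while TLS 1.3 suites are governed by the separate --tls-ciphersuites option, so a TLS 1.3 handshake is simply not restricted by it. And ECDHE-ECDSA-AES256-GCM-SHA384 is a TLS 1.2 suite that can only be selected when the server authenticates with an EC (ECDSA) certificate; if the certificate ProxySQL presents is RSA (an assumption here, but the common case for generated certificates), no server could ever pick it. The script below is an added example, not code from this thread or from ProxySQL; it uses Python's ssl module, which sits on OpenSSL just as the mysql client does, to show both effects. The cipher name and the "RSA"/"ECDSA" key types passed to `can_negotiate` are the only inputs, and the function and variable names are this example's own.

```python
"""Inspect what an OpenSSL cipher specification (mysql --ssl-cipher syntax)
actually restricts, and which server key type a suite requires.

Added example for the thread above; not ProxySQL or MySQL code.
"""
import ssl

# Cipher from the thread (configured in mysql-ssl_p2s_cipher and passed as --ssl-cipher).
PAGE_CIPHER = "ECDHE-ECDSA-AES256-GCM-SHA384"

# True when the local OpenSSL build can negotiate TLS 1.3 at all.
TLS13_AVAILABLE = getattr(ssl, "HAS_TLSv1_3", False)


def enabled_ciphers(cipher_spec):
    """Restrict a client context with cipher_spec and return the suites it
    would still offer as (tls13_suites, tls12_and_older_suites).

    set_ciphers() maps to SSL_CTX_set_cipher_list(), which only edits the
    TLS <= 1.2 list; the TLS 1.3 suites stay enabled untouched. It raises
    ssl.SSLError when nothing matches, which is the condition a client reports
    as "Failed to set ciphers to use".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_spec)
    tls13 = [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"]
    older = [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    return tls13, older


def spec_is_rejected(cipher_spec):
    """True when OpenSSL refuses the spec outright (no matching cipher)."""
    try:
        enabled_ciphers(cipher_spec)
    except ssl.SSLError:
        return True
    return False


def server_key_type_required(cipher_name):
    """Key type the server must hold for this suite: 'ECDSA', 'RSA', ... for
    TLS <= 1.2 suites, 'ANY' for TLS 1.3 suites (which do not bind the
    authentication algorithm to the suite name). Read from OpenSSL's per-cipher
    'auth' attribute, e.g. 'auth-ecdsa'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if not cipher_name.startswith("TLS_"):
        # TLS 1.3 names are not part of the cipher-list grammar; only
        # narrow the list for classic names so the requested suite is present.
        ctx.set_ciphers(cipher_name)
    for c in ctx.get_ciphers():
        if c["name"] == cipher_name:
            return c["auth"].replace("auth-", "").upper()
    raise ValueError(f"{cipher_name!r} is not offered by this OpenSSL build")


def can_negotiate(cipher_spec, server_key_type):
    """TLS <= 1.2 suites from cipher_spec that a server holding a key of
    server_key_type ('RSA' or 'ECDSA') could actually pick. An empty result
    means a TLS 1.2 handshake under this spec must fail against that server,
    leaving only TLS 1.3 (if enabled on both sides) as a way to connect."""
    _, older = enabled_ciphers(cipher_spec)
    return [n for n in older
            if server_key_type_required(n) in (server_key_type, "ANY")]


if __name__ == "__main__":
    tls13, older = enabled_ciphers(PAGE_CIPHER)
    print("TLS 1.3 suites still offered (not affected by --ssl-cipher):", tls13)
    print("TLS <= 1.2 suites offered:", older)
    print("server key type required by", PAGE_CIPHER + ":",
          server_key_type_required(PAGE_CIPHER))
    for key_type in ("RSA", "ECDSA"):
        print(f"usable TLS 1.2 suites against an {key_type} server cert:",
              can_negotiate(PAGE_CIPHER, key_type))
    print("'NOT-A-CIPHER' rejected by OpenSSL:", spec_is_rejected("NOT-A-CIPHER"))
```

Run against the thread's cipher, the TLS 1.2 list collapses to exactly ECDHE-ECDSA-AES256-GCM-SHA384 while the TLS 1.3 suites (TLS_AES_256_GCM_SHA384 among them) remain, which matches the reply's `Cipher in use is TLS_AES_256_GCM_SHA384`; against an RSA server certificate the TLS 1.2 list is unusable, so forcing TLS 1.2 (for example with --tls-version=TLSv1.2) would fail the handshake rather than fall back to a default cipher. To confirm what ProxySQL actually presents, check the key type of its front-end certificate before concluding the cipher setting is ignored.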