https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41862 Bug ID: 41862 Summary: Encrypted database connection breaks with update to Debian 12 Initiative type: --- Sponsorship --- status: Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: major Priority: P5 - low Component: Installation and upgrade (command-line installer) Assignee: koha-bugs@lists.koha-community.org Reporter: katrin.fischer@bsz-bw.de QA Contact: testopia@bugs.koha-community.org CC: cornelius.hertfelder@bsz-bw.de, markus.john@bsz-bw.de, tomascohen@gmail.com Depends on: 36026 We are currently using the encrypted database connectionas described in Bug 36026 with Koha 24.11.12 under Debian 11 with no issue When updating to Debian 12 the connection breaks with the error message: DBIx::Class::Storage::DBI::catch {...} (): DBI Connection failed: DBI connect('database=koha_instance;host=ourdbhost.de;port=3306;mysql_ssl=1;mysql_ssl_ca_file=/etc/ssl/certs/harica-ca.pem','koha_kohat',...) failed: SSL connection error: Enforcing SSL encryption is not supported at /usr/share/koha/lib/Koha/Database.pm line 75. at /usr/share/koha/lib/Koha/Database.pm line 123 Some additional information: - Database version: 11.8.3-MariaDB-deb12-log (on separate database server, unchanged by update) - DBD::mysql (4.004 ) 4.050 - DB connection can be established through koha-mysql and mysql/mariadb commands We’ve found a workaround editing Database.pm and adding the mysql_ssl_optional option: if ( $driver eq 'mysql' ) { $attr->{mysql_enable_utf8} = 1; + $attr->{mysql_ssl_optional} = 1; } At the same time enforcing encryption through the database user with: ALTER USER ... REQUIRE SSL; We assume that the problem is in DBD::mysql and is related to the way DBD::mysql (or Koha?) is enforcing SSL on the client side. As the workaround shows, DBD::mysql is still able to start a secure connection if it's not enforced that way. ** Related Debian bug report: https://bugs-devel.debian.org/cgi-bin/bugreport.cgi?bug=1032074 ** $ perl -MDBD::mysql -e 'print "DBD::mysql=", $DBD::mysql::VERSION, "\n"' DBD::mysql=4.050 $ dpkg -l | egrep 'libdbd-mysql-perl|libmariadb|libmysqlclient' ii libdbd-mysql-perl:amd64 4.050-5+b1 amd64 Perl5 database interface to the MariaDB/MySQL database ii libmariadb3:amd64 1:10.11.14-0+deb12u2 amd64 MariaDB database client library We changed nothing on the database server side during the upgrade of the Koha server from Debian 11 to Debian 12. The database server is on Debian 13 already and everything worked well with Koha 24.11 on Debian 11 but it stopped working with Debian 12. Documentation of DBD::mysql suggests this might not be the ideal solution: https://metacpan.org/pod/DBD::mysql 'Setting mysql_ssl_optional to true disables strict SSL enforcement and makes SSL connection optional. This option opens security hole for man-in-the-middle attacks. Default value is false which means that mysql_ssl set to true enforce SSL encryption. This option was introduced in 4.043 version of DBD::mysql. Due to The BACKRONYM and The Riddle vulnerabilities in libmysqlclient library, enforcement of SSL encryption was not possbile and therefore mysql_ssl_optional=1 was effectively set for all DBD::mysql versions prior to 4.043. Starting with 4.043, DBD::mysql with mysql_ssl=1 could refuse connection to MySQL server if underlaying libmysqlclient library is vulnerable. Option mysql_ssl_optional can be used to make SSL connection vulnerable.' Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36026 [Bug 36026] Add TLS MySQL connection without mutual authentication -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.