Bug #40141 Unable to establish SSL connection from community-release MySQL client to RH M
Submitted: 19 Oct 2008 12:48 Modified: 26 Apr 2012 19:53
Reporter: Nenad Opsenica Email Updates:
Status: Duplicate Impact on me: None
Category:MySQL Server Severity:S1 (Critical)
Version:5.0.45, 5.0.67, 5.5.19 OS:Any (RedHat Linux, Windows)
Assigned to: CPU Architecture:Any
Tags: Contribution, redhat, SSL

[19 Oct 2008 12:48] Nenad Opsenica
Description:
This bug is also reported on RedHat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=467524

Description of problem:

It is not possible to establish an SSL connection from a community-release MySQL
client (downloaded from the MySQL site) to a RH MySQL server. Neither the Linux nor the Windows
community MySQL release is able to establish an SSL connection to a RHEL5
based MySQL server; the connection attempt ends with "ERROR 2026 (HY000): SSL
connection error".

It is possible to connect from RH MySQL client to RH MySQL server; 
it is possible to connect from community client to community server; 
it is possible to connect from RH client to community server; 
it is NOT possible to establish SSL connection from community client to RH
server.

Version-Release number of selected component (if applicable):
RH server and/or client: mysql-server-5.0.45-7.el5 (mysql-5.0.45-7.el5)
Community server and/or client: MySQL-server-community-5.0.67-0.rhel5
(MySQL-client-community-5.0.67-0.rhel5); on Windows
mysql-essential-5.0.67-win32.msi

The same thing happens with 5.0.45 community release on Windows
(mysql-essential-5.0.45-win32.msi)

How to repeat:
1. Install mysql-server-5.0.45-7.el5 (RedHat package)
2. Configure SSL - create test CA and generate certificate
(http://dev.mysql.com/doc/refman/5.0/en/secure-using-ssl.html)
3. Install community MySQL-client-community-5.0.67-0.rhel5 (MySQL
site/community downloads)
4. Try to establish SSL connection from community client to RH server

Actual results:
# mysql -h mysql_server_host -p --ssl-ca ~/temp/root-ca.pem
Enter password:
ERROR 2026 (HY000): SSL connection error

Expected results:
# mysql -h mysql_server_host -p --ssl-ca ~/temp/root-ca.pem
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 23
Server version: 5.0.......
...
mysql> \s
...
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
...
[19 Oct 2008 16:19] Valeriy Kravchuk
Thank you for the problem report. Please check the results of

mysqlbug

from RedHat's 5.0.45 server. I need the configure command line used to build it.
[20 Oct 2008 14:38] Nenad Opsenica
Output from mysqlbug on the RedHat EL5 (CentOS 5.2) server:

>Release:	mysql-5.0.45 (Source distribution)
>Server: /usr/bin/mysqladmin  Ver 8.41 Distrib 5.0.45, for redhat-linux-gnu on i686
Copyright (C) 2000-2006 MySQL AB
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL license

Server version		5.0.45-log
Protocol version	10
Connection		Localhost via UNIX socket
UNIX socket		/var/lib/mysql/mysql.sock
Uptime:			4 min 11 sec

Threads: 1  Questions: 8  Slow queries: 0  Opens: 11  Flush tables: 1  Open tables: 5  Queries per second avg: 0.032
>C compiler:    gcc (GCC) 4.1.2 20070626 (Red Hat 4.1.2-14)
>C++ compiler:  g++ (GCC) 4.1.2 20070626 (Red Hat 4.1.2-14)
>Environment:
	<machine, os, target, libraries (multiple lines)>
System: Linux jakovljevic.noc.panline.net 2.6.18-53.1.21.el5 #1 SMP Wed May 28 23:06:10 CEST 2008 i686 athlon i386 GNU/Linux
Architecture: i686

Some paths:  /usr/bin/perl /usr/bin/make /usr/bin/gmake /usr/bin/gcc /usr/bin/cc
GCC: Using built-in specs.
Target: i386-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-libgcj-multifile --enable-languages=c,c++,objc,obj-c++,java,fortran,ada --enable-java-awt=gtk --disable-dssi --enable-plugin --with-java-home=/usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/jre --with-cpu=generic --host=i386-redhat-linux
Thread model: posix
gcc version 4.1.2 20070626 (Red Hat 4.1.2-14)
Compilation info: CC='gcc'  CFLAGS='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -fno-strict-aliasing -fwrapv'  CXX='g++'  CXXFLAGS='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -fno-strict-aliasing -fwrapv -fno-rtti -fno-exceptions'  LDFLAGS=''  ASFLAGS=''
LIBC: 
lrwxrwxrwx 1 root root 11 Feb  3  2008 /lib/libc.so.6 -> libc-2.5.so
-rwxr-xr-x 1 root root 1476244 Nov 13  2003 /lib/libc-2.3.2.so
-rwxr-xr-x 1 root root 1589908 Dec  1  2007 /lib/libc-2.5.so
-rw-r--r-- 1 root root 2789404 Nov 30  2007 /usr/lib/libc.a
-rw-r--r-- 1 root root 238 Nov 30  2007 /usr/lib/libc.so
Configure command: ./configure '--build=i686-redhat-linux-gnu' '--host=i686-redhat-linux-gnu' '--target=i386-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-readline' '--with-openssl' '--without-debug' '--enable-shared' '--with-bench' '--localstatedir=/var/lib/mysql' '--with-unix-socket-path=/var/lib/mysql/mysql.sock' '--with-mysqld-user=mysql' '--with-extra-charsets=all' '--with-innodb' '--with-berkeley-db' '--enable-local-infile' '--enable-largefile' '--enable-thread-safe-client' '--disable-dependency-tracking' '--with-named-thread-libs=-lpthread' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -fno-strict-aliasing -fwrapv' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -fno-strict-aliasing -fwrapv -fno-rtti -fno-exceptions' 'FFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables' 'build_alias=i686-redhat-linux-gnu' 'host_alias=i686-redhat-linux-gnu' 'target_alias=i386-redhat-linux-gnu'
[21 Oct 2008 9:09] Valeriy Kravchuk
As OpenSSL is used in RedHat's binaries, it is likely a duplicate of bug #33050. That bug is fixed in 5.0.58 and up. So, please upgrade the server to 5.0.67.
[22 Oct 2008 15:13] [ name withheld ]
No, this is not a duplicate; or at least, updating to 5.0.67 does not fix it. I built 5.0.67 using --with-yassl and another copy identically configured except using --with-openssl (the latter is identical to the current Fedora RPMs). The yassl client will not successfully connect to the openssl server when attempting SSL, just as described by the OP. yassl-to-yassl and openssl-to-openssl work fine (I did not try the fourth combination). I'm still of the opinion that this is probably a yassl bug/incompatibility.

Tested on reasonably up-to-date Fedora 9 x86_64 system, with openssl-0.9.8g-9.fc9.x86_64
[11 Jan 2012 13:58] Honza Horak
Hi, I can confirm this bug is still not solved in the present version 5.5.19, but I've found a solution. This is what actually happens:

RFC 2246 (The TLS Protocol Version 1.0) says (section 7.4.6.): "If no suitable certificate is available, the client should send a certificate message containing no certificates."

However, the yaSSL implementation doesn't send this message at all, while OpenSSL expects the message (at least an empty one).

I've prepared a patch that fixes it, so that a client compiled with yaSSL is able to establish SSL communication with a server compiled with OpenSSL (will be attached later).

Please re-open this bug, or should I file a new bug report?
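As an added illustration of the handshake behaviour Honza describes (example code, not part of the bug report or of the attached patch): a small Python parser over unencrypted TLS 1.0 handshake records that, given the server's flight and the client's reply, reports whether the client answered a CertificateRequest with a Certificate message (possibly empty, as RFC 2246 section 7.4.6 requires) or skipped straight to ClientKeyExchange. The handshake bytes are constructed samples, and a handshake message fragmented across records is not reassembled.

```python
import struct

TLS_HANDSHAKE = 0x16           # record content type
TLS10 = 0x0301                 # record version for TLS 1.0 (RFC 2246)
HS_CERTIFICATE = 11
HS_CERTIFICATE_REQUEST = 13
HS_SERVER_HELLO_DONE = 14
HS_CLIENT_KEY_EXCHANGE = 16

def parse_handshake_messages(data):
    """Split unencrypted TLS records into (handshake_type, body) pairs.
    Simplification: a handshake message split across records is not reassembled."""
    msgs, pos = [], 0
    while pos < len(data):
        ctype, _ver, rlen = struct.unpack_from("!BHH", data, pos)
        frag, pos = data[pos + 5:pos + 5 + rlen], pos + 5 + rlen
        if ctype != TLS_HANDSHAKE:
            continue  # ChangeCipherSpec, alerts etc. do not matter here
        off = 0
        while off + 4 <= len(frag):
            hlen = int.from_bytes(frag[off + 1:off + 4], "big")
            msgs.append((frag[off], frag[off + 4:off + 4 + hlen]))
            off += 4 + hlen
    return msgs

def check_client_certificate_response(server_msgs, client_msgs):
    """Return 'not_requested', 'empty_certificate' (RFC 2246 7.4.6 behaviour),
    'certificate', or 'missing' (client skipped the Certificate message, which is
    what an OpenSSL server rejects and the yaSSL behaviour described in this report)."""
    if not any(t == HS_CERTIFICATE_REQUEST for t, _ in server_msgs):
        return "not_requested"
    for htype, body in client_msgs:
        if htype == HS_CERTIFICATE:
            return "empty_certificate" if int.from_bytes(body[:3], "big") == 0 else "certificate"
        if htype == HS_CLIENT_KEY_EXCHANGE:
            break
    return "missing"

def record(*handshake_msgs):
    """Wrap (type, body) handshake messages into one TLS 1.0 handshake record."""
    frag = b"".join(bytes([t]) + len(b).to_bytes(3, "big") + b for t, b in handshake_msgs)
    return struct.pack("!BHH", TLS_HANDSHAKE, TLS10, len(frag)) + frag

# Constructed samples (not captured traffic). Server: CertificateRequest (rsa_sign, empty DN list), ServerHelloDone.
SERVER_FLIGHT = record((HS_CERTIFICATE_REQUEST, b"\x01\x01\x00\x00"), (HS_SERVER_HELLO_DONE, b""))
# Client without a certificate, RFC-compliant: empty Certificate (list length 0), then ClientKeyExchange.
CLIENT_COMPLIANT = record((HS_CERTIFICATE, b"\x00\x00\x00"), (HS_CLIENT_KEY_EXCHANGE, b"\x00\x02\xaa\xbb"))
# Client behaving as the report describes for yaSSL: no Certificate message at all.
CLIENT_NO_CERT_MSG = record((HS_CLIENT_KEY_EXCHANGE, b"\x00\x02\xaa\xbb"))
```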
[11 Jan 2012 13:59] Honza Horak
Proposed patch: yaSSL should send a message with no certificates

Attachment: mysql-yassl-cert.patch (text/x-patch), 1.94 KiB.

[28 Feb 2012 14:41] Honza Horak
Related to #29841 (maybe duplicate).
[26 Apr 2012 19:53] Sveta Smirnova
Honza,

Thank you for the feedback. Yes, this is a duplicate of bug #29841. I will add a link to your patch in that report.