Bug #29841 OpenSSL-server will not allow YaSSL-clients without certificate
Submitted: 17 Jul 2007 11:20
Reporter: Domas Mituzas
Status: Verified
Category: Server: General
Severity: S3 (Non-critical)
Version: 5.0-bk, 5.1-bk
OS: Any
Assigned to:
Target Version:
Tags: openssl, SSL, yassl
Triage: Triaged: D3 (Medium)

[17 Jul 2007 11:20] Domas Mituzas
Description:
Offspring from Bug#29753

Even if no grants require a client certificate, OpenSSL'ish SSL support in MySQL will
reject connections from clients with no certificate:

$ mysql --ssl-ca=...

T@5    : | | <vio_init
T@5    : | | info: ssl: 0x350e170  timeout: 5
T@5    : | | error: SSL_accept failure
T@5    : | | >report_errors
T@5    : | | | error: OpenSSL: error:140890E9:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:tls peer did not respond with certificate list:s3_srvr.c:1930:

T@5    : | | | error: error: error:00000005:lib(0):func(0):DH lib
T@5    : | | | info: socket_errno: 0
T@5    : | | <report_errors

This is the opposite of YaSSL, which allows such connections unless key requirements are
set in the GRANT statement.

How to repeat:
-

Suggested fix:
-
[17 Jul 2007 11:31] Domas Mituzas
Apparently that happens when connecting with a YaSSL client. An OpenSSL client without
certificates works.
[7 Jan 15:02] Piotr Czachur
I can confirm that.

Server (5.0.68-log) compiled with openssl.

Client (compiled with openssl):
mysql -u slave -h foobar -p --ssl-ca=/dev/null
Enter password: 
Welcome to the MySQL monitor.
Your MySQL connection id is 14
...

Client (compiled with yassl):
mysql -u slave -h foobar -p --ssl-ca=/dev/null
Enter password:
ERROR 2026 (HY000): SSL connection error

Simply wrong.

What I want to add is that debugging of SSL connection errors in MySQL is damn hard.
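The error in the trace is OpenSSL's complaint that a TLS client answered its CertificateRequest by omitting the Certificate message altogether, where TLS requires an empty certificate list; the server had only requested a certificate, which is why the OpenSSL client in the later comment, which sends the empty list, connects. Whether a certificate-less but protocol-conformant client is admitted is then the server's verify policy (in OpenSSL, SSL_VERIFY_PEER alone requests a certificate, SSL_VERIFY_FAIL_IF_NO_PEER_CERT also requires one), separate from any GRANT ... REQUIRE check; the Go program below is an added example, not MySQL or yaSSL code, that runs both policies with crypto/tls against a conformant client on loopback (it shows the policy distinction, not yaSSL's omitted message). The self-signed localhost certificate, the loopback port and the function name are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// HandshakeWithoutClientCert runs one TLS handshake on loopback: the server enforces the given
// client-auth policy; the client verifies the server but, like the YaSSL client in the report,
// has no certificate to offer. It reports whether the server accepted the connection.
func HandshakeWithoutClientCert(policy tls.ClientAuthType) (bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // throwaway key for a self-signed cert, built for this example
	if err != nil {
		return false, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"}, NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return false, err
	}
	leaf, _ := x509.ParseCertificate(der) // cannot fail: der was produced just above
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	srvConf := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}, ClientAuth: policy, ClientCAs: pool}
	cliConf := &tls.Config{RootCAs: pool, ServerName: "localhost"} // no Certificates: nothing to present
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvConf)
	if err != nil {
		return false, err
	}
	defer ln.Close()
	done := make(chan struct{})
	go func() { // client side; the verdict is taken from the server side below
		defer close(done)
		if cli, err := tls.Dial("tcp", ln.Addr().String(), cliConf); err == nil {
			cli.Read(make([]byte, 1)) // wait for the server's verdict: alert or close_notify
			cli.Close()
		}
	}()
	conn, err := ln.Accept()
	if err != nil {
		return false, err
	}
	srvErr := conn.(*tls.Conn).Handshake() // RequireAndVerifyClientCert fails: "tls: client didn't provide a certificate"
	conn.Close()
	<-done
	return srvErr == nil, nil
}
```

Run with tls.RequireAndVerifyClientCert the handshake is refused; with tls.VerifyClientCertIfGiven or tls.NoClientCert the same certificate-less client is admitted, and any REQUIRE X509 style decision would have to be taken after the handshake.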