Bug #40141 Unable to establish SSL connection from community-release MySQL client to RH M
Submitted: 19 Oct 2008 14:48 Modified: 21 Oct 2008 11:09
Reporter: Nenad Opsenica
Status: Duplicate
Category: Server  Severity: S1 (Critical)
Version: 5.0.45, 5.0.67  OS: Any (RedHat Linux, Windows)
Assigned to: Target Version:
Tags: SSL, redhat

[19 Oct 2008 14:48] Nenad Opsenica
Description:
This bug is also reported on RedHat bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=467524

Description of problem:

It is not possible to establish an SSL connection from a community-release MySQL
client (downloaded from the MySQL site) to an RH MySQL server. Both Linux and Windows
community MySQL releases are unable to establish an SSL connection to a RHEL5
based MySQL server; the connection attempt ends with "ERROR 2026 (HY000): SSL
connection error".

It is possible to connect from RH MySQL client to RH MySQL server; 
it is possible to connect from community client to community server; 
it is possible to connect from RH client to community server; 
it is NOT possible to establish SSL connection from community client to RH
server.

Version-Release number of selected component (if applicable):
RH server and/or client: mysql-server-5.0.45-7.el5 (mysql-5.0.45-7.el5)
Community server and/or client: MySQL-server-community-5.0.67-0.rhel5
(MySQL-client-community-5.0.67-0.rhel5); on Windows
mysql-essential-5.0.67-win32.msi

The same thing happens with 5.0.45 community release on Windows
(mysql-essential-5.0.45-win32.msi)

How to repeat:
1. Install mysql-server-5.0.45-7.el5 (RedHat package)
2. Configure SSL - create test CA and generate certificate
(http://dev.mysql.com/doc/refman/5.0/en/secure-using-ssl.html)
3. Install community MySQL-client-community-5.0.67-0.rhel5 (MySQL
site/community downloads)
4. Try to establish SSL connection from community client to RH server

Actual results:
# mysql -h mysql_server_host -p --ssl-ca ~/temp/root-ca.pem
Enter password:
ERROR 2026 (HY000): SSL connection error

Expected results:
# mysql -h mysql_server_host -p --ssl-ca ~/temp/root-ca.pem
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 23
Server version: 5.0.......
...
mysql> \s
...
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
...
[19 Oct 2008 18:19] Valeriy Kravchuk
Thank you for a problem report. Please, check the results of

mysqlbug

from RedHat's 5.0.45 server. I need the configure command line used to build it.
[20 Oct 2008 16:38] Nenad Opsenica
Output from mysqlbug from RedHat El5 (centos 5.2) server:

>Release:	mysql-5.0.45 (Source distribution)
>Server: /usr/bin/mysqladmin  Ver 8.41 Distrib 5.0.45, for redhat-linux-gnu on i686
Copyright (C) 2000-2006 MySQL AB
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL license

Server version		5.0.45-log
Protocol version	10
Connection		Localhost via UNIX socket
UNIX socket		/var/lib/mysql/mysql.sock
Uptime:			4 min 11 sec

Threads: 1  Questions: 8  Slow queries: 0  Opens: 11  Flush tables: 1  Open tables: 5 
Queries per second avg: 0.032
>C compiler:    gcc (GCC) 4.1.2 20070626 (Red Hat 4.1.2-14)
>C++ compiler:  g++ (GCC) 4.1.2 20070626 (Red Hat 4.1.2-14)
>Environment:
	<machine, os, target, libraries (multiple lines)>
System: Linux jakovljevic.noc.panline.net 2.6.18-53.1.21.el5 #1 SMP Wed May 28 23:06:10
CEST 2008 i686 athlon i386 GNU/Linux
Architecture: i686

Some paths:  /usr/bin/perl /usr/bin/make /usr/bin/gmake /usr/bin/gcc /usr/bin/cc
GCC: Using built-in specs.
Target: i386-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man
--infodir=/usr/share/info --enable-shared --enable-threads=posix
--enable-checking=release --with-system-zlib --enable-__cxa_atexit
--disable-libunwind-exceptions --enable-libgcj-multifile
--enable-languages=c,c++,objc,obj-c++,java,fortran,ada --enable-java-awt=gtk
--disable-dssi --enable-plugin --with-java-home=/usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/jre
--with-cpu=generic --host=i386-redhat-linux
Thread model: posix
gcc version 4.1.2 20070626 (Red Hat 4.1.2-14)
Compilation info: CC='gcc'  CFLAGS='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2
-fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic
-fasynchronous-unwind-tables -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE
-fno-strict-aliasing -fwrapv'  CXX='g++'  CXXFLAGS='-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32
-march=i386 -mtune=generic -fasynchronous-unwind-tables -D_GNU_SOURCE
-D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -fno-strict-aliasing -fwrapv -fno-rtti
-fno-exceptions'  LDFLAGS=''  ASFLAGS=''
LIBC: 
lrwxrwxrwx 1 root root 11 Feb  3  2008 /lib/libc.so.6 -> libc-2.5.so
-rwxr-xr-x 1 root root 1476244 Nov 13  2003 /lib/libc-2.3.2.so
-rwxr-xr-x 1 root root 1589908 Dec  1  2007 /lib/libc-2.5.so
-rw-r--r-- 1 root root 2789404 Nov 30  2007 /usr/lib/libc.a
-rw-r--r-- 1 root root 238 Nov 30  2007 /usr/lib/libc.so
Configure command: ./configure '--build=i686-redhat-linux-gnu'
'--host=i686-redhat-linux-gnu' '--target=i386-redhat-linux-gnu' '--program-prefix='
'--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include'
'--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--localstatedir=/var'
'--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--with-readline' '--with-openssl' '--without-debug' '--enable-shared' '--with-bench'
'--localstatedir=/var/lib/mysql' '--with-unix-socket-path=/var/lib/mysql/mysql.sock'
'--with-mysqld-user=mysql' '--with-extra-charsets=all' '--with-innodb'
'--with-berkeley-db' '--enable-local-infile' '--enable-largefile'
'--enable-thread-safe-client' '--disable-dependency-tracking'
'--with-named-thread-libs=-lpthread' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2
-fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic
-fasynchronous-unwind-tables -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE
-fno-strict-aliasing -fwrapv' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2
-fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic
-fasynchronous-unwind-tables -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE
-fno-strict-aliasing -fwrapv -fno-rtti -fno-exceptions' 'FFLAGS=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32
-march=i386 -mtune=generic -fasynchronous-unwind-tables'
'build_alias=i686-redhat-linux-gnu' 'host_alias=i686-redhat-linux-gnu'
'target_alias=i386-redhat-linux-gnu'
[21 Oct 2008 11:09] Valeriy Kravchuk
As OpenSSL is used in RedHat's binaries, it is likely a duplicate of bug #33050. That
bug is fixed in 5.0.58 and up. So, please, upgrade the server to 5.0.67.
[22 Oct 2008 17:13] [ name withheld ]
No, this is not a duplicate; or at least, updating to 5.0.67 does not fix it.  I built
5.0.67 using --with-yassl and another copy identically configured except using
--with-openssl (the latter is identical to current Fedora RPMs).  The yassl client will
not successfully connect to the openssl server when attempting SSL, just as described by
the OP.  yassl-to-yassl and openssl-to-openssl work fine (I did not try the fourth
combination).  I'm still of the opinion that this is probably a yassl bug/incompatibility.

Tested on reasonably up-to-date Fedora 9 x86_64 system, with openssl-0.9.8g-9.fc9.x86_64
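
Added example (not part of the original report, and not MySQL or RedHat code): a triage helper that reads the "Configure command:" section of mysqlbug output, as requested in the thread, identifies the SSL library the build was configured with, and looks up the outcome the last comment reports for that client/server pairing. The sample text is abbreviated from the mysqlbug output above; the function names and the REPORTED table layout are assumptions made for this example.

```python
import re
import shlex

# Sample input: abbreviated from the mysqlbug output posted in this report.
SAMPLE_MYSQLBUG = """\
Server version          5.0.45-log
Configure command: ./configure '--build=i686-redhat-linux-gnu'
'--prefix=/usr' '--with-readline' '--with-openssl' '--without-debug'
'--with-named-thread-libs=-lpthread' 'CFLAGS=-O2 -g -pipe -Wall
-fno-strict-aliasing -fwrapv' 'host_alias=i686-redhat-linux-gnu'
"""

# Outcomes as stated in the [22 Oct 2008] comment for two 5.0.67 builds,
# keyed by (client SSL library, server SSL library).
REPORTED = {
    ("yassl", "yassl"): "works",
    ("openssl", "openssl"): "works",
    ("yassl", "openssl"): "fails (SSL connection error)",
    ("openssl", "yassl"): "not tried in that comment",
}

def configure_args(mysqlbug_output):
    """Return the configure arguments recorded in mysqlbug output."""
    m = re.search(r"^Configure command:(.*?)(?:\n[ \t]*\n|\Z)",
                  mysqlbug_output, re.S | re.M)
    if not m:
        return []
    # The command is wrapped over several lines and quoted values such as
    # CFLAGS contain spaces, so tokenize it the way a shell would.
    return shlex.split(m.group(1))[1:]  # drop "./configure"

def ssl_backend(args):
    """Classify the build by the two SSL flags that appear in this thread."""
    flags = {a.split("=", 1)[0] for a in args}
    if "--with-yassl" in flags:
        return "yassl"
    if "--with-openssl" in flags:
        return "openssl"
    return "unknown"

def reported_outcome(client_backend, server_mysqlbug_output):
    """Look up what the thread reports for this client against this server."""
    server = ssl_backend(configure_args(server_mysqlbug_output))
    return REPORTED.get((client_backend, server), "no report in this thread")

if __name__ == "__main__":
    print(ssl_backend(configure_args(SAMPLE_MYSQLBUG)))
    print(reported_outcome("yassl", SAMPLE_MYSQLBUG))
```
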