Bug #68788 MySQL community utilities cannot connect to MySQL Enterprise with SSL enabled
Submitted: 26 Mar 2013 22:27 Modified: 31 Mar 2014 20:55
Reporter: Jonathan Weaver
Status: Closed
Category: MySQL Server: Command-line Clients Severity: S1 (Critical)
Version: 5.6.10 OS: Any
Assigned to: CPU Architecture: Any

[26 Mar 2013 22:27] Jonathan Weaver
Description:
It appears that the MySQL community utilities cannot connect to a MySQL Enterprise 5.6.x server with SSL configured.  This is not an issue when connecting to a 5.5.x Enterprise server with SSL configured.  The client must also be at version 5.6.x for SSL connections to succeed.

This will cause issues if the standard Red Hat packages are installed on a system and SSL connection attempts are made to a MySQL Enterprise 5.6.x server.

I hope that this is an oversight and not the intended design.

How to repeat:
This can be repeated by attempting to connect to a MySQL Enterprise 5.6.x server with SSL configured using a pre-5.6.x MySQL client or a community 5.6.x MySQL client using the "--ssl-ca" parameter.
[27 Mar 2013 17:33] Jonathan Weaver
For clarification in the line "The client must also be at version 5.6.x for SSL connections to succeed", the client that succeeds connecting to an SSL enabled server is the Enterprise client.
[28 Mar 2013 19:04] Jonathan Weaver
I am changing this to a critical issue because I feel it is warranted.
[24 Apr 2013 11:09] MySQL Verification Team
Hello Jonathan,

Thank you for the report.
Verified as described.

Thanks,
Umesh
[24 Apr 2013 11:12] MySQL Verification Team
Test case..

Attachment: 68788.txt (text/plain), 14.01 KiB.

[24 Apr 2013 14:02] MySQL Verification Team
http://bugs.mysql.com/bug.php?id=68787 marked as duplicate of this one.
[8 Jan 2014 17:07] Paul DuBois
Noted in 5.5.37, 5.6.17, 5.7.4 changelogs.

MySQL client programs from a Community Edition distribution could not
connect using SSL to a MySQL server from an Enterprise Edition. This
was due to a difference in certificate handling by yaSSL and OpenSSL
(used for Community and Enterprise, respectively). OpenSSL expected a
blank certificate to be sent when not all of the --ssl-ca,
--ssl-cert, and --ssl-key options were specified, and yaSSL did not
do so. To resolve this, yaSSL has been modified to send a blank
certificate when an option is missing.
[13 Jan 2014 15:13] Paul DuBois
Noted in Connector/C 6.1.4 changelog.
[27 Mar 2014 13:22] Laurynas Biveinis
5.5$ bzr log -r 4574
------------------------------------------------------------
revno: 4574
committer: Anirudh Mangipudi <anirudh.mangipudi@oracle.com>
branch nick: yassl-5.5
timestamp: Wed 2014-01-08 18:31:42 +0530
message:
  Bug#16715064 MYSQL COMMUNITY UTILITIES CANNOT CONNECT TO MYSQL ENTERPRISE
  WITH SSL ENABLED
  Problem:
  It was reported that MySQL community utilities cannot connect to a MySQL
  Enterprise 5.6.x server with SSL configured. We can reproduce the issue
  when we try to connect a MySQL Enterprise Server with a MySQL Client with
  --ssl-ca parameter enabled.
  We get an ERROR 2026 (HY000): SSL connection error: unknown error number.
  
  Solution:
  The root cause of the problem was determined to be the difference in handling
  of the certificates by OpenSSL (Enterprise) and yaSSL (Community). OpenSSL expects
  a blank certificate to be sent when a parameter (ssl-ca, or ssl-cert or ssl-key)
  has not been specified. On the other hand, yaSSL doesn't send any certificate, and
  since OpenSSL does not expect this behaviour it returns an Unknown SSL error.
  The issue was resolved by yaSSL adding the capability to send a blank certificate when
  any of the parameters is missing.
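What the "blank certificate" named in the changelog entry and in the commit message above looks like on the wire, as an added example (not code from MySQL, yaSSL or OpenSSL). It assumes the TLS 1.0 to 1.2 handshake framing of RFC 5246 and a server that has requested a client certificate; the function names and the sample flights are constructed for illustration.

```python
HS_CERTIFICATE = 11          # HandshakeType.certificate (RFC 5246, section 7.4)
HS_CLIENT_KEY_EXCHANGE = 16  # HandshakeType.client_key_exchange


def iter_handshake(flight: bytes):
    """Yield (msg_type, body) for each message in a reassembled handshake flight."""
    pos = 0
    while pos < len(flight):
        if len(flight) - pos < 4:
            raise ValueError("truncated handshake header")
        msg_type = flight[pos]
        length = int.from_bytes(flight[pos + 1:pos + 4], "big")  # uint24
        body = flight[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake body")
        yield msg_type, body
        pos += 4 + length


def client_cert_response(flight: bytes) -> str:
    """Classify how a client flight answers a server's certificate request.

    "certificate": Certificate message carrying at least one certificate
    "blank":       Certificate message with an empty certificate_list
    "omitted":     no Certificate message at all (the pre-fix behaviour
                   the changelog attributes to yaSSL)
    """
    for msg_type, body in iter_handshake(flight):
        if msg_type != HS_CERTIFICATE:
            continue
        if len(body) < 3:
            raise ValueError("malformed Certificate message")
        list_len = int.from_bytes(body[:3], "big")  # certificate_list length
        if list_len != len(body) - 3:
            raise ValueError("certificate_list length mismatch")
        return "blank" if list_len == 0 else "certificate"
    return "omitted"


def handshake(msg_type: int, body: bytes) -> bytes:
    """Frame a handshake message: 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


# Constructed sample flights; the key-exchange body is filler, not key material.
CKE = handshake(HS_CLIENT_KEY_EXCHANGE, b"\x00" * 4)
BLANK_CERT = handshake(HS_CERTIFICATE, b"\x00\x00\x00")  # 0b 000003 000000
FIXED_FLIGHT = BLANK_CERT + CKE    # client sends the blank certificate
UNFIXED_FLIGHT = CKE               # client skips the Certificate message
```

Run against a decrypted or plaintext capture of the client's handshake flight, "omitted" identifies a client build that predates the fix.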
[31 Mar 2014 18:21] Jonathan Weaver
I upgraded to 5.6.17 on a test database server and attempted to connect with the following client versions.  Are there any additional tasks that must be completed after the upgrade to support older clients or is this the expected result?

MYSQL COMMAND
---------------------------------------------------------------------
mysql.exe --host=<host> --port=<port> --user=<user> --ssl-ca=<ssl-ca> -p

VERSION  PLATFORM   BITNESS  RESULT
-------  ---------  -------  ----------------------------------------
5.1.73   win        64       ERROR 2026 (HY000): SSL connection error
5.5.8    win        64       ERROR 2026 (HY000): SSL connection error
5.5.37   win        64       Connected Successfully
5.6.13   win        32       Connected Successfully
[31 Mar 2014 20:55] Jonathan Weaver
I am closing this again.  Oracle support confirmed that this is the expected behavior.  Client versions older than 5.5.37 will not include this bug fix.
[15 Apr 2014 11:52] Arnaud Adant
Problem seen with WB 6.1.4 and MySQL 5.6.17 enterprise.