Bug #81977 SSL connection error: protocol version mismatch
Submitted: 22 Jun 2016 21:07 Modified: 29 Apr 2017 23:52
Reporter: Alex Mayfield
Status: No Feedback
Category: MySQL Workbench Severity: S3 (Non-critical)
Version: 6.3.7 OS: MacOS (10.10)
Assigned to: CPU Architecture: Any

[22 Jun 2016 21:07] Alex Mayfield
Description:
When I attempt to connect to a particular MySQL server through MySQL Workbench 6.3.7, I get a very peculiar error that I simply do not get on 6.3.4.

The specific error is: SSL connection error: protocol version mismatch

This error only seems to occur with this one particular connection that I could tell, which is TCP/IP tunneled over SSH.  Other connections, including other TCP/IP tunneled over SSH connections, seem to work just fine.  The connection to the MySQL server itself is not SSL, and I ensured that "Use SSL" was set to "No".

If I attempt to create a new connection with the same settings, I get the same error.  For what it's worth, I get a prompt for my ssh key password, but I do not get a MySQL server password prompt.

This problem first appeared in 6.3.6.  I have not yet tested 6.3.5.  Downgrading to 6.3.4 appears to fix the problem.

The remote MySQL server appears to be version 5.1.73-1 (Debian) compiled for debian-linux-gnu   (x86_64), at least according to MySQL Workbench 6.3.4.  The tunneled server is CentOS 7.0.1406.

How to repeat:
Simple, just create a new connection, select "Standard TCP/IP over SSH", fill out the ssh server and MySQL server hostnames and usernames, select the proper SSH key file.
[29 Jun 2016 11:10] MySQL Verification Team
Thank you for the bug report. Please check if https://bugs.mysql.com/bug.php?id=64870 is related to your case too. Thanks.
[29 Jun 2016 13:31] Alex Mayfield
I don't believe so.  I don't see any mention of SSH tunnelling in that bug.
[6 Oct 2016 8:00] Andreas Piesk
Same issue here, version 6.3.4 is the last known working version:

        MySQL Workbench Community (GPL) for Linux/Unix version 6.3.4  revision 0 build 828 (64 bit)
        Configuration Directory: /home/pieska/.mysql/workbench
        Data Directory: /usr/share/mysql-workbench
        Cairo Version: 1.8.8
        OS: Linux 2.6.32-642.6.1.el6.x86_64
        CPU: 4x Intel(R) Core(TM) i7-3520M CPU @ 2.90GHz (2901.000MHz) - 7,39GiB RAM
        Distribution: Red Hat Enterprise Linux Workstation release 6.8 (Santiago)

        Fips mode enabled: no

09:50:27 [INF][     SSH tunnel]: Starting tunnel
09:50:27 [INF][     SSH tunnel]: Existing SSH tunnel not found, opening new one
09:50:27 [INF][     SSH tunnel]: Opening SSH tunnel to bn2pap111.scb.voeb-zvd.intern:22
09:50:28 [INF][     SSH tunnel]: TunnelManager.wait_connection returned OK
09:50:28 [INF][sshtunnel.py:set_keepalive:502]: SSH KeepAlive setting skipped.
09:50:28 [INF][     SSH tunnel]: SSH tunnel connect executed OK
09:50:28 [ERR][  GRTDispatcher]: exception in grt execute_task, continuing: Exception: Access denied for user 'root'@'localhost' (using password: NO)
09:50:28 [ERR][  GRTDispatcher]: worker: task 'execute sql queries' has failed with error:.Access denied for user 'root'@'localhost' (using password: NO)
09:50:43 [INF][      SqlEditor]: Opened connection 'BN2PAP111' to MySQL Community Server (GPL) version 5.6.30-log
09:50:43 [INF][     AutoCCache]: Initializing autocompletion cache for BN2PAP111

Versions 6.3.5 and following are broken:

09:55:47 [INF][      WBContext]: System info:
        MySQL Workbench Community (GPL) for Linux/Unix version 6.3.7 CE build 1199 (64 bit)
        Configuration Directory: /home/pieska/.mysql/workbench
        Data Directory: /usr/share/mysql-workbench
        Cairo Version: 1.8.8
        OS: Linux 2.6.32-642.6.1.el6.x86_64
        CPU: 4x Intel(R) Core(TM) i7-3520M CPU @ 2.90GHz (1200.000MHz) - 7,39GiB RAM
        Distribution: Red Hat Enterprise Linux Workstation release 6.8 (Santiago)

        Fips mode enabled: no

09:55:48 [INF][     SSH tunnel]: Starting tunnel
09:55:48 [INF][     SSH tunnel]: Existing SSH tunnel not found, opening new one
09:55:48 [INF][     SSH tunnel]: Opening SSH tunnel to bn2pap111.scb.voeb-zvd.intern:22
09:55:49 [INF][     SSH tunnel]: TunnelManager.wait_connection returned OK
09:55:49 [INF][sshtunnel.py:set_keepalive:506]: SSH KeepAlive setting skipped.
09:55:49 [INF][     SSH tunnel]: SSH tunnel connect executed OK
09:55:49 [ERR][      SqlEditor]: SqlEditorForm: exception in do_connect method: Exception: SSL connection error: protocol version mismatch
09:55:49 [ERR][  GRTDispatcher]: exception in grt execute_task, continuing: Exception: SSL connection error: protocol version mismatch
09:55:49 [ERR][  GRTDispatcher]: worker: task 'execute sql queries' has failed with error:.SSL connection error: protocol version mismatch
09:55:49 [ERR][    WQE backend]: Got an exception during connection: SSL connection error: protocol version mismatch
09:55:49 [ERR][      SqlEditor]: SQL editor could not be connected: SSL connection error: protocol version mismatch
09:55:49 [ERR][      SqlEditor]: Your connection attempt failed for user 'root' from your host to server at 127.0.0.1:3306:
  SSL connection error: protocol version mismatch

None of my connections use SSL:

$ grep -i UseSSL connections.xml 
        <value type="int" key="useSSL">0</value>
        <value type="int" key="useSSL">0</value>
        <value type="int" key="useSSL">0</value>
        <value type="int" key="useSSL">0</value>
        <value type="int" key="useSSL">0</value>
        <value type="int" key="useSSL">0</value>
[6 Oct 2016 11:06] Ewald Kicker
I think this bug report is related to (or duplicate of) this bug report: http://bugs.mysql.com/bug.php?id=74896
[6 Oct 2016 11:09] Andreas Piesk
I found the problem in my setup:

The CA certificate had expired and the server was configured to use SSL. Even if the connection doesn't use SSL, starting with 6.3.5 the SSL setup must be valid and working. After providing valid certificates I can connect with 6.3.4 and 6.3.7.
[6 Oct 2016 11:20] Ewald Kicker
@Andreas

>> After providing valid certificates i can connect
Do you have a link to documentation about how to do this?
[7 Oct 2016 11:13] Andreas Piesk
In /etc/my.cnf:
ssl				= on
ssl-ca				= /etc/pki/mysql/testca.crt
ssl-cert			= /etc/pki/mysql/mysql-server.crt
ssl-key				= /etc/pki/mysql/mysql-server.pem

There are many how-tos for creating these x509 certificates available, for instance http://www.ipsec-howto.org/x595.html.
[7 Oct 2016 16:51] Ewald Kicker
Creating the files as described in https://dev.mysql.com/doc/refman/5.6/en/creating-ssl-files-using-openssl.html and adding:

ssl = on
ssl-ca = /etc/newcerts/ca.pem
ssl-cert = /etc/newcerts/server-cert.pem
ssl-key = /etc/newcerts/server-key.pem

in /etc/mysql/my.cnf in the [mysqld] section and then a restart of MySQL solved the problem.
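
A way to check for the cause identified in the comments above (an expired CA certificate in the server's SSL setup), added here as an example and not part of the original thread: the script reads the ssl-ca and ssl-cert paths from the [mysqld] section of a my.cnf and tests each one with `openssl x509 -checkend`. The function names and the 30-day default warning window are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug thread): flag expired or soon-to-expire
# certificates named by ssl-ca / ssl-cert in the [mysqld] section of my.cnf.

# Print "option path" for every ssl-ca / ssl-cert line inside [mysqld].
# MySQL treats '-' and '_' in option names alike, so both are accepted.
cnf_ssl_certs() {
    awk '
        /^[ \t]*\[/ { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        in_mysqld && /^[ \t]*ssl[-_](ca|cert)[ \t]*=/ {
            key = $0; sub(/[ \t]*=.*/, "", key)
            gsub(/[ \t]/, "", key); gsub(/_/, "-", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            print key, val
        }' "$1"
}

# Return 0 if the certificate stays valid for $2 more days (default 0),
# 1 if it has expired or expires within that window, 2 if it is unreadable.
check_cert() {
    [ -r "$1" ] || return 2
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    openssl x509 -in "$1" -noout -checkend "$(( ${2:-0} * 86400 ))" >/dev/null 2>&1
}

# Audit every certificate the config references; non-zero if any is a problem.
# The 30-day default warning window is an assumption of this example.
audit_cnf() {
    rc=0
    certs=$(cnf_ssl_certs "$1") || return 2
    while read -r opt path; do
        [ -n "$opt" ] || continue
        st=0; check_cert "$path" "${2:-30}" || st=$?
        case $st in
            0) echo "OK          $opt $path" ;;
            1) echo "EXPIRED/DUE $opt $path"; rc=1 ;;
            *) echo "UNREADABLE  $opt $path"; rc=1 ;;
        esac
    done <<EOF
$certs
EOF
    return "$rc"
}

# Usage: sh check-mysql-certs.sh /etc/my.cnf [days]
if [ "$#" -gt 0 ]; then audit_cnf "$@"; fi
```

Run on the database host with read access to the certificate files; a non-zero exit status means at least one referenced certificate is expired, close to expiry, or unreadable.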
[29 Mar 2017 23:52] MySQL Verification Team
Please try version 6.3.9. Thanks.
[30 Apr 2017 1:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".