| Bug #86828 | MySQL Shell SSL WRONG_VERSION_NUMBER ERROR | | |
|---|---|---|---|
| Submitted: | 26 Jun 2017 17:09 | Modified: | 31 Jul 2017 12:53 |
| Reporter: | Jason Miele | Email Updates: | |
| Status: | Duplicate | Impact on me: | |
| Category: | Shell AdminAPI InnoDB Cluster / ReplicaSet | Severity: | S3 (Non-critical) |
| Version: | 1.0.9 | OS: | Linux |
| Assigned to: | | CPU Architecture: | Any |
| Tags: | InnoDB Cluster, mysql-shell, SSL | | |
[26 Jun 2017 17:09]
Jason Miele
[28 Jun 2017 6:24]
MySQL Verification Team
Hi,

I could not reproduce this. How did you create the certificate files? I used, for example, this and it works as expected:

```shell
openssl genrsa 2048 > ca-key.pem
openssl req -sha1 -new -x509 -nodes -days 3650 -key ca-key.pem > ca-cert.pem
openssl req -sha1 -newkey rsa:2048 -days 730 -nodes -keyout server-key.pem > server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -sha1 -req -in client-req.pem -days 730 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
```

all best
bogdan
[28 Jun 2017 11:48]
Jason Miele
openssl -sha256
[29 Jun 2017 16:05]
Jason Miele
Hi, we tried this with your SHA1 certificates and received the same error. Revised step-by-step to reproduce:

How to repeat:

1) Generate Certs and Keys:

1a) Generate CA Cert:

```shell
openssl genrsa 2048 > ca-key.pem
openssl req -sha1 -new -x509 -nodes -days 3650 -key ca-key.pem > ca-cert.pem
```

1b) Generate Server Cert and Key:

```shell
openssl req -sha1 -newkey rsa:2048 -days 730 -nodes -keyout server-key.pem > server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -sha1 -req -in server-req.pem -days 730 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
```

1c) Generate Client Cert and Key:

```shell
openssl req -sha1 -newkey rsa:2048 -days 730 -nodes -keyout client-key.pem > client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -sha1 -req -in client-req.pem -days 730 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
```

2) Install MySQL Server 5.7.18 Enterprise for Linux Generic.

3) Configure MySQL Server with the necessary parameters so that it is ready to become an InnoDB Cluster, plus:

```
tls_version=TLSv1.1,TLSv1.2
ssl=ON
ssl-ca=/certs/ca-cert.pem
ssl-cert=/certs/server-cert.pem
ssl-key=/certs/server-key.pem
```

4) Add a user in MySQL with "REQUIRE SSL" and all privileges (such as the DBA role):

```sql
CREATE USER clientuser@'%' IDENTIFIED BY '###############' REQUIRE SSL;
```

7) Install MySQL Shell 1.0.9 Enterprise (on the same Linux server).

8) With "MySQL Shell" connect to the MySQL Server using certificates and try to create an InnoDB cluster:

```
\connect clientuser@##.###.###.###?sslCA=/certs/ca-cert.pem&sslCert=/certs/client-cert.pem&sslKey=/certs/client-key.pem
var myCluster = dba.createCluster('myCluster');
```

MySQL Shell throws the following error:

```
Dba.createCluster: ERROR: Error starting cluster: '##.###.###.###@3306' - Lost connect to MySQL server at '##.###.###.###:3306', system error: 1 [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:579) (RuntimeError)
```
[3 Jul 2017 16:58]
Matthew Lord
Hi Jason,

Thank you for trying out InnoDB clusters!

The issue here is that you're explicitly overriding the compiled-in default value for tls_version: https://dev.mysql.com/doc/refman/5.7/en/secure-connection-options.html#option_general_tls-...

You're using MySQL Community, which is bundled with yaSSL (the OpenSSL license isn't fully GPL compatible). yaSSL only supports TLS versions 1.0 and 1.1, and that is what the compiled-in value of tls_version is set to in your binary. You're then overriding that with a superset to include version 1.2, which is a TLS version/protocol that your mysqld server binary doesn't understand.

When the client/server negotiation and handshake starts, the highest available/supported protocol listed in the tls_version system variable is used. So in your case 1.2 is chosen, as you explicitly added it to the tls_version config variable. But then the mysqld server (via the SSL library used) returns an error because it's not a valid version as far as it knows. It's unaware of that version, and it's no more valid than version 99.12.

Each of these points and more is covered here: https://dev.mysql.com/doc/refman/5.7/en/secure-connection-protocols-ciphers.html

All that being said, we've got plenty of room to make the usage of SSL easier, more intuitive, and more streamlined. So please know that we're aware of the general pains there and are implementing/discussing various ways to improve related behavior.

Best Regards,
Matt
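A diagnostic that follows from the analysis in the comment above, added here as an example and not part of the bug report or of any MySQL tool: a POSIX shell probe that asks mysqld, via `openssl s_client -starttls mysql`, whether it will complete a handshake at each of TLS 1.0, 1.1 and 1.2, and that separates a genuine version refusal (a TLS alert) from a "wrong version number" failure, which OpenSSL raises when the peer's first bytes are not a TLS record it accepts, typically a plaintext reply rather than a version disagreement. It assumes OpenSSL 1.1.0 or later on the probing host (for the `mysql` STARTTLS mode) and a reachable server; the host, port and the s_client output fragments in the comments are illustrative.

```shell
#!/bin/sh
# Probe which TLS protocol versions a MySQL server will actually negotiate.
# Added example for this thread; not code from the bug report or from MySQL.
# Assumes: openssl >= 1.1.0 (provides `s_client -starttls mysql`); target runs
# mysqld with ssl=ON. Host/port are taken from the command line.

# Decide what `openssl s_client` negotiated, given its captured stdout+stderr.
# Prints the protocol name (e.g. "TLSv1.2") or "none" if no handshake completed.
# s_client prints an "SSL-Session:" block with a "Protocol :" line even on
# failure, so the "Cipher is (NONE)" marker is what actually signals failure.
negotiated_protocol() {
    case "$1" in
        *"Cipher is (NONE)"*) printf 'none\n'; return 0 ;;
    esac
    proto=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *\(TLSv[0-9.]*\).*/\1/p' | head -n 1)
    if [ -n "$proto" ]; then
        printf '%s\n' "$proto"
    else
        printf 'none\n'
    fi
}

# Classify a failed handshake from s_client's error text.
#   not-tls          the peer answered with bytes that are not a TLS record
#                    (OpenSSL: "wrong version number"); look for a plaintext
#                    reply such as a MySQL error packet before blaming TLS
#   version-refused  TLS ran but the peer rejected this protocol version
#   unreachable      TCP connect failed
classify_failure() {
    case "$1" in
        *"wrong version number"*)                        printf 'not-tls\n' ;;
        *"unsupported protocol"*|*"protocol version"*)   printf 'version-refused\n' ;;
        *"Connection refused"*|*"connect:errno"*)        printf 'unreachable\n' ;;
        *)                                               printf 'unknown\n' ;;
    esac
}

# Try one protocol version. $1 host, $2 port, $3 s_client flag (-tls1, -tls1_1, -tls1_2).
probe_one() {
    out=$(openssl s_client -connect "$1:$2" -starttls mysql "$3" </dev/null 2>&1)
    proto=$(negotiated_protocol "$out")
    if [ "$proto" = "none" ]; then
        printf '%s\tfailed (%s)\n' "$3" "$(classify_failure "$out")"
    else
        printf '%s\tok (%s)\n' "$3" "$proto"
    fi
}

# Walk the versions a 5.7 tls_version setting can name.
probe_all() {
    for flag in -tls1 -tls1_1 -tls1_2; do
        probe_one "$1" "$2" "$flag"
    done
}

# Usage: sh probe_tls.sh <host> [port]   (port defaults to 3306)
if [ $# -ge 1 ]; then
    probe_all "$1" "${2:-3306}"
fi
```

Run it as `sh probe_tls.sh <host> 3306`; a server whose library speaks only TLS 1.0/1.1 shows `-tls1_2` as failed while the lower versions succeed, which is the situation the comment above describes. The probe only establishes what mysqld's own SSL library accepts; the client stack has to be checked separately (from a connected session, `SHOW SESSION STATUS LIKE 'Ssl_version'` reports what that particular client negotiated).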
[3 Jul 2017 17:08]
Jason Miele
We are using MySQL Enterprise 5.7.18 for Linux Generic:

```
> mysqld --version
Ver 5.7.18-enterprise-commercial-advanced for linux-glib2.5 on x86_64 (MySQL Enterprise Server - Advanced Edition (Commercial))
> mysqlsh --version
MySQL Shell Version 1.0.9
```

Our MySQL Shell executable was taken from the MySQL Enterprise download V861143-01.zip.
[3 Jul 2017 17:13]
Jason Miele
As we are using MySQL Enterprise, setting tls_version=TLSv1.2 should be OK:

- MySQL Server Enterprise
- MySQL Workbench Enterprise
- MySQL Router Enterprise
- MySQL Shell Enterprise
[3 Jul 2017 17:24]
Jason Miele
Any chance Oracle compiled the incorrect version of MySQL-Shell and labeled it as MySQL-Shell Enterprise? Please double check the contents of V861143-01.zip.
[4 Jul 2017 4:20]
Matthew Lord
Hi Jason,

Sorry! I completely missed where you clearly stated that you were using 5.7.18 Enterprise. :)

I downloaded the same Server and Shell packages that you're using and checked the SSL/TLS details just to be doubly sure, and I verified that both mysqlsh and mysqld are using OpenSSL. So using TLSv1.1 and TLSv1.2 shouldn't be an issue. We'll have to dig deeper with you, ideally in a support ticket.

Thanks again!
Matt
[4 Jul 2017 10:49]
MySQL Verification Team
Hi,

Matt located the bug in mysqlprovision. Bug's verified. Thanks for the submission!

Is there a SR# for this issue?

All best
Bogdan
[4 Jul 2017 11:08]
Jason Miele
We will work on getting in a SR. While Matt is noodling in shell, perhaps he could address a helpful feature request: https://forums.mysql.com/read.php?177,658552,658552#msg-658552
[4 Jul 2017 11:10]
MySQL Verification Team
:) get that into SR too, fastest way! all best Bogdan
[19 Jul 2017 16:00]
MySQL Verification Team
Matt found the place where this bug actually lives, so the following bug was opened against Connector/Python:

BUG#26484601 - Unable to connect to a MySQL server using TLSv1.2

all best
Bogdan
[19 Jul 2017 16:44]
MySQL Verification Team
Duplicate of #87121
[20 Jul 2017 12:38]
Jason Miele
As bug #87121 is not visible, please post an update when fixed. https://bugs.mysql.com/bug.php?id=87121
[28 Jul 2017 18:49]
Jason Miele
Was this fixed in MySQL Shell 1.0.10? (As mentioned, bug #87121 is not publicly visible.)
[31 Jul 2017 12:53]
MySQL Verification Team
Bug #87121 is not yet fixed. Once it is fixed, bug #87121 will be published and appropriate change log details will be made available here: https://dev.mysql.com/doc/relnotes/connector-python/en/news-2-1.html

Changing status back to "Duplicate".

Thanks,
Umesh
[31 Jul 2017 12:55]
MySQL Verification Team
No, #87121 is not fixed yet. When it gets fixed, both will be updated.

all best
Bogdan