Bug #26776 No error log entry when SSL cannot read /dev/random
Submitted: 1 Mar 2007 23:11    Modified: 5 Dec 2007 18:56
Reporter: Kolbe Kegel
Status: Verified
Category: MySQL Server: General    Severity: S3 (Non-critical)
Version: 5.0.36    OS: Linux (Linux)
Assigned to:    CPU Architecture: Any

[1 Mar 2007 23:11] Kolbe Kegel
Description:
If the SSL library used by mysqld cannot read from /dev/random or /dev/urandom, clients will fail to connect with "ERROR 2026 (HY000): SSL connection error".

Nothing is placed into the error log in this situation.

This issue first arose when the permission denied error was due to SELinux preventing mysqld from reading these items. (See bug #12676 for more information.)

How to repeat:
- Start MySQL w/ SSL support
- Change privileges for /dev/random and /dev/urandom
- Try to connect to MySQL server w/ SSL

[kolbe@localhost ~]$ cat /etc/my.cnf
[mysqld]
ssl
ssl-ca=/var/lib/mysql/ssl/ca-cert.pem
ssl-cert=/var/lib/mysql/ssl/server-cert.pem
ssl-key=/var/lib/mysql/ssl/server-key.pem

[kolbe@localhost ssl]$ sudo chmod 000 /dev/random /dev/urandom
[kolbe@localhost ssl]$ ls -l /dev/random /dev/urandom 
c---------  1 root root 1, 8 Oct 20 09:14 /dev/random
c---------  1 root root 1, 9 Oct 20 16:14 /dev/urandom

[kolbe@localhost ssl]$ mysql --ssl-ca=ca-cert.pem -u root
ERROR 2026 (HY000): SSL connection error
[kolbe@localhost ssl]$ sudo tail -n 10 /var/lib/mysql/*err
[...]
070301 08:04:20  mysqld started
070301  8:04:22  InnoDB: Started; log sequence number 0 43655
070301  8:04:22 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.0.36-enterprise-gpl'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  MySQL Enterprise Server (GPL)

[kolbe@localhost ssl]$ sudo chmod 666 /dev/random /dev/urandom

[kolbe@localhost ssl]$ mysql --ssl-ca=ca-cert.pem -u root
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 17 to server version: 5.0.36-enterprise-gpl

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show status like 'ssl_cipher';
+---------------+--------------------+
| Variable_name | Value              |
+---------------+--------------------+
| Ssl_cipher    | DHE-RSA-AES256-SHA | 
+---------------+--------------------+
1 row in set (0.00 sec)

Suggested fix:
The server should always write something to the error log if it is unable to read from a file or device that it needs to use for some operation.
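The check the suggested fix asks for, written as an added example in plain POSIX C; this is not MySQL's code and the function names (`probe_entropy_device`, `check_entropy_sources`) and the `[ERROR]` log-line wording are assumptions modelled on the `[Note]` tag visible in the error log above. It does what the SSL library does when seeding its PRNG, opening the device and reading a few bytes, and on failure writes one line naming the device, the failing call and the errno text, which is exactly what the report found missing when SELinux or a chmod produced a permission-denied error. A read from `/dev/random` may block on older kernels when the entropy pool is low, so a production pre-flight should apply a timeout or probe only `/dev/urandom`.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Outcome of probing one entropy device (hypothetical names, not MySQL's). */
enum entropy_probe_result {
    ENTROPY_OK = 0,
    ENTROPY_OPEN_FAILED = 1,
    ENTROPY_READ_FAILED = 2
};

/*
 * Open `path` read-only and read a few bytes, as an SSL library seeding its
 * PRNG would. On failure, format an error-log line into `msg` that names the
 * device, the failing call and strerror(errno). Returns ENTROPY_OK or the
 * kind of failure.
 */
int probe_entropy_device(const char *path, char *msg, size_t msglen)
{
    unsigned char buf[16];
    int fd = open(path, O_RDONLY);
    if (fd < 0) {
        snprintf(msg, msglen,
                 "[ERROR] SSL: cannot open %s for reading: %s (errno %d)",
                 path, strerror(errno), errno);
        return ENTROPY_OPEN_FAILED;
    }
    ssize_t n = read(fd, buf, sizeof buf);
    int saved = errno;          /* close() may clobber errno */
    close(fd);
    if (n < 0) {
        snprintf(msg, msglen,
                 "[ERROR] SSL: cannot read from %s: %s (errno %d)",
                 path, strerror(saved), saved);
        return ENTROPY_READ_FAILED;
    }
    if (n == 0) {
        snprintf(msg, msglen,
                 "[ERROR] SSL: %s returned no data (unexpected end of file)",
                 path);
        return ENTROPY_READ_FAILED;
    }
    msg[0] = '\0';
    return ENTROPY_OK;
}

/*
 * Startup check: probe each device in `paths` and write one log line per
 * failure to `log`. Returns the number of devices that could not be used,
 * so the caller can refuse to advertise SSL instead of failing silently.
 */
int check_entropy_sources(const char *const *paths, size_t count, FILE *log)
{
    char msg[256];
    int failures = 0;
    for (size_t i = 0; i < count; i++) {
        if (probe_entropy_device(paths[i], msg, sizeof msg) != ENTROPY_OK) {
            fputs(msg, log);
            fputc('\n', log);
            failures++;
        }
    }
    return failures;
}

int main(void)
{
    /* The two devices named in the report. */
    const char *const devices[] = { "/dev/random", "/dev/urandom" };
    int failed = check_entropy_sources(devices, 2, stderr);
    if (failed)
        fprintf(stderr,
                "[ERROR] SSL: %d entropy device(s) unusable; clients will get "
                "ERROR 2026 (HY000): SSL connection error\n", failed);
    return failed ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

Run it as the same user mysqld runs as (or under the same SELinux context) so that the permission check reflects what the server will actually see; a zero exit means both devices were readable.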