Bug #33034 SSL has connection failure - ASN signature
Submitted: 6 Dec 2007 11:33 Modified: 27 Jun 2008 16:48
Reporter: Stanisław Pitucha
Status: No Feedback
Category:MySQL Server: General Severity:S3 (Non-critical)
Version:5.1.22 OS:Linux (CentOS5)
Assigned to: Magnus Blåudd CPU Architecture:Any
Tags: asn, certificate, SSL

[6 Dec 2007 11:33] Stanisław Pitucha
Description:
Connection to both 5.0.45 and 5.1.22 versions from official rpms fails with "SSL connection error" in console and:

T@3    : | | error: SSL_accept failure
T@3    : | | >report_errors
T@3    : | | | error: error: ASN: bad other signature confirmation
T@3    : | | | info: socket_errno: 0
T@3    : | | <report_errors

in server trace log. Certificate is verifiable by openssl and working when signing / encrypting. Issuer is "Equifax Secure Global eBusiness CA-1".

How to repeat:
Certificate causing problems is included in private comment. CA is https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Global_eB...
[7 Feb 2008 7:58] Magnus Blåudd
This is a problem with the yaSSL library reading the cert. Will forward it.
[11 Feb 2008 16:47] Magnus Blåudd
Having a hard time reproducing this. Did you really use the same CA cert on the server and the client?

Could there be CR or CR\LF in the files that are causing this?
[21 May 2008 13:36] Stanisław Pitucha
Both hosts are using the same CA. Files are using only unix linebreaks and are copied over with scp - no CR/LF problems there.
Openssl doesn't see anything wrong in them. It's reproducible all the time on my hosts. Is there any important information I can extract & post here, without giving out the original keys?
[23 May 2008 17:12] Stanisław Pitucha
Just another test: 5.1.24-rc-community-debug

--->8---
| >new_VioSSLFd
| | enter: key_file: '/etc/mysql/server-key.pem'  cert_file: '/etc/mysql/server-cert.pem'  ca_file: '/etc/mysql/ca-cert.pem'  ca_path: 'NULL'  cipher: 'NULL'
--->8---
| >sslaccept
| <sslaccept
| >ssl_do
| | enter: ptr: 0x88fc328, sd: 21  ctx: 0x88fc338
| | >vio_blocking
| | | enter: set_blocking_mode: 1  old_mode: 0
| | | exit: 0
| | <vio_blocking
| | info: ssl: 0x8937f88 timeout: 10
| | error: SSL_connect/accept failure
| | >report_errors
| | | error: error: ASN: bad other signature confirmation
| | | info: socket_errno: 0
| | <report_errors
| | >vio_blocking
| | | enter: set_blocking_mode: 0  old_mode: 1
| | | exit: 0
| | <vio_blocking
| <ssl_do
| error: Failed to accept new SSL connection
--->8---

CA is the same, because now I'm testing on localhost with domain set to cert's value of CN field and config like:

--->8---
[mysqld]
skip-innodb
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock

ssl-ca = /etc/mysql/ca-cert.pem
ssl-cert = /etc/mysql/server-cert.pem
ssl-key = /etc/mysql/server-key.pem

[client]
ssl-ca = /etc/mysql/ca-cert.pem
ssl-cert = /etc/mysql/client-cert.pem
ssl-key = /etc/mysql/client-key.pem
--->8---

Certs are readable by openssl without problems.
[27 May 2008 14:51] Magnus Blåudd
The error SIG_OTHER_E is set in extra/yassl/taocrypt/src/asn.cpp when it fails to validate the certificate's signature.

// Decode a x509v3 Certificate
void CertDecoder::Decode(SignerList* signers, CertType ct)
{
    if (source_.GetError().What()) return;
    DecodeToKey();                       // parse tbsCertificate, pull out the public key
    if (source_.GetError().What()) return;

    if (source_.get_index() != sigIndex_)
        source_.set_index(sigIndex_);    // jump to the outer signatureAlgorithm/signatureValue

    word32 confirmOID = GetAlgoId();     // outer signatureAlgorithm OID
    GetSignature();
    if (source_.GetError().What()) return;

    if ( confirmOID != signatureOID_ ) { // must match the OID inside tbsCertificate
        source_.SetError(SIG_OID_E);
        return;
    }

    // Non-CA certs are checked against the loaded CA list; a failed check
    // is reported as SIG_OTHER_E ("ASN: bad other signature confirmation").
    if (ct != CA && verify_ && !ValidateSignature(signers))
            source_.SetError(SIG_OTHER_E);
}
[27 May 2008 16:48] Sveta Smirnova
Thank you for the feedback.

Could you please upload all certificates and keys (I mean ssl-ca, ssl-cert and ssl-key for both client and server): we were not able to repeat the problem with our test keys and certificates.
[27 May 2008 16:59] Magnus Blåudd
This error message usually means that the server fails to validate the client certificate against its (the server's) CA cert.
[27 May 2008 17:04] Magnus Blåudd
Verify the client cert against the CA cert using:

$> openssl verify -CAfile cacert.pem server-cert.pem 
server-cert.pem: OK

$> openssl verify -CAfile Equifax_Secure_Global_eBusiness_CA-1.cer client-cert.pem 
client-cert.pem: /C=SE/ST=Uppsala/L=Uppsala/O=MySQL AB/emailAddress=abstract.mysql.developer@mysql.com
error 20 at 0 depth lookup:unable to get local issuer certificate

^This last one is against our test certs in mysql-test/std_data so it's supposed to fail against that CA cert.
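As an added illustration of the check above (not part of the bug thread, and not MySQL's own test data), the script below builds a throwaway CA plus a client cert signed by it, then runs the same "openssl verify" against the right CA and against an unrelated one, so both outcomes from the comment above can be seen side by side. It assumes only the openssl CLI and a POSIX shell; all key and certificate material is generated on the fly in a temporary directory.

```shell
#!/bin/sh
# Added example: reproduce both results of "openssl verify -CAfile ..." with
# constructed test material (throwaway keys, valid for one day).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA key + cert named NAME-key.pem / NAME-cert.pem.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1-key.pem" -out "$WORK/$1-cert.pem" \
        -subj "/CN=$1-ca" 2>/dev/null
}

# make_client_cert CANAME: client key + CSR, signed by the CA called CANAME.
make_client_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/client-key.pem" \
        -out "$WORK/client.csr" -subj "/CN=client" 2>/dev/null
    openssl x509 -req -in "$WORK/client.csr" -days 1 \
        -CA "$WORK/$1-cert.pem" -CAkey "$WORK/$1-key.pem" -CAcreateserial \
        -out "$WORK/client-cert.pem" 2>/dev/null
}

# verify_against CANAME: the check from the thread; prints openssl's verdict
# ("...: OK" or "error 20 ... unable to get local issuer certificate").
verify_against() {
    openssl verify -CAfile "$WORK/$1-cert.pem" "$WORK/client-cert.pem" 2>&1 || true
}

make_ca right            # the CA that actually signed the client cert
make_ca other            # an unrelated CA, like the Equifax root in the thread
make_client_cert right

verify_against right     # expected: client-cert.pem: OK
verify_against other     # expected: unable to get local issuer certificate
```

If this check passes with the real ca-cert.pem on both hosts yet the server still logs SIG_OTHER_E, the chain itself is fine and the suspect is the yaSSL parser, which is where the earlier comment in this thread pointed.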
[27 Jun 2008 23:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".