Description:
MySQL 5.1.48 & openssl-1.0.0a compiled with Sun Studio 12 on Solaris 10. Same compilation packaged and deployed on both master and slave. Working fine; just trying to get replication over SSL set up.
SSL keys and CSRs generated on each host respectively, signed by the same CA.
CA certificate and master's signed cert (along with key, of course) on master.
CA certificate and slave's signed cert (along with key, of course) on slave.
Key is 2048-bit.
In master's my.cnf:
ssl-ca = /opt/mysql/certs/CA.crt
ssl-key = /opt/mysql/private/master.key
ssl-cert = /opt/mysql/certs/master.crt
slave's master.info:
15
mysql-bin.001425
44982801
<FQDN of master server>
REPLslavesvr
slavesvrREPL!#
3306
1
1
/opt/mysql/certs/CA.crt
/opt/mysql/certs/slave.crt
DHE-RSA-AES256-SHA
/opt/mysql/private/slave.key
0
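To see what the slave's master.info above actually configures, here is an added example (not from the bug report) that maps the 15-line MySQL 5.1 master.info layout to field names and flags the settings a defender would want to review. The sample is a constructed copy of the report's file with the empty master_ssl_capath line (line 11) restored, since the count line says 15 but only 14 lines survived above.

```python
# Added example, not part of the bug report. Layout: line 1 is the line count,
# the remaining 14 lines follow in the documented MySQL 5.1 master.info order.
FIELDS = [
    "line_count", "master_log_file", "master_log_pos", "master_host",
    "master_user", "master_password", "master_port", "master_connect_retry",
    "master_ssl", "master_ssl_ca", "master_ssl_capath", "master_ssl_cert",
    "master_ssl_cipher", "master_ssl_key", "master_ssl_verify_server_cert",
]

# Constructed sample: the report's values, with its placeholders kept and the
# empty master_ssl_capath line (line 11) restored.
SAMPLE_MASTER_INFO = """15
mysql-bin.001425
44982801
<FQDN of master server>
REPLslavesvr
slavesvrREPL!#
3306
1
1
/opt/mysql/certs/CA.crt

/opt/mysql/certs/slave.crt
DHE-RSA-AES256-SHA
/opt/mysql/private/slave.key
0
"""


def parse_master_info(text):
    """Map each line to its field name, checking the count line against the layout."""
    lines = text.split("\n")
    declared = int(lines[0])
    if declared != len(FIELDS) or len(lines) < declared:
        raise ValueError("expected %d-line master.info, got count=%d lines=%d"
                         % (len(FIELDS), declared, len(lines)))
    return dict(zip(FIELDS, lines[:declared]))


def audit_ssl(info):
    """Return findings a defender would raise about this slave's replication settings."""
    findings = []
    if info["master_ssl"] != "1":
        findings.append("replication is not using SSL")
    if not info["master_ssl_ca"]:
        findings.append("no CA certificate configured, so the master's cert cannot be chain-checked")
    if info["master_ssl_verify_server_cert"] != "1":
        findings.append("MASTER_SSL_VERIFY_SERVER_CERT=0: master certificate is not verified against the host")
    if info["master_password"]:
        findings.append("replication password is stored in cleartext; restrict master.info permissions")
    if int(info["master_connect_retry"]) < 60:
        findings.append("connect retry below the 60s default: every flap triggers rapid reconnects")
    return findings
```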
From the user table on the master:
mysql> select * from user WHERE User = 'REPLslavesvr';
+----------------------------+---------------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+
| Host | User | Password | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv | Execute_priv | Repl_slave_priv | Repl_client_priv | Create_view_priv | Show_view_priv | Create_routine_priv | Alter_routine_priv | Create_user_priv | Event_priv | Trigger_priv | ssl_type | ssl_cipher | x509_issuer | x509_subject | max_questions | max_updates | max_connections | max_user_connections |
+----------------------------+---------------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+
| % | REPLslavesvr | *19A3D0E44828F58BFFD97C331FE270BA8317B478 | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 | 0 |
| <FQDN of slave server> | REPLslavesvr | *19A3D0E44828F58BFFD97C331FE270BA8317B478 | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | Y | N | N | N | N | N | N | N | N | X509 | | | | 0 | 0 | 0 | 0 |
+----------------------------+---------------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+
2 rows in set (0.00 sec)
Slave starts and instantly goes to the following status:
+----------------------+---------------+-----------------------------------------------------------------------------------------------------------+
| Slave_IO_State | Last_IO_Errno | Last_IO_Error |
| Connecting to master | 2026 | error connecting to master 'REPLdsdclvwdb@p1clv1d1.edc.cingular.net:3306' - retry-time: 1 retries: 86400 |
+----------------------+---------------+-----------------------------------------------------------------------------------------------------------+
Eventually whatever is going on works itself out and...
+----------------------------------+---------------+---------------+
| Slave_IO_State | Last_IO_Errno | Last_IO_Error |
| Waiting for master to send event | 0 | |
+----------------------------------+---------------+---------------+
As long as the connection is there it's fine, but if it flaps it's back to error 2026.
As a side note, I can make it 2026 from the command line. When I execute
bin/mysql --ssl-ca=certs/CA.crt --ssl-cert=certs/slave.crt --ssl-key=private/slave.key -h<FQDN of master server> -uREPLslavesvr -pslavesvrREPL!#
I repeatedly get error 2026 before getting a random connection, and then it's back to 2026. I can do the same thing with other users too. I added in
--ssl-cipher=DHE-RSA-AES256-SHA
and it seems to work more often, but not consistently. I performed a 'change master' on the slave to add in the cipher and set the reconnect time to 1 second, which is why those values are in the slave's master.info.
I have seen similar complaints about this on the internet but no resolution, and couldn't find a current bug.
How to repeat:
Configure the same as noted in the description.
Suggested fix:
Fix SSL implementation