Bug #67957 Client not able to connect to server which has a ssl-cert that is SHA256
Submitted: 20 Dec 2012 22:18 Modified: 9 Jul 2019 17:15
Reporter: Knut-Sigurd Knuteson
Status: Won't fix
Category: MySQL Server: Command-line Clients   Severity: S2 (Serious)
Version: 5.5.28   OS: Linux (RHEL 6)
Assigned to: (none)   CPU Architecture: Any
Tags: certificate, SHA256, SSL, yassl

[20 Dec 2012 22:18] Knut-Sigurd Knuteson
The 5.5.28 client is unable to connect to a (yaSSL) MySQL server serving a SHA256 certificate.

This problem was first noticed in 5.5.22, at which point we upgraded to 5.5.28 in the hope that this would rectify the problem. It did not.

The problem is not present in MySQL 5.5.20.

The MySQL artifacts are from the Oracle eDelivery download site.

The server has no problem starting up with SSL enabled using the SHA256 certificate. In addition, the JDBC driver has no problems connecting. But, neither the command-line client nor replication are able to connect.

The difference between a successful connection vs. a failed connection is easily verified by first creating the certificates with the -sha256 option leading to failure, and second creating them without the option leading to success.

How to repeat:
Install the MySQL Database 5.5.28 RPM for Oracle Linux / RHEL 6 x86 (64bit) V34585-01 downloadable from https://edelivery.oracle.com

Set up certificates using openssl:

openssl genrsa 2048 > ca.key
openssl req -sha256 -new -x509 -nodes -days 1000 -passout pass:pass -key ca.key -out ca.crt -subj "/O=Some Inc/OU=DS/OU=DC/OU=SSA/CN=theCa"

openssl req -sha256 -newkey rsa:2048 -days 1000 -nodes -passout pass:pass -keyout mysql.key -out mysql.req -subj "/O=Some Inc/OU=DS/OU=DC/OU=SSA/CN=`hostname`"
openssl rsa -in mysql.key -out mysql.key
openssl x509 -sha256 -req -in mysql.req -days 1000 -CA ca.crt -CAkey ca.key -set_serial 01 -out mysql.crt

For the server set:

try to connect to the server via the client specifying:

This will fail with the error:
ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation

Suggested fix:
Based on the returned error it is surmised that the problem lies in the included version of yaSSL. This theory is reinforced by the fact that we had no issues with 5.5.20; but we did with 5.5.22, which is when the yaSSL version was updated.

Something seems to erroneously be leading to the "ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation" error.
[25 Dec 2012 16:40] Sveta Smirnova
Thank you for the report.

I cannot repeat the described behavior with certificates and keys created using the tutorial from http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html, with the modification of adding -sha256 to the commands (the file will be attached shortly):

mysql> \s
../../bin/mysql  Ver 14.14 Distrib 5.5.28, for Linux (x86_64) using  EditLine wrapper

Connection id:		1
Current database:	
Current user:		root@localhost
SSL:			Cipher in use is DHE-RSA-AES256-SHA
Current pager:		stdout
Using outfile:		''
Using delimiter:	;
Server version:		5.5.28-enterprise-commercial-advanced-log MySQL Enterprise Server - Advanced Edition (Commercial)
Protocol version:	10
Connection:		Localhost via UNIX socket
Server characterset:	latin1
Db     characterset:	latin1
Client characterset:	latin1
Conn.  characterset:	latin1
UNIX socket:		/tmp/SSgmBoUmoJ/mysqld.1.sock
Uptime:			1 min 3 sec

Threads: 1  Questions: 4  Slow queries: 0  Opens: 33  Flush tables: 1  Open tables: 26  Queries per second avg: 0.063

Please check these commands and explain why you want to use a different way to create certificates and keys.
[25 Dec 2012 16:40] Sveta Smirnova
Script to create keys/certs. Change paths!

Attachment: create_certs.sh (application/x-sh, text), 6.17 KiB.

[26 Dec 2012 18:54] Knut-Sigurd Knuteson
So I tried using the method in the script to generate the certificates. However, the command:

 openssl ca -cert $DIR/ca-cert.pem -policy policy_anything \
    -out $DIR/server-cert.pem -config $DIR/openssl.cnf \
    -batch -passin pass:password \
    -infiles $DIR/server-req.pem

creates a sha1 certificate, which I checked using:

 openssl x509 -text -in $DIR/server-cert.pem

The output shows:

        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption

If I use the commands I gave it will say "sha256WithRSAEncryption".
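The check above (inspecting "Signature Algorithm" in the openssl x509 -text output) can also be done directly on the certificate bytes. The following is an added example, not code from this thread or from MySQL/yaSSL: a minimal DER walker that reads the outer signatureAlgorithm OID of a PEM or DER certificate and reports whether a pre-5.5.40/5.6.11 yaSSL client would accept it, taking the SHA-1-only rule from the later comments in this thread as its assumption. The sample inputs are constructed DER skeletons, not real certificates.

```python
import base64
import re

# Signature OIDs that matter for this thread: SHA-1 worked, SHA-2 broke yaSSL-era clients
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
            "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
            "1.2.840.113549.1.1.13": "sha512WithRSAEncryption"}

def _tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Turn OBJECT IDENTIFIER content bytes into dotted form (base-128 arcs)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert):
    """Return (oid, name) from the outer signatureAlgorithm of a PEM or DER certificate."""
    if cert.lstrip().startswith(b"-----BEGIN"):        # PEM: strip armour, base64-decode
        cert = base64.b64decode(b"".join(re.sub(rb"-----[^-]+-----", b"", cert).split()))
    _, pos, _ = _tlv(cert, 0)                           # Certificate ::= SEQUENCE {
    _, _, pos = _tlv(cert, pos)                         #   tbsCertificate   (skip over it)
    _, pos, _ = _tlv(cert, pos)                         #   signatureAlgorithm AlgorithmIdentifier
    tag, start, end = _tlv(cert, pos)                   #     algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = _decode_oid(cert[start:end])
    return oid, SIG_OIDS.get(oid, "unknown")

def yassl_compatible(cert):
    """Assumption from this thread: yaSSL before MySQL 5.5.40 / 5.6.11 only accepts SHA-1 RSA."""
    return signature_algorithm(cert)[0] == "1.2.840.113549.1.1.5"
def to_pem(der):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der) + b"\n-----END CERTIFICATE-----\n"

# Constructed test input, not a real certificate: empty tbsCertificate, AlgorithmIdentifier
# sha256WithRSAEncryption with NULL params, and a dummy 8-byte BIT STRING signature.
SAMPLE_SHA256_DER = bytes.fromhex("301c 3000 300d 0609 2a864886f70d01010b 0500 0309 00 0000000000000000")
SAMPLE_SHA1_DER = SAMPLE_SHA256_DER.replace(b"\x01\x01\x0b", b"\x01\x01\x05")  # same, OID ...1.1.5
```

Run it against a real server-cert.pem by passing the file's bytes to signature_algorithm(); a "sha256WithRSAEncryption" result is the case that fails with the client versions discussed here.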
[26 Dec 2012 19:37] Sveta Smirnova
Thank you for the feedback.

Verified as described. Removing the -sha256 option from openssl x509 solves the problem.
[16 Jan 2013 17:15] Dossy Shiobara
I'm experiencing the same symptoms, but with a 2048-bit sha1WithRSAEncryption certificate issued by GoDaddy.

Server is 5.5.27 on Linux (x86_64), client is 5.5.29 for Win32 (x86).

I get this error:

> ERROR 2026 (HY000): SSL connection error: unknown error number

The certificate and CA certificate verifies correctly:

# openssl verify -CAfile /etc/pki/tls/certs/gd_bundle.crt -purpose sslserver /etc/pki/tls/certs/REDACTED.crt 
/etc/pki/tls/certs/REDACTED.crt: OK

The error message is less than helpful in troubleshooting why it's failing.
[17 Jun 2013 13:49] MySQL Verification Team
Bug #69402 marked as duplicate of this one
[11 Apr 2014 19:59] Jsaon Klein
We are replacing all of our certificates on servers that were exposed to SSL Heartbleed.  Our original certificates were previously signed by Comodo with SHA-1.  Our new (reissued) certificates are signed by Comodo with SHA-256.

When we installed the new SSL certificates on our servers, the 5.5.35 clients are suddenly unable to connect to the (yaSSL) MySQL servers serving these new SHA256 certificates.

We are receiving the following error messages:

# mysql client
ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation

# mysqladmin
error: 'SSL connection error: protocol version mismatch'
[16 Apr 2014 15:58] Bram Matthys
Same here. I can't use our 'real' certificate because it uses a SHA256 hash. Now I have to generate my own (snakeoil) cert.. that's just a pity, really.

This is on 5.5.35
[29 Apr 2014 12:53] Brodey Dover
I'm experiencing this issue on 5.5.37 (ubuntu) with steps that are in production right now.

This should work and yet:
root@ubuntu:/etc/mysql/ssl# mysql -uroot -ptr1m@r@ --ssl-ca=ca-cert.pem --ssl-key=master1-key.pem --ssl-cert=master1-cert.pem 
ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation

This output would indicate, all is well:
root@ubuntu:/etc/mysql/ssl# openssl verify -CAfile ca-cert.pem master1-cert.pem master2-cert.pem 
master1-cert.pem: OK
master2-cert.pem: OK
[7 May 2014 10:01] Nigel Kukard
Same problem here using GoDaddy, Comodo and StartCom SSL certificates with RSA256.

What a pity.
[7 May 2014 10:41] Nigel Kukard
It seems the error "ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation" is also generated when you try to use a plain .crt certificate.

I solved the issue by adding the CA's chain certificate to the end of the crt and pointing ssl-ca to the system ca-certificates.crt file.

Works now with both sha1 and sha2 certificates.

Here is an outline of the steps:
cat mydomain.example.net.crt ca-chain-cert.crt > mydomain.example.net.pem

Here is my config...
[9 Mar 2016 23:53] MySQL Verification Team
The issue is that YaSSL does not support SHA2 until versions 5.5.40, 5.6.11 and higher. Please upgrade to these versions and try again.
[9 Jul 2019 17:12] Paul DuBois
Posted by developer:
This is a yaSSL issue. yaSSL support is removed as of MySQL 5.6.46/5.7.28, so this bug is being closed with no action taken.