Description:
Received the error message in the synopsis after following the instructions in the documentation for generating and configuring MySQL SSL keys.
Interesting behavior: If the client specifies a key and cert in addition to CA cert, the connection fails with the error message. If the client only specifies a CA cert, the connection goes through.
Things I've verified and checked:
* Client and server can read their keyfiles and are not being restricted by Apparmor or similar (on both systems, Apparmor was disabled outright, and the key files chmodded 777)
* Tried generating the keys with a different version of OpenSSL on an older system (OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008)
* Client and server are on the same network segment and are not firewalled or communication impaired in any way. However, testing reveals the error to happen even on the same host.
* Tried using the OpenSSL client itself to initiate a connection and received:
$ openssl s_client -connect localhost:3306 -cert client-cert.pem -key client-key.pem -CAfile ca-cert.pem
CONNECTED(00000003)
140345601021600:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:749:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 226 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
How to repeat:
Bring up two fresh Ubuntu 12.04 systems and apt-get upgrade to latest packages. Hostnames and configuration are irrelevant. Install MySQL from Ubuntu apt repos (apt-get install mysql mysql-client).
You should end up with OpenSSL v1.0.1 (14 Mar 2012) and MySQL 5.5.29.
Follow the guide here: http://dev.mysql.com/doc/refman/5.0/en/creating-ssl-certs.html, to generate and sign a CA cert, a server cert, and a client cert.
Edit my.cnf, uncommenting and pointing to the location of the files.
Ensure the generated files are readable to the MySQL process by either placing the keys in a location known to AppArmor or disabling AppArmor outright. (apt-get purge apparmor && reboot)
Start up the MySQL server instance, watching /var/log/mysql.err for any indication of SSL connection issues.
Connect to the server with the command line client *without* passing any SSL variables to it to ensure that the configuration is valid.
$ mysql -h localhost -u root -p localhost
> show variables like "%ssl%";
+---------------+--------------------------------------+
| Variable_name | Value                                |
+---------------+--------------------------------------+
| have_openssl  | YES                                  |
| have_ssl      | YES                                  |
| ssl_ca        | /var/lib/mysql/certs/cacert.pem      |
| ssl_capath    |                                      |
| ssl_cert      | /var/lib/mysql/certs/server-cert.pem |
| ssl_cipher    |                                      |
| ssl_key       | /var/lib/mysql/certs/server-key.pem  |
+---------------+--------------------------------------+
Create a root user with any password.
Next, attempt to connect securely, but only pass a CA cert on the command line:
$ mysql -h localhost -u root -p --ssl-ca=/var/lib/mysql/certs/cacert.pem
This should also succeed. Status should show a cipher in use:
mysql> \s
--------------
mysql Ver 14.14 Distrib 5.5.29, for debian-linux-gnu (x86_64) using readline 6.2
Connection id: 53
Current database:
Current user: root@localhost
SSL: Cipher in use is DHE-RSA-AES256-SHA
--
Finally, attempt to connect specifying the client key, client cert, and CA cert. This will fail.
$ mysql -h localhost --ssl-ca=/var/lib/mysql/certs/ca-cert.pem \
    --ssl-cert=/var/lib/mysql/certs/client-cert.pem \
    --ssl-key=/var/lib/mysql/certs/client-key.pem -u root -p
ERROR 2026 (HY000): SSL connection error: protocol version mismatch
Suggested fix:
Unknown.
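The openssl s_client output in the report ("unknown protocol" after reading 7 bytes) is what any plain TLS client gets from a MySQL port, whatever certificates it is given: the server speaks its own protocol first, sending a plaintext greeting, and TLS only starts after the client answers with an SSLRequest packet. The script below is an added example written for this page, not the reporter's code and not part of MySQL; it performs that in-band upgrade the way the mysql client does and reports the negotiated cipher, so the client-certificate case can be exercised outside the mysql binary. The host, port and certificate paths are parameters (the defaults are the paths from the report), the greeting builder produces constructed sample data for offline testing, and the probe assumes a reachable server.

```python
#!/usr/bin/env python3
"""Probe a MySQL server's TLS support the way a MySQL client does.

Example code added for this page; neither the bug reporter's script nor part
of MySQL. The server sends a plaintext HandshakeV10 greeting, the client replies
with an SSLRequest packet, and only then does the TLS handshake run on the same
socket, which is why `openssl s_client` alone reports "unknown protocol".
"""
import socket
import ssl
import struct
import sys

# Capability flag bits from the MySQL client/server protocol.
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800
CLIENT_SECURE_CONNECTION = 0x00008000
MAX_PACKET = 16 * 1024 * 1024
CHARSET_UTF8_GENERAL_CI = 33

def recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer hangs up first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf

def read_packet(sock):
    """One MySQL packet: 3-byte little-endian length, 1-byte sequence id, payload."""
    header = recv_exact(sock, 4)
    length = header[0] | (header[1] << 8) | (header[2] << 16)
    return header[3], recv_exact(sock, length)

def parse_greeting(payload):
    """Extract version and capability flags from a HandshakeV10 greeting."""
    if payload[0] != 10:
        raise ValueError("unexpected protocol version %d" % payload[0])
    end = payload.index(b"\x00", 1)                 # version string is NUL-terminated
    version = payload[1:end].decode()
    pos = end + 1 + 4 + 8 + 1                       # skip connection id, auth data, filler
    cap_low = struct.unpack_from("<H", payload, pos)[0]
    cap_high = struct.unpack_from("<H", payload, pos + 5)[0]  # after charset(1)+status(2)
    caps = cap_low | (cap_high << 16)
    return {"version": version, "capabilities": caps, "ssl": bool(caps & CLIENT_SSL)}

def build_ssl_request(seq=1):
    """Protocol::SSLRequest: caps(4) max_packet(4) charset(1) + 23 reserved bytes."""
    caps = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_SSL
    payload = struct.pack("<IIB23x", caps, MAX_PACKET, CHARSET_UTF8_GENERAL_CI)
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload

def make_greeting(cap_low, version="5.5.29-0ubuntu0.12.04.1", cap_high=0):
    """Constructed sample greeting for offline testing (not captured from a server)."""
    return (b"\x0a" + version.encode() + b"\x00"
            + struct.pack("<I", 53)                 # connection id
            + b"12345678" + b"\x00"                 # auth-plugin-data part 1, filler
            + struct.pack("<H", cap_low)
            + bytes([8])                            # character set
            + struct.pack("<H", 2)                  # status flags
            + struct.pack("<H", cap_high)
            + b"\x00" + b"\x00" * 10                # auth data length, reserved
            + b"901234567890" + b"\x00")            # auth-plugin-data part 2

def tls_probe(host, port, ca, cert=None, key=None, timeout=5.0):
    """Connect, read the greeting, send SSLRequest, run TLS; return (version, cipher).

    Assumes a reachable server. With a client cert and key the server can demand
    and verify them exactly as it would for `mysql --ssl-cert --ssl-key`.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                      # MySQL certs rarely name the host
    ctx.verify_mode = ssl.CERT_REQUIRED             # but the chain must reach our CA
    ctx.load_verify_locations(cafile=ca)
    if cert:
        ctx.load_cert_chain(certfile=cert, keyfile=key)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        seq, greeting = read_packet(raw)
        info = parse_greeting(greeting)
        if not info["ssl"]:
            raise RuntimeError("%s does not advertise CLIENT_SSL" % info["version"])
        raw.sendall(build_ssl_request(seq + 1))
        tls = ctx.wrap_socket(raw)                  # the TLS handshake happens here
        try:
            cipher = tls.cipher()[0]
        finally:
            tls.close()                             # no login attempted; server logs an abort
    return info["version"], cipher

if __name__ == "__main__":
    # Usage: tls_probe.py HOST CA [CLIENT_CERT CLIENT_KEY]; default paths are from the report.
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    ca = sys.argv[2] if len(sys.argv) > 2 else "/var/lib/mysql/certs/cacert.pem"
    cert, key = (sys.argv[3], sys.argv[4]) if len(sys.argv) > 4 else (None, None)
    print("server %s, TLS cipher %s" % tls_probe(host, 3306, ca, cert, key))
```

Run it once with only the CA and once with the client cert and key as well; if the second run fails inside wrap_socket while the first succeeds, the problem is in how the server treats the presented client certificate rather than in the in-band upgrade. A server as old as the one in the report may only offer TLS 1.0 and ciphers that a current client rejects by default; if the handshake fails on version or cipher selection, ctx.minimum_version and ctx.set_ciphers are the client-side knobs, which is a separate policy question from the error the report describes.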