Bug #75310 Error message for SSL validation failure is not shown for replication
Submitted: 25 Dec 2014 10:59 Modified: 25 Apr 2018 15:14
Reporter: Daniël van Eeden (OCA)
Status: Not a Bug
Category:MySQL Server: Replication Severity:S3 (Non-critical)
Version:5.6.22 OS:Any
Assigned to: MySQL Verification Team CPU Architecture:Any
Tags: 2026, replication, slave, SSL, tls, usability, Validation

[25 Dec 2014 10:59] Daniël van Eeden
Description:
http://dev.mysql.com/doc/refman/5.6/en/error-messages-client.html#error_cr_ssl_connection_...

Error: 2026 (CR_SSL_CONNECTION_ERROR)
Message: SSL connection error: %s 

When the mysql client is used this error is shown as expected:
ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure

When a slave is used:
2014-12-25 11:32:55 377 [ERROR] Slave I/O: error connecting to master 'repl@127.0.0.1:5622' - retry-time: 60  retries: 1, Error_code: 2026

For the slave only the error code survives. When you try to use perror to get more info this fails:
$ perror 2026
Illegal error code: 2026

If perror would return something like 'Error codes 2xxx are client error codes and are not covered by perror' this would be more helpful.

Having only the error code makes troubleshooting more complicated than needed.

The full error message is also not that helpful but narrows it down a bit more.

How to repeat:
On the master the repl user is created:
CREATE USER 'repl'@'127.0.0.1' IDENTIFIED BY 'repl';
GRANT REPLICATION SLAVE ON *.* TO 'repl'@'127.0.0.1' REQUIRE SSL;

This is shown for the MySQL client:
mysql -h 127.0.0.1 -P 5622 -u repl -prepl --ssl-ca=CAcert.pem --ssl-key=client-key.pem --ssl-cert=client-cert.pem --ssl-verify-server-cert
Warning: Using a password on the command line interface can be insecure.
ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure

And for replication:
STOP SLAVE;
CHANGE MASTER TO MASTER_HOST='127.0.0.1',MASTER_PORT=5622,
MASTER_USER='repl',MASTER_PASSWORD='repl',
MASTER_SSL_VERIFY_SERVER_CERT=1,MASTER_SSL=1,
MASTER_SSL_CA='CAcert.pem',
MASTER_SSL_KEY='client-key.pem',
MASTER_SSL_CERT='client-cert.pem', 
MASTER_LOG_FILE='mysql-bin.000001',MASTER_LOG_POS=120;
START SLAVE;
DO SLEEP(1);
SHOW SLAVE STATUS\G

This is shown in SHOW SLAVE STATUS\G
Last_IO_Errno: 2026
Last_IO_Error: error connecting to master 'repl@127.0.0.1:5622' - retry-time: 60  retries: 13

This is shown in the error log for the slave:
2014-12-25 11:32:55 377 [ERROR] Slave I/O: error connecting to master 'repl@127.0.0.1:5622' - retry-time: 60  retries: 1, Error_code: 2026
2014-12-25 11:33:55 377 [ERROR] Slave I/O: error connecting to master 'repl@127.0.0.1:5622' - retry-time: 60  retries: 2, Error_code: 2026

Suggested fix:
1. Show the error message, not only the error code.
2. Make perror return a more useful result and/or more useful error.
3. Add more details to the error message:

SSL connection error: SSL certificate validation failure (CN="notmyserver.example.com", expected="myserver.example.com")
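Until the slave reports the message text, the numeric code in the error log is all there is to work from. The following is an added example (not part of this bug report or of MySQL) that parses the Slave I/O lines quoted above and maps the code to its client-library symbol; the error table is a partial one I constructed from codes I know, with 2026 taken from the report.

```python
import re

# Constructed sample: the two error-log lines quoted in the report plus one Note line.
SAMPLE_LOG = """\
2014-12-25 11:32:55 377 [ERROR] Slave I/O: error connecting to master 'repl@127.0.0.1:5622' - retry-time: 60  retries: 1, Error_code: 2026
2014-12-25 11:33:55 377 [ERROR] Slave I/O: error connecting to master 'repl@127.0.0.1:5622' - retry-time: 60  retries: 2, Error_code: 2026
2014-12-25 11:34:55 377 [Note] Slave I/O thread: connected to master 'repl@127.0.0.1:5622', replication started
"""

# Partial, hand-built table of client-library (2xxx) codes; perror on the
# reporter's version rejects this range, so the lookup has to live locally.
CLIENT_ERRORS = {
    2002: ("CR_CONNECTION_ERROR", "Can't connect to local MySQL server through socket"),
    2003: ("CR_CONN_HOST_ERROR", "Can't connect to MySQL server on host"),
    2005: ("CR_UNKNOWN_HOST", "Unknown MySQL server host"),
    2013: ("CR_SERVER_LOST", "Lost connection to MySQL server during query"),
    2026: ("CR_SSL_CONNECTION_ERROR", "SSL connection error (e.g. certificate validation failure)"),
}

# Matches the 5.6 error-log format shown in the report (note the double space before 'retries').
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \d+ \[ERROR\] Slave I/O: error connecting to master "
    r"'(?P<user>[^@']+)@(?P<host>[^:']+):(?P<port>\d+)'"
    r" - retry-time: (?P<retry>\d+)\s+retries: (?P<retries>\d+), Error_code: (?P<code>\d+)$"
)

def explain_code(code):
    """Return (symbol, description) for a Slave I/O error code."""
    if code in CLIENT_ERRORS:
        return CLIENT_ERRORS[code]
    if 2000 <= code <= 2999:
        return ("CR_UNKNOWN", "client-library error not in the local table")
    return ("ER_UNKNOWN", "server-side error; perror %d should decode it" % code)

def parse_slave_io_errors(log_text):
    """Extract connection failures from slave error-log text, annotated with the error symbol."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # Notes, SQL-thread lines and unrelated errors are skipped
        code = int(m.group("code"))
        symbol, description = explain_code(code)
        events.append({
            "ts": m.group("ts"),
            "master": "%s@%s:%s" % (m.group("user"), m.group("host"), m.group("port")),
            "retries": int(m.group("retries")),
            "code": code, "symbol": symbol, "description": description,
        })
    return events

if __name__ == "__main__":
    for ev in parse_slave_io_errors(SAMPLE_LOG):
        print("%(ts)s %(master)s retries=%(retries)d %(code)d %(symbol)s: %(description)s" % ev)
```

A rising `retries` count with the same code on consecutive lines indicates a persistent TLS failure on the replication channel rather than a transient network error.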
[10 Dec 2017 10:07] Daniël van Eeden
Any reason this bug is not verified?
[25 Apr 2018 15:14] MySQL Verification Team
Hi,

It's not verified as it's not really a bug.

I agree there's not enough data to explain what the issue really is but we are limited here with size, format and number of messages.

behaves more or less the same way in 8.0 too

...
Master_SSL_Verify_Server_Cert: No
                Last_IO_Errno: 1045
                Last_IO_Error: error connecting to master 'rsandbox@127.0.0.1:21219' - retry-time: 60  retries: 1
               Last_SQL_Errno: 0
               Last_SQL_Error:
...

You have more info about the error in the error log; I believe that's enough.

all best
Bogdan