Bug #75311 Error for SSL cipher is unhelpful
Submitted: 25 Dec 2014 13:34    Modified: 8 Feb 2017 9:48
Reporter: Daniël van Eeden (OCA)
Status: Verified
Category: MySQL Server: Command-line Clients    Severity: S3 (Non-critical)
Version: 5.6.22, 5.6.23, 5.7.17, 8.0.0    OS: Any
Assigned to:    CPU Architecture: Any
Tags: Cipher, openssl, SSL, tls, usability, yassl

[25 Dec 2014 13:34] Daniël van Eeden
Description:
When the server and client cipher suites don't match, this error is returned:

OpenSSL:
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)

This is not helpful in diagnosing the error. Also nothing is logged to the error log.

YaSSL:
ERROR 2026 (HY000): SSL connection error: protocol version mismatch

This is not helpful: it's not a protocol mismatch, it's a cipher suite mismatch.

How to repeat:
With 5.6.22 with OpenSSL:
$ mysql -e "SHOW STATUS LIKE 'Ssl%cipher%'\G" --ssl-cipher='AES256-SHA256'
*************************** 1. row ***************************
Variable_name: Ssl_cipher
        Value: AES256-SHA256
*************************** 2. row ***************************
Variable_name: Ssl_cipher_list
        Value: DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA

$ mysql -e "SHOW STATUS LIKE 'Ssl%cipher%'\G" --ssl-cipher='AES128-SHA256'
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)

$ ./my sql -e "SHOW STATUS LIKE 'Ssl%cipher%'\G" --ssl-cipher='AES129-SHA256'
ERROR 2026 (HY000): SSL connection error: Failed to set ciphers to use

With 5.6.19 with YaSSL:
$ mysql -e "SHOW STATUS LIKE 'Ssl%cipher%'" --ssl-cipher=AES256-RMD
+-----------------+------------------------------------------------------------------------+
| Variable_name   | Value                                                                  |
+-----------------+------------------------------------------------------------------------+
| Ssl_cipher      | AES256-RMD                                                             |
| Ssl_cipher_list | DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:AES128-SHA:AES256-RMD |
+-----------------+------------------------------------------------------------------------+
$ mysql -e "SHOW STATUS LIKE 'Ssl%cipher%'" --ssl-cipher=RC4-MD5
ERROR 2026 (HY000): SSL connection error: protocol version mismatch

Suggested fix:
Replace the error with:
ERROR 2026 (HY000): SSL cipher suite mismatch

Or even better:
ERROR 2026 (HY000): SSL cipher suite mismatch (AES128-SHA256 is not allowed by the server)

And when an invalid cipher is selected on the client:
ERROR 2026 (HY000): SSL connection error: Failed to set ciphers to use (AES129-SHA256 is not a known cipher)
[26 Dec 2014 9:30] Umesh Shastry
Hello Daniël,

Thank you for the report.

Thanks,
Umesh
[1 Jan 2015 14:47] Daniël van Eeden
It looks like the same client side error is generated when the server has a revoked certificate:

SERIAL CERT
0x1    CA
0x2    Server
0x3    Client

$ certtool --crl-info --infile ssl/CAcrl2.pem | grep -A1 'Revoked certificates'
	Revoked certificates (1):
		Serial Number (hex): 02
$ certtool --certificate-info --infile ssl/server-cert.pem | grep 'Serial Number'
	Serial Number (hex): 02
$ ./my sql --ssl-crl=ssl/CAcrl2.pem
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
[7 Feb 2017 14:21] Laurynas Biveinis
Bug 75311 patch for 5.6

(*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

Contribution: bug75311-5.6.patch (application/octet-stream, text), 2.66 KiB.

[7 Feb 2017 14:21] Laurynas Biveinis
Bug 75311 patch for 5.7

(*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

Contribution: bug75311-5.7.patch (application/octet-stream, text), 2.68 KiB.

[7 Feb 2017 14:22] Laurynas Biveinis
Bug 75311 patch for 8.0.0

(*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

Contribution: bug75311-8.0.0.patch (application/octet-stream, text), 2.69 KiB.

[7 Feb 2017 14:24] Laurynas Biveinis
Uploaded patches ensure that ERR_error_string and ERR_error_string_n are never called with SSL_get_error (whose errors have no relation to ERR_error_string) but with the result of ERR_get_error. This fixes the immediate issue. The patch however only gets one error from the SSL error stack, and ideally the whole SSL error stack should be iterated.
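The API misuse described in the comment above, shown as an added example that is not part of this bug report, the contributed patches, or MySQL's own code. It drives the system libssl/libcrypto through Python's ctypes so the exact OpenSSL calls are visible: first the pre-patch mistake of handing SSL_get_error()'s enum (SSL_ERROR_SSL == 1) to ERR_error_string_n(), which produces the "error:00000001:lib(0):func(0):reason(1)" string from the report, then the correct pattern of draining the whole ERR_get_error() queue, using the cipher strings from the report (AES256-SHA256 is accepted, AES129-SHA256 queues "no cipher match"). It assumes an OpenSSL 1.0.x or later that ctypes.util.find_library() can locate; the function names unhelpful_message, drain_error_queue, reason_code and set_cipher_list are this example's own.

```python
"""Why 'error:00000001:lib(0):func(0):reason(1)' is meaningless, and how to report
OpenSSL failures properly.  Added example: drives the system libssl/libcrypto via
ctypes.  Assumes ctypes.util.find_library() can locate OpenSSL 1.0.x or later."""
import ctypes
import ctypes.util

# SSL_get_error() returns a small enum saying *where* an I/O call failed, not a
# packed error code.  SSL_ERROR_SSL (== 1) means "consult the error queue".
# Formatting that 1 with ERR_error_string() is exactly the pre-patch bug.
SSL_ERROR_SSL = 1
SSL_R_NO_CIPHER_MATCH = 185     # reason code queued by SSL_CTX_set_cipher_list()


def _load(name):
    path = ctypes.util.find_library(name)
    if path is None:
        raise OSError("lib%s not found" % name)
    return ctypes.CDLL(path)


libcrypto = _load("crypto")     # ERR_* live here
libssl = _load("ssl")           # SSL_CTX_* live here

libcrypto.ERR_get_error.restype = ctypes.c_ulong
libcrypto.ERR_error_string_n.argtypes = [ctypes.c_ulong, ctypes.c_char_p, ctypes.c_size_t]
libcrypto.ERR_error_string_n.restype = None
libcrypto.ERR_clear_error.restype = None
libssl.SSL_CTX_new.argtypes = [ctypes.c_void_p]
libssl.SSL_CTX_new.restype = ctypes.c_void_p
libssl.SSL_CTX_set_cipher_list.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
libssl.SSL_CTX_set_cipher_list.restype = ctypes.c_int
libssl.SSL_CTX_free.argtypes = [ctypes.c_void_p]
libssl.SSL_CTX_free.restype = None

# OpenSSL 1.0.x needs explicit init and string tables; 1.1+/3.x do this
# automatically and no longer export these names as functions.
for _lib, _fn in ((libssl, "SSL_library_init"), (libssl, "SSL_load_error_strings"),
                  (libcrypto, "ERR_load_crypto_strings")):
    if hasattr(_lib, _fn):
        getattr(_lib, _fn)()


def _error_string(code):
    buf = ctypes.create_string_buffer(256)
    libcrypto.ERR_error_string_n(code, buf, len(buf))
    return buf.value.decode("ascii", "replace")


def unhelpful_message(ssl_get_error_rc):
    """The pre-patch client's output: ERR_error_string() fed SSL_get_error()'s enum.
    For SSL_ERROR_SSL this yields 'error:00000001:lib(0):...:reason(1)'."""
    return _error_string(ssl_get_error_rc)


def drain_error_queue():
    """Pop every entry off the thread's OpenSSL error queue, oldest first, as
    (packed_code, human_readable) pairs.  Taking only the first entry, as the
    first contributed patch did, drops the rest of the chain."""
    entries = []
    while True:
        code = libcrypto.ERR_get_error()
        if code == 0:
            break
        entries.append((code, _error_string(code)))
    return entries


def reason_code(packed):
    """ERR_GET_REASON() is a macro; the low 12 bits hold the reason in 1.0/1.1/3.x."""
    return packed & 0xFFF


def set_cipher_list(cipher_string):
    """Apply a cipher string to a fresh SSL_CTX.  Returns (ok, queued_errors):
    ok=False plus the full error chain is what a useful client error needs."""
    method = libssl.TLS_method if hasattr(libssl, "TLS_method") else libssl.SSLv23_method
    method.restype = ctypes.c_void_p
    ctx = libssl.SSL_CTX_new(method())
    if not ctx:
        raise RuntimeError("SSL_CTX_new failed: %r" % drain_error_queue())
    libcrypto.ERR_clear_error()            # start from an empty queue
    ok = libssl.SSL_CTX_set_cipher_list(ctx, cipher_string.encode()) == 1
    errors = drain_error_queue()
    libssl.SSL_CTX_free(ctx)
    return ok, errors


if __name__ == "__main__":
    print("buggy:", unhelpful_message(SSL_ERROR_SSL))
    for cs in ("AES256-SHA256", "AES129-SHA256"):     # cipher strings from the report
        ok, errors = set_cipher_list(cs)
        print("%-14s ok=%s" % (cs, ok))
        for code, text in errors:
            print("    %s  (reason %d)" % (text, reason_code(code)))
```

The exact text after the packed code differs by OpenSSL release (1.1.x prints a func() field, 3.x leaves it empty), which is why a client should report the reason string and the whole queue rather than a single formatted value; a handshake failure such as the cipher mismatch or revoked certificate in this report leaves the explanation only in that queue.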
[8 Feb 2017 9:48] Daniël van Eeden
Added 5.7 and 8.0 to the list of versions.

Thanks for the patch!
[14 Apr 2017 9:38] Laurynas Biveinis
Bug 75311 fix for 8.0.1

Attachment: bug75311-8.0.1.patch (application/octet-stream, text), 2.67 KiB.

[19 Jun 2017 3:16] Laurynas Biveinis
Bug 75311 fix for 5.7, X plugin testsuite

Attachment: bug75311-2-5.7.patch (application/octet-stream, text), 3.42 KiB.

[19 Jun 2017 3:17] Laurynas Biveinis
Bug 75311 fix for 8.0.1, X plugin testsuite

Attachment: bug75311-2-8.0.1.patch (application/octet-stream, text), 4.01 KiB.

[19 Jun 2017 3:18] Laurynas Biveinis
The previously contributed fixes missed an update for the x.connection_tls_version testcase; uploaded its diff.
[4 Aug 2017 19:42] Laurynas Biveinis
Bug 75311 fix for 8.0.2

Attachment: bug75311-8.0.2.patch (application/octet-stream, text), 6.33 KiB.

[2 Feb 2018 5:21] Laurynas Biveinis
Bug 75311 fix for 8.0.4

Attachment: bug75311-8.0.4.patch (application/octet-stream, text), 7.25 KiB.

[2 Feb 2018 5:21] Laurynas Biveinis
The 8.0.4 patch has been refreshed to take OpenSSL 1.1 changes in the testsuite into account.
[13 Jun 2018 12:20] Laurynas Biveinis
Bug 75311 fix for 8.0.11

Attachment: bug75311-8.0.11.patch (application/octet-stream, text), 7.58 KiB.

[13 Jun 2018 12:21] Laurynas Biveinis
The contributed fix has been updated for 8.0.11. WolfSSL compatibility is not ensured due to bug 91010.
[23 Oct 2018 13:44] Laurynas Biveinis
Duplicate bug 90418, fixed in 8.0.13?