Description:
When the server and client cipher suites don't match this error is returned:

OpenSSL:
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)

This is not helpful in diagnosing the error. Also nothing is logged to the error log.

YaSSL:
ERROR 2026 (HY000): SSL connection error: protocol version mismatch

This is not helpful, it's not a protocol mismatch, it's a cipher suite mismatch.

How to repeat:
With 5.6.22 with OpenSSL:
$ mysql -e "SHOW STATUS LIKE 'Ssl%cipher%'\G" --ssl-cipher='AES256-SHA256'
*************************** 1. row ***************************
Variable_name: Ssl_cipher
        Value: AES256-SHA256
*************************** 2. row ***************************
Variable_name: Ssl_cipher_list
        Value: DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA

$ mysql -e "SHOW STATUS LIKE 'Ssl%cipher%'\G" --ssl-cipher='AES128-SHA256'
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)

$ ./my sql -e "SHOW STATUS LIKE 'Ssl%cipher%'\G" --ssl-cipher='AES129-SHA256'
ERROR 2026 (HY000): SSL connection error: Failed to set ciphers to use

With 5.6.19 with YaSSL:
$ mysql -e "SHOW STATUS LIKE 'Ssl%cipher%'" --ssl-cipher=AES256-RMD
+-----------------+------------------------------------------------------------------------+
| Variable_name   | Value                                                                  |
+-----------------+------------------------------------------------------------------------+
| Ssl_cipher      | AES256-RMD                                                             |
| Ssl_cipher_list | DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:AES128-SHA:AES256-RMD |
+-----------------+------------------------------------------------------------------------+
$ mysql -e "SHOW STATUS LIKE 'Ssl%cipher%'" --ssl-cipher=RC4-MD5
ERROR 2026 (HY000): SSL connection error: protocol version mismatch

Suggested fix:
Replace the error with:
ERROR 2026 (HY000): SSL cipher suite mismatch

Or even better:
ERROR 2026 (HY000): SSL cipher suite mismatch (AES128-SHA256 is not allowed by the server)

And when a invalid cipher is selected on the client:
ERROR 2026 (HY000): SSL connection error: Failed to set ciphers to use (AES129-SHA256 is not a known cipher)

Hello Daniël,

Thank you for the report.

Thanks,
Umesh

It looks like the same client side error is generated when the server has a revoked certificate:

SERIAL CERT
0x1    CA
0x2    Server
0x3    Client

$ certtool --crl-info --infile ssl/CAcrl2.pem | grep -A1 'Revoked certificates'
	Revoked certificates (1):
		Serial Number (hex): 02
$ certtool --certificate-info --infile ssl/server-cert.pem | grep 'Serial Number'
	Serial Number (hex): 02
$ ./my sql --ssl-crl=ssl/CAcrl2.pem
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)

Bug 75311 patch for 5.6

(*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

Contribution: bug75311-5.6.patch (application/octet-stream, text), 2.66 KiB.

Bug 75311 patch for 5.7

(*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

Contribution: bug75311-5.7.patch (application/octet-stream, text), 2.68 KiB.

Bug 75311 patch for 8.0.0

(*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

Contribution: bug75311-8.0.0.patch (application/octet-stream, text), 2.69 KiB.

Uploaded patches ensure that ERR_error_string and ERR_error_string_n are never called with SSL_get_error (whose errors have no relation to ERR_error_string) but with the result of ERR_get_error. This fixes the immediate issue. The patch however only gets one error from the SSL error stack, and ideally the whole SSL error stack should be iterated.

Added 5.7 and 8.0 to the list of versions.

Thanks for the patch!

Bug 75311 fix for 8.0.1

Attachment: bug75311-8.0.1.patch (application/octet-stream, text), 2.67 KiB.

Bug 75311 fix for 5.7, X plugin testsuite

Attachment: bug75311-2-5.7.patch (application/octet-stream, text), 3.42 KiB.

Bug 75311 fix for 8.0.1, X plugin testsuite

Attachment: bug75311-2-8.0.1.patch (application/octet-stream, text), 4.01 KiB.

The previously contributed fixes missed an update for x.connection_tls_version testcase, uploaded its diff.

Bug 75311 fix for 8.0.2

Attachment: bug75311-8.0.2.patch (application/octet-stream, text), 6.33 KiB.

Bug 75311 fix for 8.0.4

Attachment: bug75311-8.0.4.patch (application/octet-stream, text), 7.25 KiB.

8.0.4 patch has been refreshed to take OpenSSL 1.1 changes in the testsuite into account

Bug 75311 fix for 8.0.11

Attachment: bug75311-8.0.11.patch (application/octet-stream, text), 7.58 KiB.

The contributed fix has been updated for 8.0.11. WolfSSL compatibility is not ensured due to bug 91010.

Duplicate bug 90418, fixed in 8.0.13?

Posted by developer:
 
Duplicate of 27855668. And the wolf/yassl part removed by WL#13289/WL#13290.

"Duplicate of 27855668"

What is 27855668 / any pointer?

> What is 27855668 / any pointer?

https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-13.html has this:
"The MySQL client library now returns better error messages for OpenSSL errors. Thanks to Facebook for the patch. (Bug #27855668, Bug #90418)"

The longer number is an Oracle bug number. Some Oracle bugs are visible to Oracle customers via My Oracle Support, some are only visible internally within Oracle.