Bug #79080 YaSSL does not handle SSL/TLS alerts, resulting in "unknown error number"
Submitted: 2 Nov 2015 20:17
Modified: 9 Jul 2019 17:37
Reporter: Jeremy Cole (Basic Quality Contributor) (OCA)
Status: Won't fix
Impact on me: None
Category: MySQL Server: Security: Encryption
Severity: S3 (Non-critical)
Version: 5.6
OS: Any
Assigned to:
CPU Architecture: Any
Tags: SSL, yassl

[2 Nov 2015 20:17] Jeremy Cole
Description:
The YaSSL function yaSSL::SetErrorString is supposed to translate error numbers into readable text, but it does not correctly support SSL/TLS alerts (RFC 5246 §7.2.2 Error Alerts) which are defined in yaSSL::AlertDescription (in extra/yassl/include/yassl_types.hpp) and mentioned in yaSSL::YasslError (in extra/yassl/include/yassl_error.hpp) as:

    // 10 - 47 from AlertDescription, 0 also close_notify

What this ends up meaning is that if a valid TLS alert is received from the peer, instead of a useful message, the user will end up with e.g.:

ERROR 2026 (HY000): SSL connection error: unknown error number

How to repeat:
N/A

Suggested fix:
The solution is to patch support for the yaSSL::AlertDescription values into yaSSL::SetErrorString e.g.:

+    case bad_record_mac:
+        strncpy(buffer, "TLS: Received bad_record_mac alert from peer (fatal)", max);
+        break;
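Review bot: this hunk covers only bad_record_mac, while the AlertDescription comment quoted above lists 0 and 10-47; every value in that range needs its own case so that a valid alert can never fall through to the default "unknown error number" branch. Separately, strncpy(buffer, ..., max) leaves buffer unterminated whenever the literal is max bytes or longer; the 52-character literal here is short, but the patch should either guarantee a trailing NUL or keep every added literal below max.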

So that the user can receive a more useful error message:

ERROR 2026 (HY000): SSL connection error: TLS: Received bad_record_mac alert from peer (fatal)

This makes it much more reasonable to attempt to diagnose and fix the actual problem.
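A decoder for received TLS alert records, added here as an illustration and not part of yaSSL or the attached patch; describeAlert and alertName are hypothetical names, and it uses snprintf rather than strncpy so the output buffer is always NUL-terminated:

```cpp
// Added example, not yaSSL's own code: decode a raw TLS alert record into
// the kind of message the bug report asks SetErrorString to produce.
#include <cstdio>
#include <cstring>
#include <cstddef>

// Alert descriptions from RFC 5246 section 7.2.2 that fall in the range
// yaSSL's comment names (0 and 10-47); unknown values get a numeric fallback.
static const char* alertName(unsigned char d) {
    switch (d) {
    case 0:  return "close_notify";
    case 10: return "unexpected_message";
    case 20: return "bad_record_mac";
    case 21: return "decryption_failed";
    case 22: return "record_overflow";
    case 30: return "decompression_failure";
    case 40: return "handshake_failure";
    case 42: return "bad_certificate";
    case 43: return "unsupported_certificate";
    case 44: return "certificate_revoked";
    case 45: return "certificate_expired";
    case 46: return "certificate_unknown";
    case 47: return "illegal_parameter";
    default: return nullptr;
    }
}

// Parse one TLS record (type, version, length, body) and, if it is a
// well-formed 2-byte alert, write a diagnostic string into buf. Returns
// false for any other record. The version bytes are not checked.
// snprintf keeps buf NUL-terminated for every max > 0, even when the
// message is truncated, which strncpy alone does not guarantee.
bool describeAlert(const unsigned char* rec, size_t len, char* buf, size_t max) {
    if (len != 7 || rec[0] != 21 || rec[3] != 0 || rec[4] != 2) return false;
    unsigned char level = rec[5], desc = rec[6];
    const char* lvl = (level == 1) ? "warning"
                    : (level == 2) ? "fatal" : "unknown-level";
    const char* name = alertName(desc);
    if (name)
        snprintf(buf, max, "TLS: Received %s alert from peer (%s)", name, lvl);
    else
        snprintf(buf, max, "TLS: Received unknown alert %u from peer (%s)",
                 (unsigned)desc, lvl);
    return true;
}
```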
[2 Nov 2015 20:18] Jeremy Cole
Patch to add alert values to yaSSL::YasslError.

Attachment: yassl_tls_alerts.diff (application/octet-stream, text), 2.21 KiB.

[3 Nov 2015 8:51] MySQL Verification Team
Hello Jeremy,

Thank you for the report and contribution.

Thanks,
Umesh
[9 Jul 2019 17:37] Paul DuBois
Posted by developer:
 
This is a yaSSL issue. yaSSL support is removed as of MySQL 5.6.46/5.7.28, so this bug is being closed with no action taken.