| Bug #79080 | YaSSL does not handle SSL/TLS alerts, resulting in "unknown error number" | ||
|---|---|---|---|
| Submitted: | 2 Nov 2015 20:17 | Modified: | 9 Jul 2019 17:37 |
| Reporter: | Jeremy Cole (Basic Quality Contributor) (OCA) | Email Updates: | |
| Status: | Won't fix | Impact on me: | |
| Category: | MySQL Server: Security: Encryption | Severity: | S3 (Non-critical) |
| Version: | 5.6 | OS: | Any |
| Assigned to: | | CPU Architecture: | Any |
| Tags: | SSL, yassl | ||
[2 Nov 2015 20:18]
Jeremy Cole
Patch to add alert values to yaSSL::YasslError.
Attachment: yassl_tls_alerts.diff (application/octet-stream, text), 2.21 KiB.
[3 Nov 2015 8:51]
MySQL Verification Team
Hello Jeremy, Thank you for the report and contribution. Thanks, Umesh
[9 Jul 2019 17:37]
Paul DuBois
Posted by developer: This is a yaSSL issue. yaSSL support is removed as of MySQL 5.6.46/5.7.28, so this bug is being closed with no action taken.

Description:
The YaSSL function yaSSL::SetErrorString is supposed to translate error numbers into readable text, but it does not correctly support SSL/TLS alerts (RFC 5246 §7.2.2 Error Alerts) which are defined in yaSSL::AlertDescription (in extra/yassl/include/yassl_types.hpp) and mentioned in yaSSL::YasslError (in extra/yassl/include/yassl_error.hpp) as:

```cpp
// 10 - 47 from AlertDescription, 0 also close_notify
```

What this ends up meaning is that if a valid TLS alert is received from the peer, instead of a useful message, the user will end up with e.g.:

```
ERROR 2026 (HY000): SSL connection error: unknown error number
```

How to repeat:
N/A

Suggested fix:
The solution is to patch support for the yaSSL::AlertDescription values into yaSSL::SetErrorString e.g.:

```cpp
+ case bad_record_mac:
+     strncpy(buffer, "TLS: Received bad_record_mac alert from peer (fatal)", max);
+     break;
```

So that the user can receive a more useful error message:

```
ERROR 2026 (HY000): SSL connection error: TLS: Received bad_record_mac alert from peer (fatal)
```

This makes it much more reasonable to attempt to diagnose and fix the actual problem.
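To show what the suggested fix is doing end to end, here is an added, self-contained C++ example (not yaSSL code and not the reporter's attached patch): it takes the two-byte alert body of a TLS record (level, description) as laid out in RFC 5246 §7.2, names the AlertDescription value using the numbers from the RFC, and produces a message in the same "TLS: Received <alert> alert from peer (<level>)" form as the suggested fix. Unlike the behaviour the bug describes, a value that is not in the table still yields a message carrying the raw number rather than a generic "unknown error number". The record parser, the table of names, and the sample record bytes are all constructed for this illustration; the function names are hypothetical and do not exist in yaSSL.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

// AlertLevel values from RFC 5246 section 7.2 (constructed enum, not yaSSL's).
enum AlertLevel : uint8_t { alert_warning = 1, alert_fatal = 2 };

// AlertDescription code -> RFC 5246 name. The numbers are the RFC's own;
// reserved/unused codes are deliberately left out so they hit the fallback path.
struct AlertName { uint8_t code; const char* name; };
static const AlertName kAlertNames[] = {
    {0, "close_notify"},          {10, "unexpected_message"},   {20, "bad_record_mac"},
    {21, "decryption_failed"},    {22, "record_overflow"},      {30, "decompression_failure"},
    {40, "handshake_failure"},    {42, "bad_certificate"},      {43, "unsupported_certificate"},
    {44, "certificate_revoked"},  {45, "certificate_expired"},  {46, "certificate_unknown"},
    {47, "illegal_parameter"},    {48, "unknown_ca"},           {49, "access_denied"},
    {50, "decode_error"},         {51, "decrypt_error"},        {70, "protocol_version"},
    {71, "insufficient_security"},{80, "internal_error"},       {90, "user_canceled"},
    {100, "no_renegotiation"},    {110, "unsupported_extension"},
};

// Return the RFC name for an alert description byte, or nullptr if unknown.
const char* alertDescriptionName(uint8_t desc) {
    for (const AlertName& a : kAlertNames)
        if (a.code == desc) return a.name;
    return nullptr;
}

// Fill `buffer` (at most `max` bytes, always NUL-terminated) with a readable
// message, mirroring the strncpy(buffer, "...", max) style of the suggested fix.
void setAlertErrorString(uint8_t level, uint8_t desc, char* buffer, size_t max) {
    if (max == 0) return;
    const char* severity = (level == alert_fatal)   ? "fatal"
                         : (level == alert_warning) ? "warning"
                                                    : "unknown level";
    const char* name = alertDescriptionName(desc);
    if (name)
        std::snprintf(buffer, max, "TLS: Received %s alert from peer (%s)", name, severity);
    else  // keep the raw code in the message instead of "unknown error number"
        std::snprintf(buffer, max, "TLS: Received unrecognized alert %u from peer (%s)",
                      static_cast<unsigned>(desc), severity);
    buffer[max - 1] = '\0';
}

// Convenience wrapper returning a std::string.
std::string describeAlert(uint8_t level, uint8_t desc) {
    char buffer[128];
    setAlertErrorString(level, desc, buffer, sizeof buffer);
    return buffer;
}

// Parse a plaintext TLS record. Only ContentType alert (21) with the mandatory
// two-byte body is accepted; anything else (wrong type, truncated header or
// body, wrong length field) is rejected. Encrypted alerts would have to be
// decrypted by the record layer before reaching this point.
bool parseAlertRecord(const uint8_t* rec, size_t len, std::string& message) {
    const size_t header = 5;                         // type(1) version(2) length(2)
    if (len < header) return false;
    if (rec[0] != 21) return false;                  // not an alert record
    size_t bodyLen = (static_cast<size_t>(rec[3]) << 8) | rec[4];
    if (bodyLen != 2 || len < header + bodyLen) return false;
    message = describeAlert(rec[5], rec[6]);
    return true;
}

int main() {
    // Constructed sample record: alert(21), TLS 1.2 (3,3), length 2, level fatal(2),
    // description bad_record_mac(20), i.e. the case from the bug report.
    const uint8_t sample[] = {21, 3, 3, 0, 2, 2, 20};
    std::string msg;
    if (parseAlertRecord(sample, sizeof sample, msg))
        std::printf("SSL connection error: %s\n", msg.c_str());
    return 0;
}
```

The lookup table is only as complete as the RFC list it was typed from; the fallback branch is what keeps a peer sending a newer or vendor-specific alert code from degrading into an unhelpful generic error, which is the diagnosability point the report makes.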