Bug #79833 Error connecting to SSL enabled instance
Submitted: 4 Jan 2016 12:47
Modified: 27 Apr 2018 13:40
Reporter: Rafael Bos
Status: Can't repeat
Category: MySQL Workbench
Severity: S2 (Serious)
Version: 6.3.6
OS: Any
Assigned to:
CPU Architecture: Any

[4 Jan 2016 12:47] Rafael Bos
Description:
Hi,
We have SSL-enabled 5.6.27 MySQL instances, using RSA or elliptic curve (EC) ciphers, running on Red Hat 6.5 EL. Replication links, the mysql command-line client, and applications (mostly Perl DBI) are SSL enabled and working. SSL is not required for all DB users. When connecting with Workbench 6.0/6.1/6.2 there's no problem, whether "Use SSL if available" is enabled or not. Users with Workbench 6.3.6 cannot connect to the servers at all, no matter what "Use SSL" is set to, always getting the error:

SSL connection error:
error:00000001:lib(0):func(0):reason(1)

The command-line mysql binary bundled with Workbench 6.3 connects to the instances only after explicitly specifying "--ssl=0"

How to repeat:
Install 6.3.6 and connect to SSL enabled MySQL instance.

Suggested fix:
If "Use SSL" is set to "No" or "If available" (without specified certs/keys) Workbench should connect to the servers.

[13 Jan 2016 23:10] IT Services
This happens when server runs with an expired certificate.

Setting "Use SSL" = No makes no difference.

Testing connection to a server with a valid cert and "Use SSL" set to No reports SSL being enabled and cipher in use.

[14 Jan 2016 7:48] Rafael Bos
Thanks for the response, but this does not seem to be the case:

$ openssl x509 -in ca-cert.pem -text -noout
#SNIP
        Validity
            Not Before: Dec  9 14:39:13 2015 GMT
            Not After : Oct 17 14:39:13 2025 GMT
#SNIP
$ openssl x509 -in server-cert.pem -text -noout
#SNIP
        Validity
            Not Before: Dec 10 11:55:05 2015 GMT
            Not After : Oct 18 11:55:05 2025 GMT
#SNIP

Connection to the server with MySQL Workbench using valid client certificates is working with "Use SSL" set to "If available" or "Required". But it returns the mentioned error when set to "No", even with the cert info still filled in.

If I do not specify any cert info, the error is also thrown for the case of "If available".

[20 Jan 2017 14:38] Rafael Bos
Hi,
any update on this?
And it looks like the same issue made it to the latest MySQL ODBC connector (used version 5.3.7), as we get the same error.

Not quite sure if that's related, but as far as I could see, the "Switch to SSL after handshake" flag is always set for Workbench 6.3, which is not the case for 6.2 and 6.0.

[20 Jan 2017 14:39] Rafael Bos
Packet inspection

Attachment: MySQL_BUG79833_170120_.txt (text/plain), 7.78 KiB.

[24 Feb 2018 2:31] MySQL Verification Team
Please try version 6.3.01. Thanks.

[26 Feb 2018 11:28] Rafael Bos
Hello,
well ... 6.3.10 indeed does not require certificates to be set up when I choose "No" in the "Use SSL" select box, though then with the "If Available", "Required", ... options I'm not able to use SSL connections.

When I specify cipher 'ECDH-ECDSA-AES256-SHA' it's failing with "Failed to set ciphers to use" and without an explicit cipher it fails with "Unable to get private key". The same setup of certificates/cipher works in Workbench 6.2.X or 6.3.6

[27 Apr 2018 13:40] Chiranjeevi Battula
Hello Rafael Bos,

Thank you for the feedback.
I could not repeat the issue at our end using MySQL Workbench version 8.0.11.
If you can provide more information, feel free to add it to this bug and change the status back to 'Open'.

Thank you for your interest in MySQL.

Thanks,
Chiranjeevi.