Bug #83503 MySQL Workbench (mac) SSL connection error: protocol version mismatch
Submitted: 24 Oct 2016 16:19 Modified: 7 Mar 2017 23:07
Reporter: Lamont Peterson
Status: No Feedback
Category: MySQL Workbench Severity: S2 (Serious)
Version: 6.3.6 OS: MacOS (10.12)
Assigned to: CPU Architecture: Any
Tags: SSL, TLSv1, TLSv1.1, TLSv1.2

[24 Oct 2016 16:19] Lamont Peterson
Description:
We want to only allow TLSv1.2 (and newer, whenever TLSv1.3 is available) for SSL connections to our MySQL servers.  This is the first server for this configuration.

The "setup":

- Using MySQL Workbench v6.3.6 build 511 CE (64bit) on my Mac (macOS 10.12).  OpenSSL version reports "OpenSSL 0.9.8zh 14 Jan 2016" (Check for Updates says this is the most up-to-date version).
- Using MySQL Workbench v6.3.7 build 1199 on Windows 7.
- MySQL Community Edition 5.7.11 from mysql.com yum repos on CentOS 6.  OpenSSL version reports "OpenSSL 1.0.1e-fips 11 Feb 2013"
- Using wildcard SSL certificate (for *.dev.wgu.edu), which is signed by Symantec Class 3 G4 Intermediate CA for the MySQL server.

What works:
- When the "tls_version" variable in the [mysqld] section of the my.cnf file is not set, the MySQL Workbench on both Mac and Windows connects without issue.
- When the "tls_version" variable in the [mysqld] section of the my.cnf file is set to TLSv1, the MySQL Workbench on both Mac and Windows connects without issue.

What breaks:
- When the "tls_version" variable in the [mysqld] section of the my.cnf file is set to TLSv1.1, the MySQL Workbench on Mac cannot connect (Windows still works fine).  On my Mac, Workbench shows "SSL connection error: protocol version mismatch".

When I switch it back to TLSv1.0 or remove the "tls_version" setting, everything works.

Other Notes:
- CentOS 6 OpenSSL on this server doesn't support TLSv1.2; I'll be updating it to get that support or moving it to a CentOS 7 system.
- This is definitely NOT a problem with OpenSSL 0.9.x v OpenSSL 1.0.x generating the certs (e.g., PKCS#1 v. PKCS#8 format for the secret key file) ... it wasn't OpenSSL that was used to generate them back when and since it works with TLSv1 but not TLSv1.1 that kind of thing cannot be the problem.  In other words, this can't be the problem because (a) OpenSSL wasn't involved and (b) if it was that kind of problem, it would be broken every time, not just in this one instance.

How to repeat:
Linux server:
- CentOS 6.
- Install MySQL 5.7.11 from the mysql.com YUM repo.
- Configure to support SSL with a wildcard SHA256 signatures, but the self-signature and the CA signature.
- Include "tls_version=TLSv1.1" in the server SSL config.
Mac client:
- (probably any "modern" version from the past couple of years, all the way to fully up-to-date)
- Install latest MySQL Workbench
- Configure to connect to the server with SSL, using only the CA certificate (which signed the SSL cert, of course) in the connection config.

Test or try to connect to the server from the Mac MySQL client and observe the error.

Suggested fix:
Wish I had a fix.  I have some theories which I have not been able to take time to test (yet?):

- Switch to a newer version of OpenSSL on the Mac, such as installed with home-brew or similar.
- Update server to newer version of OpenSSL which supports TLSv1.2 (perhaps the newer version has some TLSv1.1 fixes which apply?).
- Upgrade server to support TLSv1.2 (newer OpenSSL) and try using TLSv1.2, skipping TLSv1.1 entirely.

[31 Oct 2016 21:02] Lamont Peterson
I have built another server, this one on CentOS 7 with:

- mysql-community-server-5.7.15-1.el7.x86_64
- openssl-1.0.1e-42.el7.9.x86_64

Same problems from the Mac.

This fits with the thought that it's the Mac version of MySQL Workbench which might be using the older "OpenSSL 0.9.8zh 14 Jan 2016" installed on the Mac.  However, since I have other versions of OpenSSL also installed and available (through homebrew), I'm hoping there's an easy way to use something which supports TLSv1.2 (apparently, the Mac version of OpenSSL, if that's really what's being used, also doesn't support TLSv1.1).

What can I test, info I can gather/provide here?
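
Added example (not part of the original report, and not MySQL or Workbench code): a probe that offers a MySQL server exactly one TLS version at a time, which separates what the server's "tls_version" setting accepts from what a particular client's TLS library can speak. It assumes the standard MySQL HandshakeV10/SSLRequest packet layout; the sample packet is constructed, and the host and port passed to `probe` are whatever server you administer.

```python
import socket, ssl, struct

CLIENT_SSL = 0x0800  # capability bit: this side can switch to TLS
CLIENT_PROTOCOL_41, CLIENT_SECURE_CONNECTION = 0x0200, 0x8000

def parse_handshake(packet: bytes):
    """Return (server_version, capability_flags) from a HandshakeV10 packet."""
    length = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + length]
    if len(payload) != length or payload[:1] != b"\x0a":
        raise ValueError("not a complete HandshakeV10 packet")
    end = payload.index(b"\x00", 1)
    pos = end + 1 + 4 + 8 + 1  # skip connection id, auth data part 1, filler
    lower, _charset, _status, upper = struct.unpack_from("<HBHH", payload, pos)
    return payload[1:end].decode("ascii"), lower | (upper << 16)

def build_ssl_request(charset: int = 33) -> bytes:
    """SSLRequest (sequence id 1): the TLS handshake follows on the same socket."""
    caps = CLIENT_SSL | CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION
    payload = struct.pack("<IIB23x", caps, 1 << 24, charset)
    return len(payload).to_bytes(3, "little") + b"\x01" + payload

def probe(host: str, port: int, version: ssl.TLSVersion) -> str:
    """Offer exactly one TLS version; return what was negotiated or the error."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # version probe only: the server
    ctx.verify_mode = ssl.CERT_NONE  # certificate is not authenticated here
    ctx.minimum_version = ctx.maximum_version = version
    with socket.create_connection((host, port), timeout=5) as sock:
        header = sock.recv(4, socket.MSG_WAITALL)
        body = sock.recv(int.from_bytes(header[:3], "little"), socket.MSG_WAITALL)
        if not parse_handshake(header + body)[1] & CLIENT_SSL:
            return "server does not offer TLS"
        sock.sendall(build_ssl_request())
        try:
            with ctx.wrap_socket(sock) as tls:
                return tls.version()
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            return f"handshake failed: {exc}"

# Constructed HandshakeV10 packet (not captured from a real server).
_body = (b"\x0a5.7.11\x00" + bytes(4) + b"12345678" + b"\x00" + b"\xff\xff"
         + b"\x21\x02\x00" + b"\xff\x81" + b"\x15" + bytes(10)
         + b"abcdefghijkl\x00" + b"mysql_native_password\x00")
SAMPLE_HANDSHAKE = len(_body).to_bytes(3, "little") + b"\x00" + _body
```

Call `probe(host, 3306, ssl.TLSVersion.TLSv1_1)` and repeat for `TLSv1` and `TLSv1_2`. Recent OpenSSL builds may refuse TLSv1 and TLSv1.1 under their own local policy, so a failure for those versions can originate on the probing side rather than on the server.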

[7 Feb 2017 23:07] MySQL Verification Team
Please try version 6.3.9. Thanks.

[8 Mar 2017 1:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".