Bug #86816 | MySQL Enterprise Workbench 6.3.9 fails to connect to MySQL Server w/ TLS 1.2 | ||
---|---|---|---|
Submitted: | 23 Jun 2017 15:04 | Modified: | 4 Mar 2019 10:18 |
Reporter: | Jason Miele | Email Updates: | |
Status: | QA review | Impact on me: | |
Category: | MySQL Workbench | Severity: | S2 (Serious) |
Version: | 6.3.9 | OS: | Windows |
Assigned to: | | CPU Architecture: | Any |
Tags: | Enterprise, MySQL Workbench, TLS 1.2 |
[23 Jun 2017 15:04]
Jason Miele
[23 Jun 2017 15:28]
Jason Miele
It appears that when MySQL Enterprise Server 5.7.18 for Linux is configured with tls_version=1.2, the MySQL Enterprise Workbench 6.3.9 for Windows will not connect at all: "SSL connection error: protocol version mismatch".
[29 Jun 2017 2:14]
Jason Miele
SHA2 certificates = SHA256 certificates
[9 Jul 2017 18:25]
Jason Miele
Revised Verification Steps

1) Generate Certs and Keys:

1a) Generate CA Cert:

    openssl genrsa 2048 > ca-key.pem
    openssl req -sha1 -new -x509 -nodes -days 3650 -key ca-key.pem > ca-cert.pem

1b) Generate Server Cert and Key:

    openssl req -sha1 -newkey rsa:2048 -days 730 -nodes -keyout server-key.pem > server-req.pem
    openssl rsa -in server-key.pem -out server-key.pem
    openssl x509 -sha1 -req -in server-req.pem -days 730 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

1c) Generate Client Cert and Key:

    openssl req -sha1 -newkey rsa:2048 -days 730 -nodes -keyout client-key.pem > client-req.pem
    openssl rsa -in client-key.pem -out client-key.pem
    openssl x509 -sha1 -req -in client-req.pem -days 730 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem

2) Install MySQL Server 5.7.18 Enterprise for Linux Generic

3) Configure MySQL Server with the necessary parameters so that it is ready to become an InnoDB Cluster plus:

    tls_version=TLSv1.2
    ssl=ON
    ssl-ca=/certs/ca-cert.pem
    ssl-cert=/certs/server-cert.pem
    ssl-key=/certs/server-key.pem

4) Add a user in MySQL with "REQUIRE SSL" and all privileges (such as the DBA role)

    CREATE USER clientuser@'%' IDENTIFIED BY '###############' REQUIRE SSL;

5) Setup MySQL Enterprise Workbench 6.3.9 for Windows.

6) Try to connect to the MySQL Enterprise server with the MySQL Enterprise workbench with 'clientuser' (use the client-key.pem, client-cert.pem, and ca-cert.pem for the workbench connection. Set "use ssl" to "Require" in the workbench connection settings)

7) The Enterprise Workbench 6.3.9 for Windows will fail to connect to the MySQL Enterprise Server 5.7.18 with the popup error: "protocol version mismatch"
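Added example, not part of the original report or of MySQL's code: a Python probe that performs the MySQL-protocol TLS upgrade (server greeting, then SSLRequest) and attempts a handshake pinned to a single TLS version, to confirm which versions a server configured as in step 3 accepts. The function names and the sample greeting are assumptions made for illustration; certificate verification is off because the probe tests only protocol versions and sends no credentials.

```python
import socket, ssl, struct
CLIENT_SSL, CLIENT_PROTOCOL_41, CLIENT_SECURE_CONNECTION = 0x0800, 0x0200, 0x8000

def parse_greeting(packet):
    """Return (server_version, offers_tls) from a protocol-10 initial handshake packet."""
    payload = packet[4:4 + int.from_bytes(packet[:3], "little")]
    if not payload or payload[0] != 10:
        raise ValueError("not a protocol 10 greeting (error packet or unsupported server)")
    end = payload.index(b"\x00", 1)                  # NUL ends the version string
    # skip NUL (1), connection id (4), auth data (8), filler (1) -> low capability word
    (caps_low,) = struct.unpack_from("<H", payload, end + 14)
    return payload[1:end].decode("ascii", "replace"), bool(caps_low & CLIENT_SSL)

def build_ssl_request():
    """SSLRequest: 32-byte payload, sequence id 1, sent in clear before the TLS handshake."""
    caps = CLIENT_SSL | CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION
    payload = struct.pack("<IIB23x", caps, 1 << 24, 33)   # max packet 16 MiB, charset utf8
    return len(payload).to_bytes(3, "little") + b"\x01" + payload

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf

def probe(host, port, version):
    """Try one ssl.TLSVersion; return the negotiated protocol name or the failure reason."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE       # version probe only; no credentials are sent
    ctx.minimum_version = ctx.maximum_version = version
    with socket.create_connection((host, port), timeout=5) as sock:
        header = recv_exact(sock, 4)
        greeting = header + recv_exact(sock, int.from_bytes(header[:3], "little"))
        if not parse_greeting(greeting)[1]:
            return "server does not offer TLS"
        sock.sendall(build_ssl_request())
        try:
            with ctx.wrap_socket(sock) as tls:
                return tls.version()
        except OSError as exc:            # ssl.SSLError is a subclass of OSError
            return f"handshake failed: {exc}"

_body = (b"\x0a5.7.18\x00" + bytes(4) + b"abcdefgh\x00" + b"\xff\xff" + b"\x21\x02\x00"
         + b"\xff\xc1\x15" + bytes(10) + b"ijklmnopqrst\x00mysql_native_password\x00")
SAMPLE_GREETING = len(_body).to_bytes(3, "little") + b"\x00" + _body  # constructed, not captured
```

Call `probe(host, 3306, ssl.TLSVersion.TLSv1_2)` and repeat with `ssl.TLSVersion.TLSv1_1` to compare. If the local OpenSSL build has older protocol versions disabled, the older probes fail on the client side, so treat those results as inconclusive.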
[31 Jul 2017 10:32]
Chiranjeevi Battula
Hello Jason Miele,

Thank you for the bug report and steps. Verified this behavior on MySQL Workbench in 6.3.9 version.

Thanks,
Chiranjeevi.
[4 Jan 2018 16:14]
Jason Miele
Any updates on this? Not supporting TLS 1.2 is kind of serious imho.
[13 Apr 2018 14:11]
MySQL Verification Team
My Windows installation of commercial Workbench 6.3.10 appears to have been packaged with commercial 5.7.17 mysql.exe and mysqldump.exe BUT a community build of libmysql.dll (yassl). According to the build log I suspect something went wrong, since the 5.7.20 commercial client should have been used?!
[13 Apr 2018 14:38]
MySQL Verification Team
Workaround on 6.3.10 commercial workbench.

1. Download commercial 5.7.17 server package, mysql-advanced-5.7.17-winx64.zip
2. Take the .\lib\libmysql.dll from that and replace the one in workbench folder.

    C:\Program Files\MySQL\MySQL Workbench 6.3>ren libmysql.dll libmysql.dll.community
    C:\Program Files\MySQL\MySQL Workbench 6.3>copy C:\ade\mysql-advanced-5.7.17-winx64\lib\libmysql.dll .
    1 file(s) copied.
    C:\Program Files\MySQL\MySQL Workbench 6.3>MySQLWorkbench.exe
[4 Mar 2019 10:16]
Miguel Tadeu Mota
Posted by developer: This seems to have been a packaging problem. Not happening anymore, since we're only using openssl since 8.0
[10 Mar 2020 16:30]
Oracle Zimmerman
Same issue for Ubuntu install of 6.3.9 & 6.3.10. Amazon has moved their RDS servers to TLS 1.2 only, so this will probably be a thorn in many people's sides. I am on Ubuntu 16.04 LTS, which is still a supported OS, but apparently not by Workbench, as the 8.* versions only support Ubuntu 18.04+. Help? Workaround on Linux?