Bug #86816 MySQL Enterprise Workbench 6.3.9 fails to connect to MySQL Server w/ TLS 1.2
Submitted: 23 Jun 2017 15:04 Modified: 4 Mar 2019 10:18
Reporter: Jason Miele
Status: QA review
Category: MySQL Workbench
Severity: S2 (Serious)
Version: 6.3.9
OS: Windows
Assigned to:
CPU Architecture: Any
Tags: Enterprise, MySQL Workbench, TLS 1.2

[23 Jun 2017 15:04] Jason Miele
Description:
MySQL Enterprise Workbench will not connect to MySQL Enterprise Server with SHA2 Certificates.

When MySQL Server is set up with tls-version=1.2 with SHA2 certificates, the MySQL Enterprise Workbench will not connect with SHA2 client certificates (and SHA2 Certificate Authority). This is unexpected as the Enterprise Workbench is compiled with OpenSSL.

Note, the same SHA2 certificates and SHA2 certificate authority work with the MySQL Enterprise Server for Linux command line client.  

How to repeat:
1) Set up MySQL Enterprise Server 5.7.18 for Linux with SHA2 certificates and a SHA2 trust. Most importantly, set tls-version=1.2

2) Set up MySQL Enterprise Workbench 6.3.9 for Windows with SHA2 client cert, client key, and SHA2 certificate authority.

3) The Enterprise Workbench 6.3.9 for Windows will fail to connect to Enterprise Server 5.7.18 with SHA2 Certs and SHA2 certificate authority.
[23 Jun 2017 15:28] Jason Miele
It appears that when MySQL Enterprise Server 5.7.18 for Linux is configured with tls_version=1.2, the MySQL Enterprise Workbench 6.3.9 for Windows will not connect at all "SSL connection error: protocol version mismatch".
[29 Jun 2017 2:14] Jason Miele
SHA2 certificates = SHA256 certificates
[9 Jul 2017 18:25] Jason Miele
Revised Verification Steps

1) Generate Certs and Keys:
	1a) Generate CA Cert:
		openssl genrsa 2048 > ca-key.pem
		openssl req -sha1 -new -x509 -nodes -days 3650 -key ca-key.pem > ca-cert.pem
	1b) Generate Server Cert and Key:
		openssl req -sha1 -newkey rsa:2048 -days 730 -nodes -keyout server-key.pem > server-req.pem
		openssl rsa -in server-key.pem -out server-key.pem
		openssl x509 -sha1 -req -in server-req.pem -days 730 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem
	1c) Generate Client Cert and Key:
		openssl req -sha1 -newkey rsa:2048 -days 730 -nodes -keyout client-key.pem > client-req.pem
		openssl rsa -in client-key.pem -out client-key.pem
		openssl x509 -sha1 -req -in client-req.pem -days 730 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem
2) Install MySQL Server 5.7.18 Enterprise for Linux Generic
3) Configure MySQL Server with the necessary parameters so that it is ready to become an InnoDB Cluster plus:
	tls_version=TLSv1.2
	ssl=ON
	ssl-ca=/certs/ca-cert.pem
	ssl-cert=/certs/server-cert.pem
	ssl-key=/certs/server-key.pem
4) Add a user in MySQL with "REQUIRE SSL" and all privileges (such as the DBA role)
	CREATE USER clientuser@'%' IDENTIFIED BY '###############' REQUIRE SSL;
5) Set up MySQL Enterprise Workbench 6.3.9 for Windows.
6) Try to connect to the MySQL Enterprise server with the MySQL Enterprise workbench with 'clientuser' (use the client-key.pem, client-cert.pem, and ca-cert.pem for the workbench connection.  Set "use ssl" to "Require" in the workbench connection settings)
7) The Enterprise Workbench 6.3.9 for Windows will fail to connect to the MySQL Enterprise Server 5.7.18 with the popup error: "protocol version mismatch"
[31 Jul 2017 10:32] Chiranjeevi Battula
Hello  Jason Miele,

Thank you for the bug report and steps.
Verified this behavior on MySQL Workbench in 6.3.9 version

Thanks,
Chiranjeevi.
[4 Jan 2018 16:14] Jason Miele
Any updates on this? Not supporting TLS 1.2 is kind of serious imho.
[13 Apr 2018 14:11] MySQL Verification Team
on my windows installation of commercial workbench 6.3.10, appears to have been packaged with commercial 5.7.17 mysql.exe and mysqldump.exe BUT a community build of libmysql.dll (yassl).

according to build log I suspect something went wrong since 5.7.20 commercial client should have been used?!
[13 Apr 2018 14:38] MySQL Verification Team
workaround on 6.3.10 commercial workbench.

1. download commercial 5.7.17 server package, mysql-advanced-5.7.17-winx64.zip

2. take the .\lib\libmysql.dll from that and replace the one in workbench folder.

C:\Program Files\MySQL\MySQL Workbench 6.3>ren libmysql.dll libmysql.dll.community

C:\Program Files\MySQL\MySQL Workbench 6.3>copy C:\ade\mysql-advanced-5.7.17-winx64\lib\libmysql.dll .
        1 file(s) copied.

C:\Program Files\MySQL\MySQL Workbench 6.3>MySQLWorkbench.exe
[4 Mar 2019 10:16] Miguel Tadeu Mota
Posted by developer:
 
This seems to have been a packaging problem. Not happening anymore, since we're only using openssl since 8.0
[10 Mar 2020 16:30] Oracle Zimmerman
Same issue for Ubuntu install of 6.3.9 & 6.3.10. Amazon has moved their RDS servers to tls 1.2 only so this will probably be a thorn in many people's sides.
I am on Ubuntu 16.04 LTS which is still a supported OS, but apparently not by Workbench as the 8.* versions only support Ubuntu 18.04+

Help?  Workaround on linux?