Bug #90418 Contribution by Facebook: Fix OpenSSL error codes
Submitted: 12 Apr 2018 23:30 Modified: 15 Aug 2018 14:47
Reporter: FBContrib Admin Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Errors Severity:S3 (Non-critical)
Version:8.0.4 OS:Any
Assigned to: CPU Architecture:Any

[12 Apr 2018 23:30] FBContrib Admin
Description:
Background innformation provided by Facebook:
Abstract:

This fixes how OpenSSL error codes are returned to the application.

The client library was not using OpenSSL error codes correctly; it was using the return value of SSL_get_error rather than ERR_get_error, which made for nonsensical errors.

Before this patch, with a cert signed by an unknown CA, this was the error:

ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)

after:

ERROR 2026 (HY000): SSL connection error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Repo: https://github.com/mysql/mysql-server
Patch on top of 8.0.4: https://github.com/mysql/mysql-server/commit/577fbcf856cd693434d554545d499559bcdd3695
Facebook commits: https://github.com/facebook/mysql-5.6/commit/3555caa

How to repeat:
See description

Suggested fix:
See contribution code attached
[12 Apr 2018 23:30] FBContrib Admin
Fix OpenSSL error codes 
(*) This code is contributed under the Facebook agreement

Contribution: fb_patch_41.txt (text/plain), 1.72 KiB.

[14 Aug 2018 13:18] Georgi Kodinov
Posted by developer:
 
FYI, I get the following on the client when trying to do --ssl-mode=verify-ca with the wrong ca cert (before the fix):
Openssl 1.0 and 1.1: 
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
wolfssl 3.14:
ERROR 2026 (HY000): SSL connection error: ASN no signer error to confirm failure
[14 Aug 2018 15:17] Georgi Kodinov
Posted by developer:
 
After the fix:
openssl 1.1: ERROR 2026 (HY000): SSL connection error: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
openssl 1.0: ERROR 2026 (HY000): SSL connection error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
wolfssl 3.14: ERROR 2026 (HY000): SSL connection error: ASN no signer error to confirm failure
[15 Aug 2018 14:47] Paul Dubois
Posted by developer:
 
Fixed in 8.0.13.

The MySQL client library now returns better error messages for
OpenSSL errors. Thanks to Facebook for the patch.
[23 Oct 2018 13:43] Laurynas Biveinis
Duplicate bug 75311 ?