Bug #91552 Socket connection will try to use SSL, but it will fail.
Submitted: 5 Jul 2018 5:55
Modified: 23 Jun 2022 20:55
Reporter: - -
Status: Closed
Category: Connector / Python
Severity: S1 (Critical)
Version: 8.0.11, 8.0.12
OS: CentOS (7.5)
Assigned to:
CPU Architecture: Any

[5 Jul 2018 5:55] - -
Description:
When I try to connect to a local database server via socket, the Python connector will try to use an SSL-secured session.
But this fails when the server uses TLS 1.2 ciphers only.

How to repeat:
Configure this setting on the server for the mysqld process:
ssl_cert=/etc/pki/tls/certs/mariadb.crt
ssl_key=/etc/pki/tls/private/mariadb.key
ssl_ca=/etc/pki/tls/certs/foo_certificate_chain.crt
ssl_cipher=ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384

Try to connect via socket from python:
import mysql.connector as db_connector
db_connection = db_connector.connect(user='root', password=root_pw, unix_socket=socket_path, database='mysql')

It will fail with:
Can't connect to the database. Lost connection to MySQL server at '/var/lib/mysql/mysql.sock', system error: 1 [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:600)

Suggested fix:
Don't use SSL for socket communication.
The mysql tool doesn't use it for sockets:
status:
Current user:		root@localhost
SSL:			Not in use
Connection:		Localhost via UNIX socket
UNIX socket:		/var/lib/mysql/mysql.sock

So why will the Python connector try this?
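
Added example (not part of the original report and not Connector/Python code): the reporter ties the failure to the server accepting TLS 1.2 ciphers only. The code below uses Python's standard ssl module to look up the protocol that each cipher in the reported ssl_cipher value requires, and to list which of them a client capped at a given protocol could still negotiate. The function names and the PROTOCOL_RANK table are assumptions made for illustration.

```python
import ssl

# ssl_cipher value taken from the mysqld configuration in the report.
SERVER_SSL_CIPHER = "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"

# Ordering of the protocol labels OpenSSL prints in cipher descriptions
# (illustrative table, not part of any library).
PROTOCOL_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.0": 1,
                 "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def minimum_protocols(cipher_string):
    """Map each cipher named in cipher_string to the oldest protocol that defines it."""
    wanted = set(cipher_string.split(":"))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no cipher matches
    result = {}
    for cipher in ctx.get_ciphers():
        # TLS 1.3 suites are listed regardless of set_ciphers(); skip them.
        if cipher["name"] in wanted:
            # Description looks like "NAME TLSv1.2 Kx=... Au=... Enc=... Mac=...".
            result[cipher["name"]] = cipher["description"].split()[1]
    return result


def usable_ciphers(cipher_string, client_max_protocol):
    """Ciphers from cipher_string that a client capped at client_max_protocol can use."""
    cap = PROTOCOL_RANK[client_max_protocol]
    return sorted(name
                  for name, proto in minimum_protocols(cipher_string).items()
                  if PROTOCOL_RANK[proto] <= cap)


if __name__ == "__main__":
    for name, proto in minimum_protocols(SERVER_SSL_CIPHER).items():
        print(f"{name}: requires {proto}")
    # An empty list means the handshake has no shared cipher and is rejected.
    print("usable at TLSv1:  ", usable_ciphers(SERVER_SSL_CIPHER, "TLSv1"))
    print("usable at TLSv1.2:", usable_ciphers(SERVER_SSL_CIPHER, "TLSv1.2"))
```
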
[5 Jul 2018 7:23] MySQL Verification Team
Hello!

Thank you for the report!

Thanks,
Umesh
[3 Sep 2018 9:19] MySQL Verification Team
-- 8.0.12

rm -rf 92260/
bin/mysqld --defaults-file=./92260.cnf --initialize-insecure --log-error-verbosity=3
bin/mysqld --defaults-file=./92260.cnf --core-file --socket=/tmp/mysql_ushastry.sock --port=3333 --log-error=$PWD/92260/log.err 2>&1 &

[root@BugCentOS7 Downloads]# rpm -qa|grep mysql-connector-python
mysql-connector-python-cext-8.0.12-1.el7.x86_64
mysql-connector-python-8.0.12-1.el7.x86_64

[ushastry@BugCentOS7 mysql-8.0.12]$ cat 92260.cnf 
[mysqld]
datadir=/home/ushastry/Downloads/mysql-8.0.12/92260
basedir=/home/ushastry/Downloads/mysql-8.0.12
ssl-ca=/home/ushastry/Downloads/mysql-8.0.12/newcert/ca.pem
ssl-cert=/home/ushastry/Downloads/mysql-8.0.12/newcert/server-cert.pem
ssl-key=/home/ushastry/Downloads/mysql-8.0.12/newcert/server-key.pem
ssl_cipher=ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384

[ushastry@BugCentOS7 mysql-8.0.12]$ bin/mysql -uroot -S /tmp/mysql_ushastry.sock
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 8.0.12 MySQL Community Server - GPL

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create user 'ushastry'@'localhost' identified by '123' require SSL;
Query OK, 0 rows affected (0.07 sec)

mysql> grant all on *.* to 'ushastry'@'localhost';
Query OK, 0 rows affected (0.03 sec)

mysql> show variables like 'ssl%';
+---------------+---------------------------------------------------------------+
| Variable_name | Value                                                         |
+---------------+---------------------------------------------------------------+
| ssl_ca        | /home/ushastry/Downloads/mysql-8.0.12/newcert/ca.pem          |
| ssl_capath    |                                                               |
| ssl_cert      | /home/ushastry/Downloads/mysql-8.0.12/newcert/server-cert.pem |
| ssl_cipher    |                                                               |
| ssl_crl       |                                                               |
| ssl_crlpath   |                                                               |
| ssl_fips_mode | OFF                                                           |
| ssl_key       | /home/ushastry/Downloads/mysql-8.0.12/newcert/server-key.pem  |
+---------------+---------------------------------------------------------------+
8 rows in set (0.02 sec)

mysql> \q
Bye

>>> db_connection = db_connector.connect(user='ushastry', password='123', unix_socket='/tmp/mysql_ushastry.sock', database='mysql',use_pure='true')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/site-packages/mysql/connector/__init__.py", line 173, in connect
    return MySQLConnection(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/mysql/connector/connection.py", line 102, in __init__
    self.connect(**kwargs)
  File "/usr/lib64/python2.7/site-packages/mysql/connector/abstracts.py", line 731, in connect
    self._open_connection()
  File "/usr/lib64/python2.7/site-packages/mysql/connector/connection.py", line 248, in _open_connection
    self._ssl)
  File "/usr/lib64/python2.7/site-packages/mysql/connector/connection.py", line 158, in _do_auth
    ssl_options.get('cipher'))
  File "/usr/lib64/python2.7/site-packages/mysql/connector/network.py", line 432, in switch_to_ssl
    errno=2055, values=(self.get_address(), _strioerror(err)))
mysql.connector.errors.InterfaceError: 2055: Lost connection to MySQL server at '/tmp/mysql_ushastry.sock', system error: 1 [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:579)
>>>
[23 Jun 2022 20:55] Philip Olson
Posted by developer:
 
Fixed as of the upcoming MySQL Connector/Python 8.0.30 release, and here's the proposed changelog entry from the documentation team:

Disabled SSL usage with Unix socket connections.

Thank you for the bug report.