Bug 1231960

Summary: openssl update breaks mysql ssl
Product: Red Hat Enterprise Linux 5
Reporter: Blake <blake.a.hudson>
Component: mysql
Assignee: Michal Schorm <mschorm>
Status: CLOSED WONTFIX
QA Contact: qe-baseos-daemons
Severity: high
Docs Contact:
Priority: unspecified
Version: 5.11
CC: bgollahe, byte, databases-maint, dukrat, erinn.looneytriggs, hhorak, howey.vernon, huzaifas, it, jherrman, kvolny, leonard-rh-bugzilla, maurizio.antillon, qe-baseos-daemons, rwilliam, thoger, tlavigne, tmraz
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
With certain versions of OpenSSL, using SSL to log into a MySQL client as root previously failed with a "ERROR 2026 (HY000): SSL connection error" message. This update increases the Diffie-Hellman (DH) key length in MySQL from 512 to 1024 bits, which meets the DH key length requirements for these OpenSSL versions. As a result, SSL can be used as expected in the described scenario.
Story Points: ---
Clone Of: 1228755
Environment:
Last Closed: 2017-04-18 21:53:56 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1232207

Description Blake 2015-06-15 17:15:19 UTC
+++ This bug was initially created as a clone of Bug #1228755 +++

Description of problem:
openssl 1.0.1e-30.el6_6.9 breaks MySQL SSL connections (affecting both client and replication). This affects EL6 clients connecting to EL5 servers.

Version-Release number of selected component (if applicable):
mysql-server.x86_64              5.0.95-5.el5_9
mysql (client)                   5.1.73-3.el6_5
openssl.x86_64                   1.0.1e-30.el6_6.9

How reproducible:
Always

Steps to Reproduce: (as root)
yum update; yum install mysql-server
vim /etc/my.cnf
  [mysqld]
  ssl-ca=/var/lib/mysql/mysqlcerts/ca-cert.pem
  ssl-cert=/var/lib/mysql/mysqlcerts/server-cert.pem
  ssl-key=/var/lib/mysql/mysqlcerts/server-key.pem
  [client]
  ssl-ca=/var/lib/mysql/mysqlcerts/ca-cert.pem
  ssl-cert=/var/lib/mysql/mysqlcerts/client-cert.pem
  ssl-key=/var/lib/mysql/mysqlcerts/client-key.pem
  mkdir /var/lib/mysql/mysqlcerts
  cd /var/lib/mysql/mysqlcerts
  openssl genrsa 2048 > ca-key.pem
  openssl req -new -x509 -nodes -days 1000 -key ca-key.pem -out ca-cert.pem
  openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem -out server-req.pem
  openssl rsa -in server-key.pem -out server-key.pem
  openssl x509 -req -in server-req.pem -days 1000  -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
  openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem -out client-req.pem
  openssl rsa -in client-key.pem -out client-key.pem
  openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
  chown mysql:mysql *
  chmod 640 *
  service mysql restart

Actual results:
ERROR 2026 (HY000): SSL connection error

Expected results:
Logged into mysql as root.

Additional info:
Non-SSL connections succeed. Setting ssl-cipher=DEFAULT:!DH does work as a temporary workaround.
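As an added client-side diagnostic (not code from MySQL, Red Hat or this report), the following Python performs the MySQL-specific STARTTLS step, sending the SSLRequest packet after the server greeting and then starting TLS, and reports the negotiated cipher, so an operator can see whether the server selected a DH(E) key exchange, the one the OpenSSL update rejects when the server's DH parameters are too short. The host, port, charset and the use of Python's ssl module are assumptions.

```python
"""Report the TLS cipher a MySQL server negotiates (example, not MySQL code)."""
import socket
import ssl
import struct

# MySQL client capability flags from the wire-protocol documentation.
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800
CLIENT_SECURE_CONNECTION = 0x00008000


def build_ssl_request(sequence_id: int = 1, charset: int = 33) -> bytes:
    """SSLRequest: the client's first packet when it wants TLS.
    Payload = caps(4) max_packet(4) charset(1) reserved(23) = 32 bytes,
    preceded by a 3-byte little-endian length and a 1-byte sequence id."""
    caps = CLIENT_PROTOCOL_41 | CLIENT_SSL | CLIENT_SECURE_CONNECTION
    payload = struct.pack("<IIB", caps, 16 * 1024 * 1024, charset) + b"\x00" * 23
    header = struct.pack("<I", len(payload))[:3] + bytes([sequence_id & 0xFF])
    return header + payload


def server_offers_ssl(greeting: bytes) -> bool:
    """Read the lower capability flags of a v10 server greeting (4-byte packet
    header included) and report whether the server advertises CLIENT_SSL."""
    body = greeting[4:]
    if not body or body[0] != 10:          # only protocol version 10 handled
        return False
    nul = body.index(b"\x00", 1)           # end of the server version string
    # then: 4 bytes thread id, 8 bytes auth-plugin-data, 1 filler byte
    offset = nul + 1 + 4 + 8 + 1
    caps_low = struct.unpack_from("<H", body, offset)[0]
    return bool(caps_low & CLIENT_SSL)


def negotiated_cipher(host: str, port: int = 3306, cafile: str = None) -> str:
    """Connect, send SSLRequest, start TLS and return the cipher name.
    A name starting with DHE- means the server's DH parameters were used."""
    with socket.create_connection((host, port), timeout=5.0) as sock:
        if not server_offers_ssl(sock.recv(4096)):
            raise RuntimeError("server greeting does not advertise CLIENT_SSL")
        sock.sendall(build_ssl_request())
        ctx = ssl.create_default_context(cafile=cafile)
        if cafile is None:                 # no CA given: inspect cipher only
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()[0]


if __name__ == "__main__":
    print(negotiated_cipher("127.0.0.1"))  # assumed host; pass cafile=ca-cert.pem to verify
```

If the handshake aborts here with a DH-related OpenSSL error, the server is still offering parameters shorter than the client's OpenSSL accepts; a result such as AES256-SHA (RSA key exchange) is what the ssl-cipher=DEFAULT:!DH workaround produces.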

Comment 1 Blake 2015-07-02 17:35:40 UTC
The latest OpenSSL updates for RHEL 5 break MySQL SSL connections between RHEL 5 servers now as well. Please see above. Please note that this does not have to do with logging in as root. This error occurs before authentication.

Version-Release number of selected component (if applicable):
mysql-server.x86_64              5.0.95-5.el5_9
mysql (client)                   5.0.95-5.el5_9
openssl.x86_64                   0.9.8e-36.el5_11

Comment 3 Leonard den Ottolander 2015-07-18 15:07:53 UTC
The MySQL package for RHEL 6 got fixed a week after the openssl update breaking DH got released.

Three weeks after the one for RHEL 6 a similar openssl update for RHEL 5 gets released causing identical breakage. Perhaps the communication between the development teams for 5 and 6 could be improved?

This issue seems to be stuck in the NEEDINFO state. What info do you need?

Is an update of MySQL for RHEL 5 similar to the one released for RHEL 6 in the pipeline?

Comment 4 Leonard den Ottolander 2015-09-05 12:31:50 UTC
As it is unclear what info is requested and this issue seems to be stuck I unset the needinfo flag in the hope this issue gets picked up and resolved.

Comment 5 Tomas Hoger 2015-10-15 15:07:53 UTC
*** Bug 1272091 has been marked as a duplicate of this bug. ***

Comment 7 Chris Williams 2017-04-18 21:53:56 UTC
Red Hat Enterprise Linux 5 shipped its last minor release, 5.11, on September 14th, 2014. On March 31st, 2017 RHEL 5 exited Production Phase 3 and entered Extended Life Phase. For RHEL releases in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only. If the customer purchases the Extended Life-cycle Support (ELS), certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release will be provided. For more details please consult the Red Hat Enterprise Linux Life Cycle Page:
https://access.redhat.com/support/policy/updates/errata

This BZ does not appear to meet ELS criteria so is being closed WONTFIX. If this BZ is critical for your environment and you have an Extended Life-cycle Support Add-on entitlement, please open a case in the Red Hat Customer Portal, https://access.redhat.com, provide a thorough business justification and ask that the BZ be re-opened for consideration of an errata. Please note, only certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release can be considered.