+++ This bug was initially created as a clone of Bug #1228755 +++

Description of problem:
openssl 1.0.1e-30.el6_6.9 breaks MySQL SSL connections (affecting both client and replication). This affects EL6 clients connecting to EL5 servers.

Version-Release number of selected component (if applicable):
mysql-server.x86_64 5.0.95-5.el5_9
mysql (client) 5.1.73-3.el6_5
openssl.x86_64 1.0.1e-30.el6_6.9

How reproducible:
Always

Steps to Reproduce:
(as root)
yum update; yum install mysql-server
vim /etc/my.cnf

[mysqld]
ssl-ca=/var/lib/mysql/mysqlcerts/ca-cert.pem
ssl-cert=/var/lib/mysql/mysqlcerts/server-cert.pem
ssl-key=/var/lib/mysql/mysqlcerts/server-key.pem

[client]
ssl-ca=/var/lib/mysql/mysqlcerts/ca-cert.pem
ssl-cert=/var/lib/mysql/mysqlcerts/client-cert.pem
ssl-key=/var/lib/mysql/mysqlcerts/client-key.pem

mkdir /var/lib/mysql/mysqlcerts
cd /var/lib/mysql/mysqlcerts
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 1000 -key ca-key.pem -out ca-cert.pem
openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
chown mysql:mysql *
chmod 640 *
service mysql restart

Actual results:
ERROR 2026 (HY000): SSL connection error

Expected results:
Logged into mysql as root.

Additional info:
Non-SSL connections succeed. Setting ssl-cipher=DEFAULT:!DH does work as a temporary workaround.
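To see which suites the `ssl-cipher=DEFAULT:!DH` workaround removes on a given host, the following added example (not part of the original report) filters `openssl ciphers -v` output for suites whose key exchange is finite-field DH. The helper names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Print the names of cipher suites whose key exchange is finite-field DH,
# reading `openssl ciphers -v` output on stdin. Matches Kx=DH, Kx=DH(512)
# and Kx=DH/RSA, but not Kx=ECDH or Kx=DHEPSK.
dh_suites() {
    awk '{ for (i = 2; i <= NF; i++)
               if ($i ~ /^Kx=DH([^A-Za-z]|$)/) { print $1; break } }'
}

# Count the DH key-exchange suites a cipher string expands to with the
# local openssl build (prints 0 if the string matches nothing).
count_dh_for() {
    openssl ciphers -v "$1" 2>/dev/null | dh_suites | wc -l | tr -d ' '
}

# Constructed sample in the column layout of `openssl ciphers -v`.
sample_output() {
    cat <<'EOF'
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EOF
}

# Compare the default cipher list with the workaround string from the report.
if command -v openssl >/dev/null 2>&1; then
    for spec in 'DEFAULT' 'DEFAULT:!DH'; do
        echo "$spec: $(count_dh_for "$spec") suites with Kx=DH"
    done
fi
```

A count of zero for `DEFAULT:!DH` confirms that the workaround string leaves no DH key-exchange suites to negotiate with the local OpenSSL build.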
The latest OpenSSL updates for RHEL 5 break MySQL SSL connections between RHEL 5 servers now as well. Please see above. Please note that this does not have to do with logging in as root. This error occurs before authentication.

Version-Release number of selected component (if applicable):
mysql-server.x86_64 5.0.95-5.el5_9
mysql (client) 5.0.95-5.el5_9
openssl.x86_64 0.9.8e-36.el5_11
The MySQL package for RHEL 6 got fixed a week after the openssl update breaking DH got released. Three weeks after the one for RHEL 6 a similar openssl update for RHEL 5 gets released causing identical breakage. Perhaps the communication between the development teams for 5 and 6 could be improved? This issue seems to be stuck in the NEEDINFO state. What info do you need? Is an update of MySQL for RHEL 5 similar to the one released for RHEL 6 in the pipeline?
As it is unclear what info is requested and this issue seems to be stuck I unset the needinfo flag in the hope this issue gets picked up and resolved.
*** Bug 1272091 has been marked as a duplicate of this bug. ***
Red Hat Enterprise Linux 5 shipped its last minor release, 5.11, on September 14th, 2014. On March 31st, 2017 RHEL 5 exited Production Phase 3 and entered Extended Life Phase. For RHEL releases in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only. If the customer purchases the Extended Life-cycle Support (ELS), certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release will be provided.

For more details please consult the Red Hat Enterprise Linux Life Cycle Page: https://access.redhat.com/support/policy/updates/errata

This BZ does not appear to meet ELS criteria so is being closed WONTFIX. If this BZ is critical for your environment and you have an Extended Life-cycle Support Add-on entitlement, please open a case in the Red Hat Customer Portal, https://access.redhat.com, provide a thorough business justification and ask that the BZ be re-opened for consideration of an errata. Please note, only certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release can be considered.