Bug 467524 - Unable to establish SSL connection from community-release MySQL client to RH MySQL server
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: mysql
Version: 5.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Tom Lane
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-10-17 22:34 UTC by Nenad Opsenica
Modified: 2012-01-11 14:58 UTC (History)
CC: 3 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-01-11 14:58:18 UTC
Target Upstream Version:
Embargoed:


Attachments
patch proposed to upstream - yassl should send a message with no certificates (1.94 KB, patch), 2012-01-11 14:05 UTC, Honza Horak

Description Nenad Opsenica 2008-10-17 22:34:58 UTC
Description of problem:

It is not possible to establish SSL connection from community-release MySQL client (downloaded from MySQL site) to RH MySQL server. Both Linux and Windows community MySQL releases are not able to establish SSL connection to RHEL5 based MySQL server; the connection attempt ends with "ERROR 2026 (HY000): SSL connection error"

It is possible to connect from RH MySQL client to RH MySQL server; 
it is possible to connect from community client to community server; 
it is possible to connect from RH client to community server; 
it is NOT possible to establish SSL connection from community client to RH server.

Version-Release number of selected component (if applicable):
RH server and/or client: mysql-server-5.0.45-7.el5 (mysql-5.0.45-7.el5)
Community server and/or client: MySQL-server-community-5.0.67-0.rhel5 (MySQL-client-community-5.0.67-0.rhel5); on Windows mysql-essential-5.0.67-win32.msi

The same thing happens with 5.0.45 community release on Windows (mysql-essential-5.0.45-win32.msi)


Steps to Reproduce:
1. Install mysql-server-5.0.45-7.el5 (RedHat package)
2. Configure SSL - create test CA and generate certificate (http://dev.mysql.com/doc/refman/5.0/en/secure-using-ssl.html)
3. Install community MySQL-client-community-5.0.67-0.rhel5 (MySQL site/community downloads)
4. Try to establish SSL connection from community client to RH server
  
Actual results:
# mysql -h mysql_server_host -p --ssl-ca ~/temp/root-ca.pem
Enter password:
ERROR 2026 (HY000): SSL connection error


Expected results:
# mysql -h mysql_server_host -p --ssl-ca ~/temp/root-ca.pem
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 23
Server version: 5.0.......
...
mysql> \s
...
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
...

Comment 1 Tom Lane 2008-10-17 23:45:58 UTC
This most likely indicates that mysql's "yassl" SSL implementation is broken, ie, incapable of interoperating with openssl.  I'd suggest filing the bug with them.

Comment 2 Nenad Opsenica 2008-10-19 12:50:16 UTC
Reported bug on MySQL site: http://bugs.mysql.com/40141

Comment 3 Nenad Opsenica 2008-10-21 12:15:03 UTC
This is a bug with this MySQL version, solved in 5.0.58 and up.
Response from MySQL developer:

"As OpenSSL is used in that RedHat's binaries, it is likely a duplicate of bug #33050. That bug is fixed in 5.0.58 and up. So, please, upgrade server to 5.0.67."

Comment 4 Tom Lane 2008-10-22 15:17:09 UTC
Unfortunately, that was merely the easiest excuse to ignore the bug report :-(.  5.0.67 doesn't fix it, per the comment I added to the upstream bug.

Comment 5 Honza Horak 2012-01-11 14:05:50 UTC
Created attachment 552127
patch proposed to upstream - yassl should send a message with no certificates

This is what happens actually:

RFC 2246 (The TLS Protocol Version 1.0) says (section 7.4.6.): "If no suitable certificate is available, the client should send a certificate message containing no certificates."

However, yassl implementation doesn't send this message at all, but openssl expects the message (at least an empty one).

This patch fixes it and was also proposed to upstream (bugs.mysql.com/40141).

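The handshake detail in Comment 5 is easy to get wrong, so here is an added editorial example (not code from the bug report, from MySQL, yaSSL or OpenSSL, and not the attached patch). It encodes the TLS 1.0 Certificate handshake message exactly as RFC 2246 sections 7.4 and 7.4.2 lay it out, then models the check a strict server makes after it has sent CertificateRequest: the next message must be Certificate, possibly with an empty certificate_list, followed by ClientKeyExchange. A client flight that skips straight to ClientKeyExchange (the yaSSL behaviour described above) is rejected; the same flight with the seven-byte empty Certificate message in front is accepted. The ClientKeyExchange payload and the `strict_server_check` verdict strings are constructed for illustration and are not OpenSSL's. One caveat worth keeping in mind when reading traces: the empty Certificate message is the TLS 1.0 rule; under SSL 3.0 the same RFC section says a client with no certificate sends a no_certificate warning alert instead, so a capture of an SSLv3 handshake will look different from the TLS case discussed here.

```python
# Added example for this bug thread: it is not code from the bug report,
# from MySQL, yaSSL or OpenSSL. It encodes the TLS 1.0 Certificate
# handshake message of RFC 2246 section 7.4.6 and models the check a
# strict server makes after sending CertificateRequest, to show why a
# client flight that omits the (empty) Certificate message is rejected.
#
# Message layout per RFC 2246 7.4 and 7.4.2 (lengths are 24-bit big-endian):
#   Handshake:   msg_type(1) || length(3) || body
#   Certificate: certificate_list_len(3) || { cert_len(3) || DER cert }*
HS_CERTIFICATE = 11
HS_CLIENT_KEY_EXCHANGE = 16


def _u24(n: int) -> bytes:
    if not 0 <= n < 1 << 24:
        raise ValueError("value does not fit in 24 bits")
    return n.to_bytes(3, "big")


def _read_u24(buf: bytes, off: int) -> int:
    if off + 3 > len(buf):
        raise ValueError("truncated length field")
    return int.from_bytes(buf[off:off + 3], "big")


def handshake(msg_type: int, body: bytes) -> bytes:
    """Wrap a body in the generic Handshake header."""
    return bytes([msg_type]) + _u24(len(body)) + body


def certificate_message(certs: list) -> bytes:
    """Certificate handshake message; certs == [] yields the empty message a
    client with no suitable certificate must send (RFC 2246 7.4.6)."""
    entries = b"".join(_u24(len(c)) + c for c in certs)
    return handshake(HS_CERTIFICATE, _u24(len(entries)) + entries)


def parse_handshake_stream(data: bytes) -> list:
    """Split concatenated handshake messages into (msg_type, body) pairs."""
    msgs, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated handshake header")
        msg_type, length = data[off], _read_u24(data, off + 1)
        body = data[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake body")
        msgs.append((msg_type, body))
        off += 4 + length
    return msgs


def parse_certificate_list(body: bytes) -> list:
    """Decode a Certificate body into its list of DER certificates."""
    total = _read_u24(body, 0)
    if total != len(body) - 3:
        raise ValueError("certificate_list length mismatch")
    certs, off = [], 3
    while off < len(body):
        n = _read_u24(body, off)
        cert = body[off + 3:off + 3 + n]
        if len(cert) != n:
            raise ValueError("truncated certificate entry")
        certs.append(cert)
        off += 3 + n
    return certs


def strict_server_check(flight: bytes, sent_certificate_request: bool) -> str:
    """Model of a strict peer after CertificateRequest (the behaviour the bug
    thread attributes to OpenSSL): Certificate, empty or not, must come before
    ClientKeyExchange. Verdict strings are this example's own."""
    msgs = parse_handshake_stream(flight)
    expect_off, n_certs = 0, 0
    if sent_certificate_request:
        if not msgs or msgs[0][0] != HS_CERTIFICATE:
            return "reject: Certificate message missing after CertificateRequest"
        n_certs = len(parse_certificate_list(msgs[0][1]))
        expect_off = 1
    if len(msgs) <= expect_off or msgs[expect_off][0] != HS_CLIENT_KEY_EXCHANGE:
        return "reject: ClientKeyExchange missing"
    return "accept: %d client certificate(s)" % n_certs


# Constructed stand-in for ClientKeyExchange; a real one carries the encrypted
# premaster secret or a DH public value, which does not matter for this check.
CKE = handshake(HS_CLIENT_KEY_EXCHANGE, b"\x00\x02\x01\x02")


def yassl_style_flight() -> bytes:
    """Client with no certificate that omits the Certificate message."""
    return CKE


def rfc_style_flight() -> bytes:
    """Client with no certificate that sends the empty Certificate message."""
    return certificate_message([]) + CKE


if __name__ == "__main__":
    print(certificate_message([]).hex())
    print(strict_server_check(yassl_style_flight(), True))
    print(strict_server_check(rfc_style_flight(), True))
```

The empty Certificate message is seven bytes: type 0x0b, handshake length 3, and a zero 24-bit certificate_list length. That is the message the attached patch makes yaSSL emit; without it the server sees ClientKeyExchange where it expects Certificate, which surfaces on the client as the "SSL connection error" from the report.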
Comment 6 Tom Lane 2012-01-11 14:58:18 UTC
Great detective work, Honza!

Since we don't use the yassl code in RH mysql builds, there is no need to apply this patch ourselves.
So I'm going to mark this bug closed/upstream.

