Description of problem:
It is not possible to establish an SSL connection from the community-release MySQL client (downloaded from the MySQL site) to the RH MySQL server. Both the Linux and Windows community MySQL releases are unable to establish an SSL connection to the RHEL5-based MySQL server; the connection attempt ends with "ERROR 2026 (HY000): SSL connection error".

It is possible to connect from the RH MySQL client to the RH MySQL server; it is possible to connect from the community client to the community server; it is possible to connect from the RH client to the community server; it is NOT possible to establish an SSL connection from the community client to the RH server.

Version-Release number of selected component (if applicable):
RH server and/or client: mysql-server-5.0.45-7.el5 (mysql-5.0.45-7.el5)
Community server and/or client: MySQL-server-community-5.0.67-0.rhel5 (MySQL-client-community-5.0.67-0.rhel5); on Windows mysql-essential-5.0.67-win32.msi
The same thing happens with the 5.0.45 community release on Windows (mysql-essential-5.0.45-win32.msi).

Steps to Reproduce:
1. Install mysql-server-5.0.45-7.el5 (RedHat package)
2. Configure SSL - create a test CA and generate a certificate (http://dev.mysql.com/doc/refman/5.0/en/secure-using-ssl.html)
3. Install the community MySQL-client-community-5.0.67-0.rhel5 (MySQL site/community downloads)
4. Try to establish an SSL connection from the community client to the RH server

Actual results:
# mysql -h mysql_server_host -p --ssl-ca ~/temp/root-ca.pem
Enter password:
ERROR 2026 (HY000): SSL connection error

Expected results:
# mysql -h mysql_server_host -p --ssl-ca ~/temp/root-ca.pem
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 23
Server version: 5.0.......
...
mysql> \s
...
SSL: Cipher in use is DHE-RSA-AES256-SHA
...
This most likely indicates that mysql's "yassl" SSL implementation is broken, i.e., incapable of interoperating with openssl. I'd suggest filing the bug with them.
Reported bug on MySQL site: http://bugs.mysql.com/40141
This is a bug with this MySQL version, solved in 5.0.58 and up. Response from MySQL developer: "As OpenSSL is used in that RedHat's binaries, it is likely a duplicate of bug #33050. That bug is fixed in 5.0.58 and up. So, please, upgrade server to 5.0.67."
Unfortunately, that was merely the easiest excuse to ignore the bug report :-(. 5.0.67 doesn't fix it, per the comment I added to the upstream bug.
Created attachment 552127
patch proposed to upstream - yassl should send a message with no certificates

This is what actually happens: RFC 2246 (The TLS Protocol Version 1.0) says (section 7.4.6.): "If no suitable certificate is available, the client should send a certificate message containing no certificates." However, the yassl implementation doesn't send this message at all, but openssl expects the message (at least an empty one). This patch fixes it and was also proposed to upstream (bugs.mysql.com/40141).
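As an added illustration (not code from this bug report, nor from yassl or OpenSSL), the following Python encodes and parses TLS 1.0 Certificate handshake messages: it shows the 7-byte empty Certificate message the RFC asks for and checks whether a client flight sent after a CertificateRequest begins with one. The message layout follows RFC 2246 sections 7.4 and 7.4.2; the function and constant names are my own.

```python
# Added example (not from the bug report or the yassl/OpenSSL sources): encodes and
# parses TLS 1.0 Certificate handshake messages (RFC 2246 sections 7.4.2 / 7.4.6)
# and checks a client flight sent after a CertificateRequest for one.
HANDSHAKE_CERTIFICATE = 11          # HandshakeType certificate(11)
HANDSHAKE_CLIENT_KEY_EXCHANGE = 16  # HandshakeType client_key_exchange(16)

def u24(n):
    """TLS uint24 length field, big-endian."""
    return n.to_bytes(3, "big")

def certificate_message(certs):
    """Build a Certificate handshake message from a list of DER blobs.
    certificate_list is a <0..2^24-1> vector of ASN.1Cert <1..2^24-1> entries;
    an empty list yields the 3-byte body 00 00 00 that RFC 2246 7.4.6 asks for."""
    cert_list = b"".join(u24(len(c)) + c for c in certs)
    body = u24(len(cert_list)) + cert_list
    return bytes([HANDSHAKE_CERTIFICATE]) + u24(len(body)) + body

def parse_handshake_messages(flight):
    """Split a concatenated handshake flight into (msg_type, body) tuples."""
    out, i = [], 0
    while i + 4 <= len(flight):
        msg_type = flight[i]
        length = int.from_bytes(flight[i + 1:i + 4], "big")
        body = flight[i + 4:i + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake message")
        out.append((msg_type, body))
        i += 4 + length
    return out

def certificate_count(body):
    """Count entries in a Certificate message body (0 for the empty message)."""
    total = int.from_bytes(body[:3], "big")
    if total != len(body) - 3:
        raise ValueError("certificate_list length mismatch")
    count, i = 0, 3
    while i < len(body):
        clen = int.from_bytes(body[i:i + 3], "big")
        i += 3 + clen
        count += 1
    return count

def client_answered_certificate_request(flight):
    """After a CertificateRequest the client's flight must begin with a Certificate
    message (possibly empty); jumping straight to ClientKeyExchange is what OpenSSL rejects."""
    msgs = parse_handshake_messages(flight)
    return bool(msgs) and msgs[0][0] == HANDSHAKE_CERTIFICATE
```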
Great detective work, Honza! Since we don't use the yassl code in RH mysql builds, there is no need to apply this patch ourselves. So I'm going to mark this bug closed/upstream.