Bug 467524 - Unable to establish SSL connection from community-release MySQL client to RH MySQL server
Status: CLOSED UPSTREAM
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: mysql
Version: 5.2
Hardware: All Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Tom Lane
QA Contact: qe-baseos-daemons
Reported: 2008-10-17 18:34 EDT by Nenad Opsenica
Modified: 2012-01-11 09:58 EST
Doc Type: Bug Fix
Last Closed: 2012-01-11 09:58:18 EST
Attachments:
patch proposed to upstream - yassl should send a message with no certificates (1.94 KB, patch)
2012-01-11 09:05 EST, Honza Horak
Description Nenad Opsenica 2008-10-17 18:34:58 EDT
Description of problem:

It is not possible to establish an SSL connection from the community-release MySQL client (downloaded from the MySQL site) to the RH MySQL server. Both Linux and Windows community MySQL releases are unable to establish an SSL connection to a RHEL5-based MySQL server; the connection attempt ends with "ERROR 2026 (HY000): SSL connection error".

It is possible to connect from RH MySQL client to RH MySQL server; 
it is possible to connect from community client to community server; 
it is possible to connect from RH client to community server; 
it is NOT possible to establish SSL connection from community client to RH server.

Version-Release number of selected component (if applicable):
RH server and/or client: mysql-server-5.0.45-7.el5 (mysql-5.0.45-7.el5)
Community server and/or client: MySQL-server-community-5.0.67-0.rhel5 (MySQL-client-community-5.0.67-0.rhel5); on Windows mysql-essential-5.0.67-win32.msi

The same thing happens with 5.0.45 community release on Windows (mysql-essential-5.0.45-win32.msi)


Steps to Reproduce:
1. Install mysql-server-5.0.45-7.el5 (RedHat package)
2. Configure SSL - create test CA and generate certificate (http://dev.mysql.com/doc/refman/5.0/en/secure-using-ssl.html)
3. Install community MySQL-client-community-5.0.67-0.rhel5 (MySQL site/community downloads)
4. Try to establish SSL connection from community client to RH server
  
Actual results:
# mysql -h mysql_server_host -p --ssl-ca ~/temp/root-ca.pem
Enter password:
ERROR 2026 (HY000): SSL connection error


Expected results:
# mysql -h mysql_server_host -p --ssl-ca ~/temp/root-ca.pem
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 23
Server version: 5.0.......
...
mysql> \s
...
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
...
Comment 1 Tom Lane 2008-10-17 19:45:58 EDT
This most likely indicates that mysql's "yassl" SSL implementation is broken, i.e., incapable of interoperating with openssl.  I'd suggest filing the bug with them.
Comment 2 Nenad Opsenica 2008-10-19 08:50:16 EDT
Reported bug on MySQL site: http://bugs.mysql.com/40141
Comment 3 Nenad Opsenica 2008-10-21 08:15:03 EDT
This is a bug with this MySQL version, solved in 5.0.58 and up.
Response from MySQL developer:

"As OpenSSL is used in that RedHat's binaries, it is likely a duplicate of bug #33050. That bug is fixed in 5.0.58 and up. So, please, upgrade server to 5.0.67."
Comment 4 Tom Lane 2008-10-22 11:17:09 EDT
Unfortunately, that was merely the easiest excuse to ignore the bug report :-(.  5.0.67 doesn't fix it, per the comment I added to the upstream bug.
Comment 5 Honza Horak 2012-01-11 09:05:50 EST
Created attachment 552127
patch proposed to upstream - yassl should send a message with no certificates

This is what happens actually:

RFC 2246 (The TLS Protocol Version 1.0) says (section 7.4.6.): "If no suitable certificate is available, the client should send a certificate message containing no certificates."

However, the yassl implementation doesn't send this message at all, but openssl expects the message (at least an empty one).

This patch fixes it and was also proposed to upstream (bugs.mysql.com/40141).
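
The rule quoted in Comment 5, as an added example that is not part of the bug report or of the attached patch: a checker for a client's first handshake flight, which flags a missing Certificate message when the server asked for one. It assumes the input is the plaintext handshake byte stream with the record layer already stripped; all names and sample bytes below are constructed for illustration.

```python
# Handshake message types from RFC 2246, section 7.4.
CERTIFICATE, CERTIFICATE_REQUEST, CLIENT_KEY_EXCHANGE = 11, 13, 16

def handshake(msg_type, body):
    """Frame a handshake message: 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def empty_certificate():
    """Certificate message whose certificate_list (3-byte length) is empty."""
    return handshake(CERTIFICATE, (0).to_bytes(3, "big"))

def parse_handshakes(data):
    """Split a handshake byte stream into (type, body) tuples."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated handshake header")
        length = int.from_bytes(data[pos + 1:pos + 4], "big")
        body = data[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake body")
        out.append((data[pos], body))
        pos += 4 + length
    return out

def check_client_flight(server_msg_types, client_flight):
    """Diagnose the client's messages sent after ServerHelloDone."""
    if CERTIFICATE_REQUEST not in server_msg_types:
        return "ok: no certificate requested"
    msgs = parse_handshakes(client_flight)
    if not msgs or msgs[0][0] != CERTIFICATE:
        return "violation: Certificate message missing"
    body = msgs[0][1]
    if len(body) < 3 or int.from_bytes(body[:3], "big") != len(body) - 3:
        raise ValueError("malformed certificate_list length")
    if len(body) == 3:
        return "ok: empty certificate list"
    return "ok: certificate chain sent"

# Constructed sample data (not captured from a real connection).
# Server flight: ServerHello, Certificate, ServerKeyExchange,
# CertificateRequest, ServerHelloDone.
SERVER_TYPES = [2, 11, 12, 13, 14]
FAKE_KEY_EXCHANGE = handshake(CLIENT_KEY_EXCHANGE, b"\x00\x02\xab\xcd")
MISSING_CERT_FLIGHT = FAKE_KEY_EXCHANGE                      # behaviour Comment 5 describes
COMPLIANT_FLIGHT = empty_certificate() + FAKE_KEY_EXCHANGE   # RFC 2246, 7.4.6
```

The compliant empty message is the seven bytes `0b 00 00 03 00 00 00`: type 11, body length 3, certificate_list length 0.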
Comment 6 Tom Lane 2012-01-11 09:58:18 EST
Great detective work, Honza!

Since we don't use the yassl code in RH mysql builds, there is no need to apply this patch ourselves.
So I'm going to mark this bug closed/upstream.
