Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Not a Bug
    • Affects Version/s: 5.5.31
    • Fix Version/s: 5.5.32
    • Component/s: None
    • Labels:
      None
    • Environment:
      Debian squeeze 64 bit, packages from official MariaDB repositories

      Description

      Hi,

After switching from MySQL to MariaDB ( Server version: 5.5.31-MariaDB-1squeeze-log ) we lost the ability to connect via SSL to the server.

      We were using self-signed certificates generated via the method described here, and they worked well before the switch to MariaDB: http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html

      We get the following error messages when trying to connect on the same machine having both the client and the server.

      dpkg -s mysql-client
      Package: mysql-client
      Status: unknown ok not-installed
      Priority: optional
      Section: database
      
      dpkg -s mariadb-client
      Package: mariadb-client
      Status: install ok installed
      Priority: optional
      Section: database
      Installed-Size: 32
      Maintainer: MariaDB Developers <maria-developers@lists.launchpad.net>
      Architecture: all
      Source: mariadb-5.5
      Version: 5.5.31+maria-1~squeeze
      Depends: mariadb-client-5.5 (= 5.5.31+maria-1~squeeze)
      
      mysql -v -u user -p database --ssl-ca /etc/mysql/newcerts/ca-cert.pem --ssl-cert /etc/mysql/newcerts/client-cert.pem --ssl-key /etc/mysql/newcerts/client-key.pem
      Enter password:
      ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
      

      Thanks.

              Activity

              bacterie Catalin Stefanescu added a comment -

              Hi Elena,

              Thank you for your help.
              Using your instructions, I was able to generate some certificates and use SSL for connecting to MariaDB.

              openssl verify -CAfile /etc/mysql/newcerts/ca-cert.pem /etc/mysql/newcerts/server-cert.pem /etc/mysql/newcerts/client-cert.pem
              /etc/mysql/newcerts/server-cert.pem: OK
              /etc/mysql/newcerts/client-cert.pem: OK

              Thanks again for your support.

              elenst Elena Stepanova added a comment -

              Hi Sergei,

              Passing it to you for a verdict.
              Long story short, there are certain combinations of certificates created through openssl which make openssl suspicious. In our example it happens because all information in CA certificate and server/client certificate is identical. On certificate verification, openssl itself throws an error.

              MariaDB using the openssl library refuses to connect with such certificates. MySQL (and I suppose MariaDB) using yaSSL allows connecting all right.

              On one hand, it looks like openssl-based builds behave in a more correct way, since the library itself thinks that the certificates are not trustworthy.
              On the other hand, at this point it's a regression for many people who have been using such certificates forever and suddenly started getting an error.

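The following is an added example, not code from the bug report or from MariaDB: it generates a CA and server/client certificates whose subject DNs differ from the CA's (the combination the comment above says makes openssl suspicious is identical DNs), then runs the same openssl verify check as in the earlier comment. It assumes the openssl command-line tool is installed; the CNs and the scratch directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the bug report): build a CA plus server and
# client certificates whose subject DNs differ from the CA's, and check them
# the way the comments above do. Names and paths here are constructed.
set -eu

CERTDIR="${CERTDIR:-$(mktemp -d)}"   # assumption: a writable scratch directory

# gen_ca DIR: self-signed CA with a CN that no leaf certificate reuses
gen_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
        -subj "/CN=Example Test CA" \
        -keyout "$1/ca-key.pem" -out "$1/ca-cert.pem" 2>/dev/null
}

# gen_leaf DIR NAME CN: key + CSR for NAME, signed by the CA in DIR
gen_leaf() {
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
        -keyout "$1/$2-key.pem" -out "$1/$2-req.pem" 2>/dev/null
    openssl x509 -req -days 365 -sha256 -CAcreateserial \
        -CA "$1/ca-cert.pem" -CAkey "$1/ca-key.pem" \
        -in "$1/$2-req.pem" -out "$1/$2-cert.pem" 2>/dev/null
}

# subject_equals_issuer CERT: succeeds when subject and issuer DNs are
# identical. Expected for a CA; for a server/client cert it is the
# combination the report describes, which OpenSSL treats as a broken
# self-signed certificate and rejects.
subject_equals_issuer() {
    subj=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')
    iss=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')
    [ "$subj" = "$iss" ]
}

# verify_chain DIR: the same openssl verify run as in the comment above;
# counts ": OK" lines because old openssl versions exit 0 even on failure
verify_chain() {
    out=$(openssl verify -CAfile "$1/ca-cert.pem" \
          "$1/server-cert.pem" "$1/client-cert.pem" 2>&1) || return 1
    printf '%s\n' "$out"
    [ "$(printf '%s\n' "$out" | grep -c ': OK$')" -eq 2 ]
}

gen_ca "$CERTDIR"
gen_leaf "$CERTDIR" server "mariadb.example.test"
gen_leaf "$CERTDIR" client "mariadb-client"
verify_chain "$CERTDIR"
```

Running subject_equals_issuer against an existing server or client certificate is a quick way to tell whether a certificate set was generated with identical DNs before pointing the MariaDB client at it.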
              serg Sergei Golubchik added a comment -

              I'd say it's not a bug. One can use SSL certificates. The command-line openssl complains that they are invalid. It's logical to expect that they won't work. In this case it's not our random decision, but a standard SSL verification tool that rejects them. One could even argue that it was a bug that invalid certificates worked at all.

              elenst Elena Stepanova added a comment -

              An additional note for those who might have found this issue while looking up the problem.

              There is also Percona bug report https://bugs.launchpad.net/percona-server/+bug/1169505, currently there is a user who says they are not getting an error on openssl verify, but still can't connect using the certificates after upgrade from one Percona version to another. It's hard to say whether it's a user error or a different problem.

              If you observe similar behavior on a MariaDB version (no errors on openssl verify, but can't connect), please leave a comment with any information you can provide (see the previous discussion here for hints on what might be useful).

              turksheadsw Sam Wilson added a comment -

              I was having the same problem and this workaround fixed it for me.

              One added difficulty in my case was that I had an invalid path specified in my.cnf for the `ssl-ca` setting and it was returning the same exact error code/message. Once I fixed that and then applied this workaround, everything worked just fine.

              I'm on CentOS 5.8, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008, and MySQL 5.5.27.

              Please don't mind the older versions of everything, I'm in the process of migrating off of this server by end of month.

              Thank you very much for the fix/workaround.


                People

                • Assignee:
                  serg Sergei Golubchik
                • Reporter:
                  bacterie Catalin Stefanescu
                • Votes:
                  0
                • Watchers:
                  5