mysql client package has broken SSL support

Bug #359309 reported by Todd Lipcon
Affects: mysql-dfsg-5.1 (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Unassigned
Milestone: (none)

Bug Description

Binary package hint: mysql-client-5.0

The OpenSSL client support in the mysql client appears to be broken. I am unable to connect via SSL to a working SSL-enabled mysql server (running on a redhat box).

Compiling mysql 5.0 from source with --with-openssl, I am able to connect just fine.

Editing debian/rules to change --with-yassl to --without-yassl, and --without-openssl to --with-openssl, also fixed my problem.

This may be a bug against yassl - feel free to refile.

FWIW, the SSL certs are self-signed with no CA. (--ssl-ca=/dev/null on the mysql client option)

Release: Intrepid
Package: 5.0.67-0ubuntu6 0

-Todd

Bryan Jacobs (b-q3q) wrote :

Seconded - bug still present in Jaunty release version.

Package as shipped does not work against a Gentoo MySQL 5.0 server using a CACert certificate nor one using a StartCom cert.

Completely fixed by building against MySQL instead of YaSSL.

Mathias Gug (mathiaz) wrote :

Could you check if you're running into upstream bug http://bugs.mysql.com/bug.php?id=29841 ?

Changed in mysql-dfsg-5.0 (Ubuntu):
status: New → Incomplete
Bryan Jacobs (b-q3q) wrote :

That upstream bug looks likely to be the cause. I don't use client certificates. But regardless of the source of the error, shouldn't Ubuntu build its package in a way that works rather than one that doesn't? OpenSSL is already installed on the stock system (even openssh relies on libssl) - does YaSSL provide some compelling advantage? What rationale was there for building MySQL against an alternative library? I doubt that whoever made that decision reasoned it through; if they had, they would probably have tested the most common use case for SSL connections and made sure the two libraries could be interchanged.

I think the right solution here is to switch MySQL to build against OpenSSL rather than yassl, in the absence of an upstream recommendation or a solid rationale for making the opposite decision.

Mathias Gug (mathiaz) wrote : Re: [Bug 359309] Re: mysql client package has broken SSL support

On Mon, Jun 15, 2009 at 10:26:31PM -0000, Bryan Jacobs wrote:
> That upstream bug looks likely to be the cause. I don't use client
> certificates. But regardless of the source of the error, shouldn't
> Ubuntu build its package in a way that works rather than one that
> doesn't? OpenSSL is already installed on the stock system (even openssh
> relies on libssl) - does YaSSL provide some compelling advantage? What
> rationale was there for building MySQL against an alternative library?

There are some licensing incompatibilities between openssl and GPL
software.

See http://www.gnome.org/~markmc/openssl-and-the-gpl.html for an
overview of the issue.

If you could describe a test case so that the bug can easily be
reproduced it would be very helpful to get this issue sorted out.

--
Mathias Gug
Ubuntu Developer http://www.ubuntu.com

Mathias Gug (mathiaz)
Changed in mysql-dfsg-5.0 (Ubuntu):
importance: Undecided → Low
Chuck Short (zulcss)
Changed in mysql-dfsg-5.0 (Ubuntu):
status: Incomplete → Confirmed
Chuck Short (zulcss) wrote :

Please test under lucid.

Regards
chuck

affects: mysql-dfsg-5.0 (Ubuntu) → mysql-dfsg-5.1 (Ubuntu)
Jon Johnson (jon-bigjjs) wrote :

I am unable to use a 10.04 mysql client to connect to a RHEL 5 mysql server using ssl. I assume that this is the problem because I can connect RHEL 5 -> RHEL 5 just fine. Can I provide more information?

Chuck Short (zulcss) wrote :

Yes you can provide more information. Have you tried:

mysql --ssl -u root -p

Thanks
chuck

Simon Déziel (sdeziel) wrote :

MySQL 5.1 has long been EOL in Ubuntu and upstream. Please open a new bug if MySQL 5.7 or MySQL 8.0 as shipped in a currently supported Ubuntu version still has the problem.

Changed in mysql-dfsg-5.1 (Ubuntu):
status: Confirmed → Fix Released