SSL connection error: protocol version mismatch

Bug #1007164 reported by mgrennan
Affects | Status | Importance | Assigned to | Milestone
MySQL Server | Unknown | Unknown | |
Percona Server (moved to https://jira.percona.com/projects/PS) | Status tracked in 5.7 | | |
  5.1 | Won't Fix | Undecided | Unassigned |
  5.5 | Incomplete | Undecided | Unassigned |
  5.6 | Incomplete | Undecided | Unassigned |
  5.7 | Incomplete | Undecided | Unassigned |

Bug Description

Percona Server (MySQL) version Ver 5.5.23-55-log for Linux on x86_64 (Percona Server (GPL), Release rel25.3, Revision 240)

This is added to my.cnf
[mysqld]
ssl-ca = /root/newcerts/ca-cert.pem
ssl-cipher = DHE-RSA-AES256-SHA:AES128-SHA

MySQL shows SSL is enabled and working.
mysql> show global variables like '%Ssl%';
+---------------+-------------------------------+
| Variable_name | Value |
+---------------+-------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /root/newcerts/ca-cert.pem |
| ssl_capath | |
| ssl_cert | |
| ssl_cipher | DHE-RSA-AES256-SHA:AES128-SHA |
| ssl_key | |
+---------------+-------------------------------+

No matter how I connect (-h) or who I connect as (-u), I get the same message when trying to use SSL.

mysql --ssl-ca=/root/newcerts/ca-cert.pem
ERROR 2026 (HY000): SSL connection error: protocol version mismatch

Tags: ssl upstream
Revision history for this message
mgrennan (mark-grennan) wrote :

To make this really complete... Here is the cert.

Revision history for this message
Sebastian (sebastian-seo) wrote :

Hi,

I can confirm the same. It looks like mysql cannot handle certificate files generated with openssl versions newer than 0.9.*. An old version of openssl (from CentOS 5.8) produced certificates that worked.

Regards

Revision history for this message
Laurynas Biveinis (laurynas-biveinis) wrote :

Is this failure Percona Server-specific or does MySQL 5.5.23 fail too in the same way?

Revision history for this message
Sebastian (sebastian-seo) wrote :

This issue also occurs in MySQL 5.5.23

Revision history for this message
Alexey Kopytov (akopytov) wrote :

The upstream bug has not been verified so far. We don't have a reproducible procedure either. Which means the correct status is New, not Confirmed/Triaged.

Revision history for this message
Raghavendra D Prabhu (raghavendra-prabhu) wrote :

Tested and works fine. (both mysql and PS)

>>mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.5.27-log Source distribution

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> grant ALL on *.* to 'testuser'@'localhost' identified by 'test' require ssl;
Query OK, 0 rows affected (0.00 sec)

mysql> Bye

>>mysql -u testuser -ptest
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.5.27-log Source distribution

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \s
--------------
mysql Ver 14.14 Distrib 5.5.27, for Linux (x86_64) using readline 5.1

Connection id: 6
Current database:
Current user: testuser@localhost
SSL: Cipher in use is DHE-RSA-AES256-SHA
Current pager: less -R -i -M -s -j.5 -J -W -z-5
Using outfile: ''
Using delimiter: ;
Server version: 5.5.27-log Source distribution
Protocol version: 10
Connection: Localhost via UNIX socket
Server characterset: utf8
Db characterset: utf8
Client characterset: utf8
Conn. characterset: utf8
UNIX socket: /var/run/mysqld/mysqld.sock
Uptime: 10 min 30 sec

Threads: 1 Questions: 30 Slow queries: 0 Opens: 33 Flush tables: 1 Open tables: 26 Queries per second avg: 0.047
--------------

Generation:

I generated certificates as follows: (thanks to http://serverfault.com/a/399581)

openssl req -x509 -newkey rsa:1024 \
-keyout server-key-enc.pem -out server-cert.pem \
-subj '/DC=com/DC=example/CN=server' -passout pass:qwerty

openssl rsa -in server-key-enc.pem -out server-key.pem \
-passin pass:qwerty -passout pass:

openssl req -x509 -newkey rsa:1024 \
-keyout client-key-enc.pem -out client-cert.pem \
-subj '/DC=com/DC=example/CN=client' -passout pass:qwerty

openssl rsa -in client-key-enc.pem -out client-key.pem \
-passin pass:qwerty -passout pass:

cat server-cert.pem client-cert.pem > ca.pem

with configuration being:

ssl-ca=/qemu/share/certs/ca.pem
ssl-cert=/qemu/share/certs/client-cert.pem
ssl-key=/qemu/share/certs/client-key.pem

under [client]

and

ssl-ca=/qemu/share/certs/ca.pem
ssl-cert=/qemu/share/certs/server-cert.pem
ssl-key=/qemu/share/certs/server-key.pem

under [mysqld]

===============================

The key (as also mentioned in serverfault link) is to note that the certs are self-signed and follow procedure for them (like -x509 to req)

Revision history for this message
Myatus (myatus) wrote :

Make sure that the Common Name (CN) of the Server certificate does NOT match that of the Client, which is hinted in #6 with "CN=client" and "CN=server"

Revision history for this message
Tamas Papp (tompos) wrote :

This bug still exists.
Upstream bug report:
http://bugs.mysql.com/bug.php?id=64870

However, the workaround doesn't work for me.

Revision history for this message
Tamas Papp (tompos) wrote :

Works fine with certificates created by openssl 0.9.8o from debian squeeze.

Revision history for this message
Andrian Jardan (andrianjardan) wrote :

The official guide (http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html) has -set_serial 01 for both the server and client certificates, which is the reason the issue appears.

Use -set_serial 02 for the client certificate, and everything should be good. Make sure the output of the check command is the same as in the howto (openssl verify ...).
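The two certificate mistakes this thread converges on (comment #6: client and server need distinct Common Names; the comment above: the client must not reuse the server's serial) can be checked before touching the server. The script below is an added example, not code from the thread or from the MySQL documentation; it assumes `openssl` is on PATH, and the CA name `example-ca`, the helper names and the `WORK` directory are constructed for the example.

```shell
#!/bin/sh
# Constructed example, not from the bug thread or the MySQL docs: issue a CA,
# a server cert and a client cert so that the two leaf certs differ in BOTH
# Common Name and serial number (the two mistakes the thread identifies), then
# verify those properties before blaming the server. Assumes openssl on PATH.
set -eu

# Issue one leaf cert from the CA in $1 with CN=$2 and serial $3, named $4.
issue_leaf() {
    dir="$1"; cn="$2"; serial="$3"; name="$4"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$name-key.pem" \
        -out "$dir/$name-req.pem" -subj "/CN=$cn" >/dev/null 2>&1
    openssl x509 -req -in "$dir/$name-req.pem" -days 365 -sha256 \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -set_serial "$serial" \
        -out "$dir/$name-cert.pem" >/dev/null 2>&1
}

# CA plus the server (serial 01) and client (serial 02, different CN) certs.
make_mysql_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
        -keyout "$1/ca-key.pem" -out "$1/ca-cert.pem" -subj '/CN=example-ca' \
        >/dev/null 2>&1
    issue_leaf "$1" server 01 server
    issue_leaf "$1" client 02 client
}

# 0: both certs chain to the CA and differ in serial and subject.
# 1: a cert does not verify; 2: same serial; 3: same subject.
check_cert_pair() {
    ca="$1"; a="$2"; b="$3"
    openssl verify -CAfile "$ca" "$a" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$ca" "$b" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$a" -noout -serial)" != \
      "$(openssl x509 -in "$b" -noout -serial)" ] || return 2
    [ "$(openssl x509 -in "$a" -noout -subject)" != \
      "$(openssl x509 -in "$b" -noout -subject)" ] || return 3
}

WORK="${WORK:-$(mktemp -d)}"
make_mysql_certs "$WORK"
if check_cert_pair "$WORK/ca-cert.pem" "$WORK/server-cert.pem" "$WORK/client-cert.pem"; then
    echo "OK: server and client certs are distinct and chain to $WORK/ca-cert.pem"
else
    echo "cert pair problem, rc=$?"
fi
```

Point `ssl-ca`, `ssl-cert` and `ssl-key` in `[mysqld]` and `[client]` at the generated files; re-issuing the client with `-set_serial 01` makes `check_cert_pair` return 2, which is the duplicate-serial case from the guide.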

Revision history for this message
Valerii Kravchuk (valerii-kravchuk) wrote :

All reporters,

Do you agree that with certificates properly created this problem is not repeatable?

Changed in percona-server:
status: New → Incomplete
tags: added: upstream
Revision history for this message
Anatoli (anatoli) wrote :

If you tried everything, but SSL is not working, and at the same time you're running mysqld in chroot, then the cause for the errors like:

ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)

or

ERROR 2026 (HY000): SSL connection error: protocol version mismatch

could be that you forgot to create dev/random and dev/urandom devices in the chroot environment (and openssl lib can't obtain entropy - it opens these devices *after* chroot). You can do that this way (replace /srv/mysqld with your chroot dir and mysqld with the user mysqld is running under):

sudo install -d -o mysqld -g mysqld -m 500 /srv/mysqld/dev
sudo mknod -m 444 /srv/mysqld/dev/random c 1 8
sudo mknod -m 444 /srv/mysqld/dev/urandom c 1 9

Revision history for this message
Shahriyar Rzayev (rzayev-sehriyar) wrote :

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-2759
