MySQL SSL error, only when connecting from windows/osX

I am using openssl to generate ssl certificates that I am using to connect to mysql with SSL encryption. This works fine while I am connecting from the local host environement (even when I connect over the servers public IP, I have also connected successfully from the web server boxes). However, When I try to connect from my local dev machine I get an SSL errror.

When connecting from hosting platform

mysql -u metrics -p -h 45.33.x.x --ssl-key=client-key.pem --ssl-ca=ca.pem --ssl-cert=client-cert.pem
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 136 ...

When connecting from Mac dev machine, I used scp to copy the cert/key files to my dev machine

mysql -u metrics -h 45.33.x.x -p --ssl-key=client-key.pem --ssl-cert=client-cert.pem --ssl-ca=ca.pem
Enter password:
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)

Here is what I have done to try to solve this problem

  1. I have generated checksums of cert/key/ca on the server and local machine, they are identical
  2. I have looked at Can't connect to MySQL 5.5 with SSL server fault question neither idea solved the problem
  3. I have debugged SSL by starting the openSSL server (on the mysql server) and connecting from my local machine, once again no problems.

If it makes a difference the servers are all running ubuntu 14.04 with openSSL "OpenSSL 1.0.1f 6 Jan 2014" and I am connecting from osX 10.10.4 with openSSL "OpenSSL 1.0.2c 12 Jun 2015"

So any ideas?


Solution 1:

This looks like a cipher related problem. Try adding the option on both server and client: --ssl-cipher=AES128-SHA. You can use any other suite present both sides in the output of openssl ciphers HIGH.

It's also possible that the MySQL client config file includes ssl-verify-server-cert option, if so remove it or (safer) use a domain name from server's certificate CN.

If it still fails you can:

  1. Sniff your connection with tcpdump or Wireshark, look at TLS handshake.
  2. Workaround the problem with stunnel or VPN.