MySQL SSL error, only when connecting from windows/osX

mysql ssl openssl

I am using openssl to generate ssl certificates that I am using to connect to mysql with SSL encryption. This works fine while I am connecting from the local host environement (even when I connect over the servers public IP, I have also connected successfully from the web server boxes). However, When I try to connect from my local dev machine I get an SSL errror.

When connecting from hosting platform

mysql -u metrics -p -h 45.33.x.x --ssl-key=client-key.pem --ssl-ca=ca.pem --ssl-cert=client-cert.pem
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 136 ...

When connecting from Mac dev machine, I used scp to copy the cert/key files to my dev machine

mysql -u metrics -h 45.33.x.x -p --ssl-key=client-key.pem --ssl-cert=client-cert.pem --ssl-ca=ca.pem
Enter password:
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)

Here is what I have done to try to solve this problem

  1. I have generated checksums of cert/key/ca on the server and local machine, they are identical
  2. I have looked at Can't connect to MySQL 5.5 with SSL server fault question neither idea solved the problem
  3. I have debugged SSL by starting the openSSL server (on the mysql server) and connecting from my local machine, once again no problems.

If it makes a difference the servers are all running ubuntu 14.04 with openSSL "OpenSSL 1.0.1f 6 Jan 2014" and I am connecting from osX 10.10.4 with openSSL "OpenSSL 1.0.2c 12 Jun 2015"

So any ideas?


Solution 1:

This looks like a cipher related problem. Try adding the option on both server and client: --ssl-cipher=AES128-SHA. You can use any other suite present both sides in the output of openssl ciphers HIGH.

It's also possible that the MySQL client config file includes ssl-verify-server-cert option, if so remove it or (safer) use a domain name from server's certificate CN.

If it still fails you can:

  1. Sniff your connection with tcpdump or Wireshark, look at TLS handshake.
  2. Workaround the problem with stunnel or VPN.

Related

Nginx and buffering of big responses
Get rid of Skype for Business warning about Exchange
How to extract X.509 certificate from live network traffic automatically on Linux OS
Create a new objectClass in order to add a custom attribute to an existing objectClass
Setting up IPSEC on LAN between two hosts (OpenBSD)
Nginx: How to redirect to https, but not for subdomain
ZFS keeps faulting the same device
Are caching proxy servers still be helpful for saving bandwith, now that major services have migrated to https?
Nginx + Wordpress in subdirectory
Does zfs send scrub the sent data?
mdadm - stuck reshape operation
Run javascript function on cells of CSV / excel file