I'm having difficulty with MySQL and OpenSSL. I'm running MySQL 5.7 and OpenSSL 1.1.0g on Ubuntu 16.04.

Regardless of what certificates I load, MySQL starts up but does not establish a connection over SSL if the certificates are verified. For example, if I allow it to create its own certs, this is in /var/log/mysql/error.log:

2019-02-17T09:42:25.666293Z 0 [Note] Found ca.pem, server-cert.pem and server-key.pem in data directory. Trying to enable SSL support using them.

2019-02-17T09:42:25.666543Z 0 [Warning] CA certificate ca.pem is self signed.

Normal enough. But: /usr/bin/openssl s_client -connect localhost:3306 gives me this:

CONNECTED(00000003)

140234876264896:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:

If I create a separate CA and self-signed certs with openssl, it doesn't make any difference - same error. As a last resort I tried using my web server's LetsEncrypt certificate with the LE CA cert to avoid using a self-signed cert, with exactly the same result.

Turns out any application trying to connect, like phpMyAdmin, fails with an OpenSSL error too, unless it is allowed to connect insecurely.

If I set $cfg['Servers'][$i]['ssl_verify'] = false; in phpMyAdmin/admin/config.inc.php it connects over SSL, but with a "not verified" warning.

From that, I think it looks like a CA error specifically, not a certificate error, but since I'm getting the same result regardless of what CA cert is configured, I'm at a loss. Any suggestions?


Solution 1:

MySQL SSL connections are not just a standard SSL connection with a MySQL connection inside.

When establishing such a connection, the MySQL client first handshakes with the server using the MySQL plaintext protocol, then (if both sides agree to use SSL) starts the SSL connection on the same TCP connection.

OpenSSL or other general-purpose SSL clients can't understand the MySQL plaintext protocol; they try to establish an SSL connection directly, without the MySQL-specific handshake, and then report a version error because what they are talking to is not a standard SSL server at all.

Documentation on how MySQL establishes an SSL connection: https://dev.mysql.com/doc/internals/en/ssl.html
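To make the answer concrete, here is an added Python example (not from the question, the answer, or MySQL's own code) that does what a MySQL client does before TLS starts: read the plaintext HandshakeV10 greeting, check the CLIENT_SSL capability bit, send the SSLRequest packet, and only then wrap the same socket in TLS. The greeting bytes are constructed for offline use, and the host, port and CA path in the usage comment are placeholders. It also shows why a plain `openssl s_client` fails: the server speaks first, and the greeting's first bytes, read as a TLS record header, carry no TLS version, which is exactly the "wrong version number" report. Newer OpenSSL releases (1.1.1 and later) add `-starttls mysql` to s_client for this protocol; the 1.1.0g in the question does not have it.

```python
import socket
import ssl
import struct

# MySQL capability flags (values from the MySQL client/server protocol)
CLIENT_PROTOCOL_41 = 0x00000200        # 4.1 packet layout
CLIENT_SSL = 0x00000800                # peer can switch the stream to TLS
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000


def frame(seq, payload):
    """Wrap a payload in the MySQL packet header: 3-byte LE length + 1-byte sequence id."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def unframe(data):
    """Split one framed packet off a byte buffer; returns (seq, payload, rest)."""
    length = int.from_bytes(data[:3], "little")
    return data[3], data[4:4 + length], data[4 + length:]


def parse_handshake(payload):
    """Parse the Protocol::HandshakeV10 greeting the server sends before the client says anything."""
    if not payload or payload[0] != 0x0A:
        raise ValueError("not a HandshakeV10 greeting")
    end = payload.index(b"\x00", 1)
    server_version = payload[1:end].decode("ascii", "replace")
    pos = end + 1
    (connection_id,) = struct.unpack_from("<I", payload, pos)
    pos += 4 + 8 + 1                      # connection id, auth-plugin-data-part-1, filler byte
    (cap_lower,) = struct.unpack_from("<H", payload, pos)
    pos += 2
    charset = payload[pos]
    pos += 1
    status, cap_upper = struct.unpack_from("<HH", payload, pos)
    capabilities = cap_lower | (cap_upper << 16)
    return {
        "server_version": server_version,
        "connection_id": connection_id,
        "charset": charset,
        "status": status,
        "capabilities": capabilities,
        "supports_ssl": bool(capabilities & CLIENT_SSL),
    }


def build_ssl_request(max_packet=16 * 1024 * 1024, charset=33):
    """Protocol::SSLRequest: 32-byte payload, sequence id 1, telling the server TLS starts next."""
    caps = CLIENT_PROTOCOL_41 | CLIENT_SSL | CLIENT_SECURE_CONNECTION
    payload = struct.pack("<IIB", caps, max_packet, charset) + b"\x00" * 23
    return frame(1, payload)


def tls_record_view(data):
    """Read the first bytes the way a TLS library does: content type, then a 2-byte version.
    A MySQL greeting begins with its packet length, so the 'version' is garbage and OpenSSL
    rejects it as a wrong version number."""
    return {"content_type": data[0], "version": (data[1], data[2]),
            "is_tls_record": data[0] == 0x16 and data[1] == 0x03}


def sample_greeting(with_ssl=True):
    """Constructed HandshakeV10 packet (not captured from a real server) for offline use."""
    caps = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
    if with_ssl:
        caps |= CLIENT_SSL
    payload = (b"\x0a" + b"5.7.25-log\x00" + struct.pack("<I", 42)
               + b"abcdefgh" + b"\x00"                       # auth data part 1, filler
               + struct.pack("<H", caps & 0xFFFF) + b"\x21"  # lower caps, utf8 charset
               + struct.pack("<H", 0x0002)                   # status: SERVER_STATUS_AUTOCOMMIT
               + struct.pack("<H", caps >> 16) + b"\x15" + b"\x00" * 10
               + b"ijklmnopqrst\x00" + b"mysql_native_password\x00")
    return frame(0, payload)


def starttls_mysql(host, port, ctx, timeout=5.0):
    """Read the plaintext greeting, send SSLRequest, then run TLS on the same socket.
    Returns (tls_socket, parsed_greeting). This is the step s_client skips."""
    sock = socket.create_connection((host, port), timeout=timeout)
    buf = b""
    while len(buf) < 4 or len(buf) < 4 + int.from_bytes(buf[:3], "little"):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed before sending a greeting")
        buf += chunk
    _, greeting, _ = unframe(buf)
    info = parse_handshake(greeting)
    if not info["supports_ssl"]:
        sock.close()
        raise RuntimeError("server did not advertise CLIENT_SSL; TLS is not enabled on it")
    sock.sendall(build_ssl_request())
    return ctx.wrap_socket(sock, server_hostname=host), info


if __name__ == "__main__":
    # Against a live server (placeholder host, port and CA path):
    #   ctx = ssl.create_default_context(cafile="/path/to/ca.pem")
    #   tls, info = starttls_mysql("localhost", 3306, ctx)
    info = parse_handshake(unframe(sample_greeting())[1])
    print(info["server_version"], "advertises TLS:", info["supports_ssl"])
    print("greeting read as a TLS record:", tls_record_view(sample_greeting()))
```

Once `starttls_mysql` returns, certificate verification is the ordinary TLS step: the CA given to the `SSLContext` must chain to the server certificate, and the `server_hostname` must match it. The phpMyAdmin behaviour in the question fits that split: with `ssl_verify` disabled the TLS handshake still succeeds, because the chain is simply never checked.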