MySQL 5.1.66 SSL connection error ERROR 2026 (HY000)

MySQLreplicationssl

UPDATE2

Using WireShark I found out the problem string (I hope I did):

28 | 9.582638 | 192.168.18.128 | 192.168.18.129 | MySQL Response Error 1043

And the error is (according to docs):

Error: 1043 SQLSTATE: 08S01 (ER_HANDSHAKE_ERROR)
Message: Bad handshake

Here are the screenshots of WireShark in two cases:

Connection from Windows 8 (Success):

enter image description here

Connection from CentOS (Fail):

enter image description here

Why does this happen?

UPDATE

One interesting notice:
I have successfully connected with Master DB using Windows 8 (192.168.18.1) by modifying ssluser setting on Master for 192.168.18.1 host – made a change: from REQUIRE SSL to REQUIRE X509. However this doesn't work in our case with slave-to-master connection.

I have faced with SSL replication problem in CentOS-6.3. I am using OpenSSL to create both clients and server certificates and both clients and server certificates are signed by the same CA.

Server IP: 192.168.18.128
Slave  IP: 192.168.18.129
MySQL version 5.1.66 SSL

All certificates I receive using "Setting Up SSL Certificates and Keys for MySQL" section of MySQL help pages.

Server's my.cnf file:

[mysqld]
ssl-key=/etc/mysql/certs/server-key.pem
ssl-cert=/etc/mysql/certs/server-cert.pem
ssl-ca=/etc/mysql/certs/ca-cert.pem

Client's my.cnf file:

[client]
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-key=/etc/mysql/ssl/client-key.pem
ssl-cert=/etc/mysql/ssl/client-cert.pem

On Master I setup slave user with SSL like this:

CREATE USER 'ssluser'@'192.168.18.129' IDENTIFIED BY 'sslpass';
GRANT REPLICATION SLAVE ON *.* TO 'ssluser'@'192.168.18.129' REQUIRE SSL;

To update Slave I am using the following command (according to show master status command):

SLAVE STOP;
CHANGE MASTER TO \
             MASTER_HOST='192.168.18.128',                      \
             MASTER_USER='sslreplicant',                        \
             MASTER_PASSWORD='db.sslreplicantprimary',          \
             MASTER_LOG_FILE='mysql-bin.000026',                \
             MASTER_LOG_POS=106,                                \
             MASTER_SSL=1,                                      \
             MASTER_SSL_CA='/etc/mysql/certs/ca-cert.pem',      \
             MASTER_SSL_CAPATH='/etc/mysql/certs/',             \
             MASTER_SSL_CERT='/etc/mysql/certs/client-cert.pem',\
             MASTER_SSL_KEY='/etc/mysql/certs/client-key.pem';
SLAVE START;

Replication itself works fine:

mysql> SHOW VARIABLES LIKE '%ssl%';

have_openssl  = YES
have_ssl      = YES
ssl_ca        = /etc/mysql/certs/ca-cert.pem
ssl_capath    =
ssl_cert      = /etc/mysql/certs/server-cert.pem
ssl_cipher    =
ssl_key       = /etc/mysql/certs/server-key.pem

This is both – on Master and on Slave.

But when I manually check the connection from Slave to Master I receive an error.

Here are the options I tried so far (the same result from everyone):

[gahcep@localhost  ~]$ mysql -u ssluser -h 192.168.18.128 -p

[gahcep@localhost  ~]$ mysql --ssl --ssl-ca=/etc/mysql/certs/ca-cert.pem \
                             -u ssluser -h 192.168.18.128 -p

[gahcep@localhost ~]$ mysql --ssl-ca=/etc/mysql/certs/ca-cert.pem \
                            --ssl-cert=/etc/mysql/certs/client-cert.pem \
                            --ssl-key=/etc/mysql/certs/client-key.pem \
                            -u ssluser -h 192.168.18.128 -p

Enter password:
ERROR 2026 (HY000): SSL connection error

Steps to Reproduce:

setup/create both clients and server certs signed by same ca.
setup both my.cnf files on clients and servers as mentioned in this thread
create ssluser on master for slave
mysql -u ssluser -h 192.168.18.128 -p

Please, note, I indeed used different Common Names for all certificates: for CA, clien and server.

ADDITIONAL INFORMATION

Verification results:

[gahcep@localhost ~]$ sudo openssl verify -purpose sslclient \
           -CAfile /etc/mysql/certs/ca-cert.pem /etc/mysql/certs/client-cert.pem
/etc/mysql/certs/client-cert.pem: OK

[gahcep@localhost ~]$ sudo openssl verify -purpose sslserver \
           -CAfile /etc/mysql/certs/ca-cert.pem /etc/mysql/certs/server-cert.pem
/etc/mysql/certs/server-cert.pem: OK

Sertificates information:

CA:

[gahcep@localhost ~]$ sudo openssl x509 -noout -subject -issuer -dates \
           -serial -hash -fingerprint -in /etc/mysql/certs/ca-cert.pem
subject= /C=RU/L=Vladivostok/O=Default Company Ltd/CN=PriSec
issuer= /C=RU/L=Vladivostok/O=Default Company Ltd/CN=PriSec
notBefore=Jan  4 06:27:46 2013 GMT
notAfter=Nov 13 06:27:46 2022 GMT
serial=B45D177E85F99578
c2c5b88b
SHA1 Fingerprint=5B:07:AA:39:28:24:CE:1A:CF:35:FA:14:36:23:65:8F:84:61:B0:1C

Client Certificate:

[gahcep@localhost ~]$ sudo openssl x509 -noout -subject -issuer -dates \
           -serial -hash -fingerprint -in /etc/mysql/certs/client-cert.pem
subject= /C=RU/L=Vladivostok/O=Default Company Ltd/CN=Secondary
issuer= /C=RU/L=Vladivostok/O=Default Company Ltd/CN=PriSec
notBefore=Jan  4 06:29:07 2013 GMT
notAfter=Nov 13 06:29:07 2022 GMT
serial=01
6df9551f
SHA1 Fingerprint=F5:9F:4A:14:E8:96:26:BC:71:79:43:5E:18:BA:B2:24:BE:76:17:52

Server Certificate:

[gahcep@localhost ~]$ sudo openssl x509 -noout -subject -issuer -dates \
            -serial -hash -fingerprint -in /etc/mysql/certs/server-cert.pem
subject= /C=RU/L=Vladivostok/O=Default Company Ltd/CN=Primary
issuer= /C=RU/L=Vladivostok/O=Default Company Ltd/CN=PriSec
notBefore=Jan  4 06:28:25 2013 GMT
notAfter=Nov 13 06:28:25 2022 GMT
serial=01
64626d57
SHA1 Fingerprint=39:9E:7A:9E:60:9A:58:68:81:2F:90:A5:9B:BF:E8:26:C5:9D:3C:AB

Directories Permissions:

On Master:

[gahcep@localhost ~]$ ls -la /etc/mysql/certs/
drwx------. 3 mysql  mysql  4096 Jan  3 23:49 .
drwx------. 3 mysql  mysql  4096 Jan  3 07:34 ..
-rw-rw-r--. 1 gahcep gahcep 1261 Jan  3 22:27 ca-cert.pem
-rw-rw-r--. 1 gahcep gahcep 1675 Jan  3 22:27 ca-key.pem
-rw-rw-r--. 1 gahcep gahcep 1135 Jan  3 22:28 server-cert.pem
-rw-rw-r--. 1 gahcep gahcep 1679 Jan  3 22:28 server-key.pem
-rw-rw-r--. 1 gahcep gahcep  976 Jan  3 22:28 server-req.pem

On Slave:

[gahcep@localhost ~]$ ls -la /etc/mysql/certs/
drwx------. 3 mysql mysql 4096 Jan  3 22:57 .
drwx------. 3 mysql mysql 4096 Jan  3 07:50 ..
-rw-r--r--. 1 root  root  1261 Jan  3 22:56 ca-cert.pem
-rw-r--r--. 1 root  root  1139 Jan  3 22:57 client-cert.pem
-rw-r--r--. 1 root  root  1675 Jan  3 22:57 client-key.pem

If someone can suggest the solution, I would really appreciate this!

Best Answer

Try making certificate files owned by mysql user and not readable by others.

You can try also with a fixed cipher:

mysql ... --ssl-cipher=AES128-SHA

And for the change master:

CHANGE MASTER TO ... MASTER_SSL_CIPHER='AES128-SHA'

Related Solutions

Mysql – How to debug a db memory-leak causing thesql to go before it’s own limits

...even surpassing it's theorically maximum possible allocation.

[OK] Maximum possible memory usage: 7.3G (46% of installed RAM)

There is not actually a way to calculate maximum possible memory usage for MySQL, because there is no cap on the memory it can request from the system.

The calculation done by mysqltuner.pl is only an estimate, based on a formula that doesn't take into account all possible variables, because if all possible variables were taken into account, the answer would always be "infinite." It's unfortunate that it's labeled this way.

Here is my theory on what's contributing to your excessive memory usage:

thread_cache_size       = 128

Given that your max_connections is set to 200, the value of 128 for thread_cache_size seems far too high. Here's what makes me think this might be contributing to your problem:

When a thread is no longer needed, the memory allocated to it is released and returned to the system unless the thread goes back into the thread cache. In that case, the memory remains allocated.

^{http://dev.mysql.com/doc/refman/5.6/en/memory-use.html}

If your workload causes even an occasional client thread to require a large amount of memory, those threads may be holding onto that memory, then going back to the pool and sitting around, continuing to hold on to memory they don't technically "need" any more, on the premise that holding on to the memory is less costly than releasing it if you're likely to need it again.

I think it's worth a try to do the following, after first making a note of how much memory MySQL is using at the moment.

Note how many threads are currently cached:

mysql> show status like 'Threads_cached';
+----------------+-------+
| Variable_name  | Value |
+----------------+-------+
| Threads_cached | 9     |
+----------------+-------+
1 row in set (0.00 sec)

Next, disable the thread cache.

mysql> SET GLOBAL thread_cache_size = 0;

This disables the thread cache, but the cached threads will stay in the pool until they're used one more time. Disconnect from the server, then reconnect and repeat.

mysql> show status like 'Threads_cached';

Continue disconnecting, reconnecting, and checking until the counter reaches 0.

Then, see how much memory MySQL is holding.

You may see a decrease, possibly significant, and then again you may not. I tested this on one of my systems, which had 9 threads in the cache. Once those threads had all been cleared out of the cache, the total memory held by MySQL did decrease... not by much, but it does illustrate that threads in the cache do release at least some memory when they are destroyed.

If you see a significant decrease, you may have found your problem. If you don't, then there's one more thing that needs to happen, and how quickly it can happen depends on your environment.

If the theory holds that the other threads -- the ones currently servicing active client connections -- have significant memory allocated to them, either because of recent work in their current client session or because of work requiring a lot of memory that was done by another connection prior to them languishing in the pool, then you won't see all of the potential reduction in memory consumption until those threads are allowed to die and be destroyed. Presumably your application doesn't hold them forever, but how long it will take to know for sure whether there's a difference will depend on whether you have the option of cycling your application (dropping and reconnecting the client threads) or if you'll have to just wait for them to be dropped and reconnected over time on their own.

But... it seems like a worthwhile test. You should not see a substantial performance penalty by setting thread_cache_size to 0. Fortunately, thread_cache_size is a dynamic variable, so you can freely change it with the server running.

Mongodb – Issues with self signed certificates, SSL and MongoDB

The answer to my question comes from an article I found this afternoon and I completely understand what I was doing wrong before. http://demarcsek92.blogspot.com/2014/05/mongodb-ssl-setup.html

I'll explain a little more because of the suggestion from Markus.

Originally I was generating client and server key/certification pairs from a root CA that I had created. I was concatenating (adding) the other certificates that I was making to the root CA and using this as the input for --sslCAFile. The issue I was creating was using my server.pem key/cert for each node and then trying to pass the client.pem file to the server for validation which I found out throws the generic "Self signed certificate" error. Apparently it happens whenever invalid certs/keys are passed to the server to create a connection.

(I'm going to gloss over how to make the server/client key/cert as it is in the article and I would like people to go there for more explanation as it is this gentleman's solution and not my own.)

Create server.key and server.crt
Use "type server.key server.crt > server.pem" (for Windows)

Create client.key and client.crt
Use "type client.key client.crt > client.pem"

For the server the setup will be:
--sslPEMKeyFile = server.pem
--sslCAFile = client.pem

For the client the setup will be:
--sslPEMKeyFile = client.pem
--sslCAFile = server.pem

This solution, as is, works for a single node and single client connection. I was able to trace the line with Wireshark and see that Mongo had stopped identifying itself and that when I drilled down into the packets using the Follow TCP Stream option the only information it was exposing was part of the subject used in creating my certificates (ok behavior).

Find "Client Hello" transmission from Mongo by: Right-clicking on one of tranmission messages > Decode as... > Transport tab > SSL

On the "Client Hello" transmission from Mongo: Right-click the packet > Follow TCP Stream > You should see the packet encrypted

NEXT STEP: My next step is to figure out how to setup SSL certificates for a 3 node replica set. I'm still trying to wrap my head around creating certificates for each node and how they can all be linked so it will allow for each to trust each other and a client connection.

(I'm going to look into the Stack Exchange rules but I was just thinking about chaining to the next topic with a link in this one)

Best Answer

Related Solutions

Mysql – How to debug a db memory-leak causing thesql to go before it’s own limits

Mongodb – Issues with self signed certificates, SSL and MongoDB

Related Question