Google Cloud SQL SSL fails peer certificate validation - mysql

I have an issue using MySQL on PHP 5.6, and after three days of debugging PHP, OpenSSL, MySQLnd Drivers on PHP and trying out the mysql_client on an Ubuntu 14.04 machine, I have come to a conclusion: Google Cloud SQL SSL certificates will not work on PHP 5.6 and above.
For a start, the Google Cloud is a great service, and modern cryptography is enforced throughout the Google ecosystem. However, I couldn't use it because of one little problem: Google Cloud SQL SSL Server certificates have impossible common names.
Google Cloud SQL Server (or peer) certificates have a Common Name (CN) that looks something like:
CN=project-name:instance-id
To make matters worse, starting from PHP 5.6, all encrypted client streams will go through mandatory peer certificate validation. (Link: OpenSSL changes in PHP 5.6.x). I use the PHP Data Objects (PDO) extension, which uses the native driver MySQLnd to handle all the MySQL business. This uses the native PHP streams to handle those connections.
I have been looking through the MySQLnd source code on PHP (Link: MYSQLnd Driver Code on GitHub) and the MySQLnd configuration options to try to disable the SSL peer verification code in this particular MySQLnd. To no avail.
Therefore, what should I do if I need to use SSL for MySQL connections on PHP 5.6?
Your response is greatly appreciated!

Try connecting through the proxy if you have a second-generation SQL instance; you might be able to connect PDO via the proxy with 127.0.0.1: https://cloud.google.com/sql/docs/compute-engine-access#gce-connect-proxy

Assuming you can convince MySQL that the hostname it should verify is in fact project-name:instance-id, then I would have thought the hostname validation ought to succeed (though I agree that cert doesn't look great).
I tried the following from my Mac OS X workstation and it appeared to succeed, at least when using the mysql binary (I didn't try via PHP).
First I added a hosts entry on my machine that included the colon as part of the name:
1.2.3.4 project-name:instance-id
After doing so I was able to connect successfully with the mysql (5.6.32) installed on my machine:
mysql -uroot -h "project-name:instance-id" --password \
--ssl \
--ssl-ca ~/Downloads/server-ca.pem \
--ssl-cert ~/Downloads/client-cert.pem \
--ssl-key ~/Downloads/client-key.pem \
--ssl-verify-server-cert
(When I ran that same command with the IP address instead, I received ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure)

Related

Connecting to MySQL on AWS RDS with SSL pem keys

I set up a new MySQL instance on AWS RDS (Aurora). I added a user that requires SSL, and downloaded the combined ca bundle as described here and here: SSL Connection error, and I can connect via command line and confirm that the user is securely connected. I also turned off the SSL requirement for the user temporarily and was able to connect with MySQL Workbench with SSL turned off.
The problem is that both MySQL Workbench and my Rails app expect three separate files: SSL CA, SSL Cert, and SSL Key.
I'm sure there has to be an easy solution to it, but much Googling is not finding the answer, including this unanswered one on the AWS forums. I appreciate the help.
You don't need any other files. When it comes to the MySQL Workbench you need to provide "SSL CA File" and "Use SSL" ("Require" or "Require and Verify CA").
After that you can verify your connection by using the following command:
SHOW SESSION STATUS LIKE 'Ssl_cipher';

MySQL/VB.NET - An address incompatible with the requested protocol was used

I have a trivial VB script which I am using to connect to a MySQL database on a Windows Server (2012 R2).
It's all super simple, out of the box "connect to MySql example" stuff.
I have verified that MySQL is listening on all local IPv4 addresses. I can connect with MySQL Workbench with the same parameters. Yet I get a weird error when connecting via my program:
An address incompatible with the requested protocol was used
My connect string is as follows:
"server=127.0.0.1;database=test;uid=xx;pwd=xx"
It appears the connection tries to use IPv6 when connecting. How is this possible?
I suspect some kind of firewall is modifying or blocking my network connection, but it is a "new" machine for me and I don't know what's installed.
The problem was due to an old MySQL Connector DLL (MySQL.Data.dll) version which was either incompatible with Windows (hence the networking error message) or the version of MySQL I'm running. After upgrading the dll, the connection worked properly.
This may help out someone who has a similar problem, as the error is highly misleading.

Connect to MySQL using SHA2

I have access to 2 MySQL Servers (one for production and one for development). I have the host, port, database, user, password and the CA Cert file for them. I could connect to both using MySQL Workbench and from the Windows cmd. (Yes, I have to work on Windows for now)
Now according to security requirements, I need to connect using protocol TLSv1.1 or TLSv1.2, and cipher AES256 and SHA2. These are currently not enforced on the development server, but they are on the production, and I am not able to connect to the production right now.
I satisfy the AES256 and TLSv1.1 requirements.
But how do I get my client to connect using SHA2? Both Workbench and CMD don't work when I specify a cipher using both AES256 and SHA256 or SHA384. But it works fine if I specify something like AES256-SHA. Does this mean that it is not supported and I need to update something? By default, it uses 'DHE-RSA-AES256-SHA'.
If I try to set one of the AES256-SHA2 ciphers on the production, I get the error:
ERROR 2026 (HY000): SSL connection error: Failed to set ciphers to use
If I don't specify any ciphers, I get the error
ERROR 2026 (HY000): SSL connection error: unknown error number
I've looked up multiple posts on stackoverflow, mysql devs and mysql bugs website, and none seem to address this.
I have to ultimately get this to work with MS Access, since MySQL will be the backend for it. I even tried creating a system DSN, but the same error pops up.
Maybe the ODBC Connector doesn't support SHA2? I couldn't find anything on this anywhere.
I have the latest version of ODBC and MySQL Workbench.
Turns out, the community (free) versions of MySQL Workbench and ODBC are compiled using yaSSL while the commercial versions use OpenSSL. And SHA2 is not supported by yaSSL. Once I got the commercial versions, I was able to connect using SHA2.
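Added example (mine, not code from the thread) that checks OpenSSL-style cipher names against the AES256 plus SHA2 requirement described above, and asks the local TLS library whether it can set a given cipher spec, which is the condition behind the "Failed to set ciphers to use" error. It assumes TLS 1.2-and-below cipher names of the form shown in the thread (the hash is the last token).

```python
import ssl

SHA2 = {"SHA256", "SHA384"}


def cipher_parts(name):
    """Split an OpenSSL-style cipher name: last token is the MAC/PRF hash,
    AES128/AES256/... is the bulk cipher, everything before it is kx/auth."""
    tokens = name.upper().split("-")
    bulk = next((t for t in tokens
                 if t.startswith(("AES", "CAMELLIA", "CHACHA20", "DES"))), None)
    kx = tokens[:tokens.index(bulk)] if bulk else tokens[:-1]
    return {"kx": kx or ["RSA"], "bulk": bulk, "hash": tokens[-1]}


def meets_policy(name, bulk="AES256", hashes=SHA2):
    """The thread's requirement: AES-256 bulk cipher and a SHA-2 family hash."""
    parts = cipher_parts(name)
    return parts["bulk"] == bulk and parts["hash"] in hashes


def stack_accepts(spec):
    """True when the local TLS library can be configured with this cipher spec.
    A library that cannot (e.g. one without SHA-2 suites) is the situation the
    mysql CLI reports as 'Failed to set ciphers to use'."""
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).set_ciphers(spec)
        return True
    except ssl.SSLError:
        return False


def compliant_local_ciphers():
    """TLS 1.2 suites the local library offers by default that satisfy the policy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] == "TLSv1.2" and meets_policy(c["name"])]


if __name__ == "__main__":
    for name in ("DHE-RSA-AES256-SHA", "AES256-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"):
        print(f"{name:32} policy={meets_policy(name)} settable={stack_accepts(name)}")
    print("local candidates:", compliant_local_ciphers())
```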

Using SSL with command-line Flywaydb ( flyway ) to deploy DB changes

I'm working on a proof of concept to deploy using flyway's command-line tool from a centralized server to deploy to multiple database platforms. (MySQL, Postgres, and SQL Server)
I'm able to deploy successfully without SSL, however it is using unencrypted host information such as logins/passwords/ports to the destination Database Server. My concern is there's a chance the un-encrypted traffic could be seen.
Does anyone have experience with the flyway command line tool using SSL to deploy to:
MySQL
SQL Server
I did not see any information in the documentation unless I missed it.
Thanks for any help and suggestions!
In the flyway examples in flyway.conf it shows how to add additional values to the jdbc url for example
# MySQL : jdbc:mysql://<host>:<port>/<database>?<key1>=<value1>&<key2>=<value2>...
# PostgreSQL : jdbc:postgresql://<host>:<port>/<database>?<key1>=<value1>&<key2>=<value2>...
# Redshift : jdbc:postgresql://<host>:<port>/<database>?<key1>=<value1>&<key2>=<value2>...
So for Redshift/Postgres for example you can include the ssl=true flag
flyway.url=jdbc:postgresql://yourserver:5439/dbname?ssl=true
You need to add the public key that the DB server key was signed with to your host's trust store (for Redshift see http://docs.aws.amazon.com/redshift/latest/mgmt/connecting-ssl-support.html for details on that), e.g.
${JAVA_HOME}/bin/keytool -keystore ${JAVA_HOME}/lib/security/cacerts -import -alias <alias> -file <certificate_filename>
I then had to hack the flyway startup script /flyway to include the truststore and password in the JAVA_ARGS (it probably should have these as variables), e.g.
JAVA_ARGS="-Djava.security.egd=file:/dev/../dev/urandom -Djavax.net.ssl.trustStore=/etc/pki/java/cacerts -Djavax.net.ssl.trustStorePassword=changeit"
For MySQL I used the following URL to connect using SSL.
jdbc:mysql://hostname:3306/wpastudy?useSSL=true
Note the useSSL=true parameter.
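Added example (not from the Flyway project or the answer above) that audits and hardens the SSL parameters of the JDBC URLs quoted in this thread, e.g. before they go into flyway.conf. The parameter semantics are my assumptions from the Connector/J 5.1-era and pgJDBC drivers: useSSL=true alone encrypts but does not verify the server certificate unless verifyServerCertificate=true, while pgJDBC's ssl=true validates against the JVM truststore (which is why the certificate had to be imported with keytool).

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed per-driver knobs that give encryption AND server-certificate verification.
SSL_PARAMS = {
    "mysql": {"useSSL": "true", "requireSSL": "true", "verifyServerCertificate": "true"},
    "postgresql": {"ssl": "true", "sslmode": "verify-full"},
}


def split_jdbc(url):
    """Split jdbc:<subprotocol>://host:port/db?k=v into URL parts and a param dict."""
    if not url.startswith("jdbc:"):
        raise ValueError("not a JDBC URL")
    parts = urlsplit(url[len("jdbc:"):])
    return parts, dict(parse_qsl(parts.query, keep_blank_values=True))


def ssl_posture(url):
    """Report whether the URL asks for encryption and for certificate verification."""
    parts, params = split_jdbc(url)
    low = {k.lower(): v.lower() for k, v in params.items()}
    sub = parts.scheme
    if sub == "mysql":
        encrypted = low.get("usessl") == "true"
        # Connector/J 5.1: verifyServerCertificate defaults to false, so useSSL=true
        # alone still accepts any certificate the server presents.
        verified = encrypted and low.get("verifyservercertificate") == "true"
    elif sub == "postgresql":
        mode = low.get("sslmode", "")
        encrypted = low.get("ssl") == "true" or mode in ("require", "verify-ca", "verify-full")
        # ssl=true validates via the JVM truststore unless a non-validating factory or
        # sslmode=require is chosen.
        verified = encrypted and mode != "require" and "nonvalidating" not in low.get("sslfactory", "")
    else:
        encrypted = verified = None
    return {"subprotocol": sub, "encrypted": encrypted, "verified": verified}


def with_ssl(url):
    """Merge the driver's SSL + verification params into the URL (idempotent)."""
    parts, params = split_jdbc(url)
    extra = SSL_PARAMS.get(parts.scheme)
    if extra is None:
        raise ValueError(f"no SSL recipe for {parts.scheme}")
    params.update(extra)
    return "jdbc:" + urlunsplit(parts._replace(query=urlencode(params)))


if __name__ == "__main__":
    for u in ("jdbc:mysql://hostname:3306/wpastudy?useSSL=true",
              "jdbc:postgresql://yourserver:5439/dbname?ssl=true"):
        print(ssl_posture(u), "->", with_ssl(u))
```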

MySQL and SSL connection failing ERROR 2026 (HY000)

I have a wildcard cert issued from rapidssl, using CN=*.mydomain.com. I have a web server and a mysql db server. The certs are working fine for web site access. Now I want to enable ssl for my app to mysql. I've enabled ssl in the mysql server without issue:
+---------------+---------------------------------+
| Variable_name | Value                           |
+---------------+---------------------------------+
| have_openssl  | YES                             |
| have_ssl      | YES                             |
However, when I try to connect using the client/ssl, I get:
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
This appears to be documented here:
http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html
It says I can't use the same CN for the certs. I don't understand how a wildcard cert can be used then. Does that mean I also have to purchase host specific certs just for the mysql connection?
I don't work with SSL very much so I'm finding it difficult figuring out how this is supposed to be set up. Any pointers, even obvious ones, will likely help at this stage.
Running:
mysql Ver 15.1 Distrib 5.5.32-MariaDB, for debian-linux-gnu (x86_64) using readline 5.1
ubuntu 12.04
Make sure to use an absolute path to the ca-cert given for the --ssl-ca option.
Relative paths, or shell expansions (like ~) won't work and will produce ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation.
This isn't documented anywhere that I can see in the mysql man page, or in the SSL Command Options of the MySQL Manual (http://download.nust.na/pub6/mysql/doc/refman/5.1/en/ssl-options.html).
I have a similar issue. Apparently, from what I have read, all the binary (precompiled) versions of MySQL Community Edition (maybe the same applies to MariaDB) come bundled with yaSSL, not OpenSSL, and that library has some limitations and restrictions. According to the MySQL manual (https://dev.mysql.com/doc/refman/5.6/en/secure-connection-options.html):
"yaSSL does not look in any directory and does not follow a chained certificate tree. yaSSL requires that all components of the CA certificate tree be contained within a single CA certificate tree and that each certificate in the file has a unique SubjectName value. To work around this yaSSL limitation, concatenate the individual certificate files comprising the certificate tree into a new file and specify that file as the value of the --ssl-ca option".
If you want to check whether your MySQL installation uses yaSSL or OpenSSL you can follow the steps in this forum (http://mysqlblog.fivefarmers.com/2013/05/14/how-to-tell-whether-mysql-server-uses-yassl-or-openssl/). It tells you to look at the status variable 'Rsa_public_key' with "show status like '%rsa%'"; if your MySQL installation comes with yaSSL the result must be empty, because no such variable exists in distributions with yaSSL.
Another possible cause is that the hostname of your server doesn't match the subject of the server certificate (the argument of the --ssl-cert parameter). To check that, compare the output of the command
shell> hostname
with the DNS subject in the server certificate, which you can get using the following command (look at the part where it says "X509v3 Subject Alternative Name:"):
shell> openssl x509 -in "your-server-certificate" -noout -text
If none of this works you could look at the following page: http://milcom.us/2012/11/02/encrypted-mysql-connections/
PS: English is not my native language, sorry for any grammatical errors.
I was having the following error:
[root#example ~]$ mysql
ERROR 2026 (HY000): SSL connection error
FIX that worked for me: Server and client "Common Name" in certificates must be different than CA's. After changing the CNs the error stopped; I verified the connection status:
mysql> status;
...
SSL: Cipher in use is DHE-RSA-AES256-SHA
...
Source:
"Important Whatever method you use to generate the certificate and key
files, the Common Name value used for the server and client
certificates/keys must each differ from the Common Name value used for
the CA certificate. Otherwise, the certificate and key files will not
work for servers compiled using OpenSSL."
http://dev.mysql.com/doc/refman/5.0/en/creating-ssl-certs.html
PS: I'm not using wildcard certificates and/or a third party CA, I'm creating my own signed certificates, which works OK for me: http://angelcool.net/sphpblog/comments.php?y=14&m=05&entry=entry140511-164525
MySQL doesn't work with wildcard certificates. There are a number of deficiencies with MySQL and SSL.
See my post on Getting MySQL server to run with SSL (and also the post that I refer to therein).
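Added example (mine, not from any of the posts) modelling the two hostname checks that the Cloud SQL thread at the top of the page and this wildcard thread run into: the SAN-then-CN comparison with a single leftmost wildcard label that OpenSSL-based clients such as PHP 5.6 perform, and the literal CN-equals-host comparison described here for the MySQL client's --ssl-verify-server-cert. The certificate dicts are constructed in the shape Python's ssl.SSLSocket.getpeercert() returns; no real certificate is parsed.

```python
# Constructed sample certificates (same dict layout as ssl.SSLSocket.getpeercert()).
CLOUD_SQL_CERT = {"subject": ((("commonName", "project-name:instance-id"),),)}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.mydomain.com"),),),
    "subjectAltName": (("DNS", "*.mydomain.com"), ("DNS", "mydomain.com")),
}


def cert_names(cert, policy):
    """Names a client following `policy` compares against the connect host."""
    if policy == "rfc6125":
        sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
        if sans:                      # CN is only consulted when there is no SAN
            return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """RFC 6125-style match: case-insensitive, one wildcard as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    first, _, rest = pattern.partition(".")
    if first != "*" or not rest or "*" in rest:
        return False                  # "db.*.com" or "d*.example.com" are rejected
    hfirst, _, hrest = host.partition(".")
    # *.mydomain.com matches db.mydomain.com, not mydomain.com or a.b.mydomain.com
    return bool(hfirst) and hrest == rest


def verify_host(cert, host, policy="rfc6125"):
    """policy 'rfc6125': SAN/CN with wildcard support (PHP 5.6 / OpenSSL clients).
    policy 'exact_cn': CN must equal the connect host literally (older MySQL clients)."""
    names = cert_names(cert, policy)
    if policy == "exact_cn":
        return any(n.lower() == host.lower() for n in names)
    return any(name_matches(n, host) for n in names)


if __name__ == "__main__":
    cases = [(CLOUD_SQL_CERT, "1.2.3.4", "rfc6125"),           # PHP 5.6 connecting by IP
             (CLOUD_SQL_CERT, "project-name:instance-id", "rfc6125"),  # the hosts-file trick
             (WILDCARD_CERT, "db.mydomain.com", "rfc6125"),
             (WILDCARD_CERT, "db.mydomain.com", "exact_cn")]     # MySQL with a wildcard cert
    for cert, host, policy in cases:
        print(f"{host:26} {policy:8} -> {verify_host(cert, host, policy)}")
```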
I connect from CentOS 7 (version 5.6.29-76.2-log Percona Server and Client)
to CentOS 6 (Server version: 5.6.23-72.1-log Source distribution Percona) and also get this issue.
Adding this option will fix it:
--ssl-cipher=AES128-SHA
Maybe another ssl-cipher will also fix it.