MySQL - SSL - with TLS1.2 cipher AES256-SHA256 / DHE-RSA-AES256-SHA256 - mysql

I'm using MySQL with SSL with the TLS1.2 ciphers AES256-SHA256 / DHE-RSA-AES256-SHA256.
I have compiled MySQL with OpenSSL. I am able to connect to MySQL over
SSL with TLS1.0 ciphers. But when I try to connect with TLS1.2 ciphers,
the connection fails with an error.
MySQL server version :- 5.6.23-log Source distribution
Custom OpenSSL version :- OpenSSL 1.0.1j 15 Oct 2014
Java version :- 1.8.0_40
Error thrown on connect with a TLS1.2 cipher:
> mysql -umysql --ssl-cipher=DHE-RSA-AES256-SHA256 -T -v
ERROR 2026 (HY000): SSL connection error:
error:00000001:lib(0):func(0):reason(1)
User time 0.00, System time 0.00
Maximum resident set size 2664, Integral resident set size 0
Non-physical pagefaults 777, Physical pagefaults 0, Swaps 0
Blocks in 0 out 0, Messages in 0 out 0, Signals 0
Voluntary context switches 2, Involuntary context switches 5
Snippet of my.cnf
[client]
default-character-set=utf8
ssl=ON
ssl-ca=/home/mysql-cert/ca.pem
ssl-cert=/home/mysql-cert/client-cert.pem
ssl-key=/home/mysql-cert/client-key.pem
[mysql]
default-character-set=utf8
[mysqld]
general_log=1
ssl-cipher=DHE-RSA-AES256-SHA256
ssl-cipher=AES256-SHA256
ssl-cipher=AES256-SHA
ssl-ca=/home/mysql-cert/ca.pem
ssl-cert=/home/mysql-cert/server-cert.pem
ssl-key=/home/mysql-cert/server-key.pem
MySQL prompt snippet with a TLS1.0 cipher connected:
mysql> \s
--------------
mysql Ver 14.14 Distrib 5.6.23, for Linux (x86_64) using EditLine wrapper
Connection id: 6
Current database:
Current user: root@localhost
SSL: Cipher in use is AES256-SHA
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.6.23-log Source distribution
Protocol version: 10
Connection: Localhost via UNIX socket
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
UNIX socket: /tmp/mysql.sock
Uptime: 1 hour 32 min 40 sec
Threads: 1 Questions: 11 Slow queries: 0 Opens: 67 Flush tables: 1
Open tables: 60 Queries per second avg: 0.001
--------------
mysql> SHOW STATUS LIKE 'ssl%';
+--------------------------------+--------------------------+
| Variable_name | Value |
+--------------------------------+--------------------------+
| Ssl_accept_renegotiates | 0 |
| Ssl_accepts | 6 |
| Ssl_callback_cache_hits | 0 |
| Ssl_cipher | AES256-SHA |
| Ssl_cipher_list | AES256-SHA |
| Ssl_client_connects | 0 |
| Ssl_connect_renegotiates | 0 |
| Ssl_ctx_verify_depth | 18446744073709551615 |
| Ssl_ctx_verify_mode | 5 |
| Ssl_default_timeout | 7200 |
| Ssl_finished_accepts | 3 |
| Ssl_finished_connects | 0 |
| Ssl_server_not_after | Jan 23 10:29:20 2025 GMT |
| Ssl_server_not_before | Mar 17 10:29:20 2015 GMT |
| Ssl_session_cache_hits | 0 |
| Ssl_session_cache_misses | 0 |
| Ssl_session_cache_mode | SERVER |
| Ssl_session_cache_overflows | 0 |
| Ssl_session_cache_size | 128 |
| Ssl_session_cache_timeouts | 0 |
| Ssl_sessions_reused | 0 |
| Ssl_used_session_cache_entries | 0 |
| Ssl_verify_depth | 18446744073709551615 |
| Ssl_verify_mode | 5 |
| Ssl_version | TLSv1 |
+--------------------------------+--------------------------+
25 rows in set (0.00 sec)
mysql> SHOW VARIABLES LIKE '%ssl%';
+---------------+----------------------------------+
| Variable_name | Value |
+---------------+----------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /home/mysql-cert/ca.pem |
| ssl_capath | |
| ssl_cert | /home/mysql-cert/server-cert.pem |
| ssl_cipher | AES256-SHA |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | /home/mysql-cert/server-key.pem |
+---------------+----------------------------------+
9 rows in set (0.00 sec)
MySQL was compiled as:
> cmake . -DCMAKE_PREFIX_PATH=/opt/scr-openssl/ssl/
-DWITH_SSL=/opt/scr-openssl/ssl/
-DWITH_OPENSSL=/opt/scr-openssl/ssl/bin/
-DWITH_OPENSSL_INCLUDES=/opt/scr-openssl/ssl/include/
-DWITH_OPENSSL_LIBS=/opt/scr-openssl/ssl/lib/ -DENABLE_DOWNLOADS=1
>make
>make install
Please help me out to configure MySQL to work with TLS1.2 cipher.

MySQL v5.6.23 can only support TLS 1.0. To get support for TLS 1.2, you need to upgrade to a later MySQL version and ensure that both client and server have been compiled to use OpenSSL.
You might be able to use MySQL 5.6.46, according to the MySQL documentation:
When compiled using OpenSSL 1.0.1 or higher, MySQL supports the TLSv1, TLSv1.1, and TLSv1.2 protocols as of MySQL 5.6.46, and TLSv1 prior to 5.6.46.
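One way to check, independently of the mysql client and its opaque error 2026, whether a server will negotiate TLS 1.2 with a given cipher (an added example in Python, not code from the question, the answer or MySQL; host, port and cipher are parameters you supply): it reads the server greeting, checks the CLIENT_SSL capability bit, sends the protocol's SSLRequest packet and then attempts a TLS 1.2-only handshake. Against a build that only speaks TLSv1, the handshake step is where it fails.

```python
import socket
import ssl
import struct

CLIENT_SSL = 0x0800          # capability bit: server accepts an SSLRequest packet
CLIENT_PROTOCOL_41 = 0x0200

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-packet")
        buf += chunk
    return buf

def recv_packet(sock):
    """Read one MySQL packet: 3-byte little-endian length, 1-byte sequence id, payload."""
    hdr = _recv_exact(sock, 4)
    return hdr[3], _recv_exact(sock, int.from_bytes(hdr[:3], "little"))

def parse_greeting(payload):
    """Pull the version and capability flags out of a protocol-10 server greeting."""
    if payload[0] != 10:
        raise ValueError("unexpected protocol version %d" % payload[0])
    end = payload.index(b"\x00", 1)
    version = payload[1:end].decode("ascii", "replace")
    pos = end + 1 + 4 + 8 + 1                  # skip connection id, auth data, filler
    cap_lo = struct.unpack_from("<H", payload, pos)[0]
    cap_hi = struct.unpack_from("<H", payload, pos + 5)[0]   # after charset and status
    caps = cap_lo | (cap_hi << 16)
    return {"version": version, "capabilities": caps, "ssl": bool(caps & CLIENT_SSL)}

def build_ssl_request(seq=1):
    """SSLRequest: client caps, max packet size, charset 33 (utf8), 23 reserved bytes."""
    body = struct.pack("<IIB23x", CLIENT_SSL | CLIENT_PROTOCOL_41, 1 << 24, 33)
    return len(body).to_bytes(3, "little") + bytes([seq]) + body

def probe_tls12(host, port=3306, cipher="DHE-RSA-AES256-SHA256"):
    """Return (server version, TLS version, cipher), or raise if TLS 1.2 is refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # protocol probe only
    ctx.set_ciphers(cipher)
    with socket.create_connection((host, port), timeout=5) as raw:
        seq, greeting = recv_packet(raw)
        info = parse_greeting(greeting)
        if not info["ssl"]:
            raise RuntimeError("server %s does not advertise SSL" % info["version"])
        raw.sendall(build_ssl_request(seq + 1))
        with ctx.wrap_socket(raw, server_hostname=host) as tls:  # TLS 1.0-only server fails here
            return info["version"], tls.version(), tls.cipher()[0]
```

Certificate verification is switched off because the probe only answers "which protocol and cipher does the server accept"; it is not a template for a production connection.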

Related

Connection issue on csv data download from RDS via MySQL CLI

I need to download locally (macOS BigSur) a large dataset (millions of rows) from an AWS RDS database (MySQL 5.7).
Thanks to this great post I am able to connect and download on my machine some data into a csv file:
mysql --host=$HOST --user $USER --password=$PASSWORD --database=$DATABASE --port=$PORT --batch \
--quick -e "$QUERY" \
| sed $'s/\\t/","/g;s/^/"/;s/$/"/;s/\\n//g' > $FILE_PATH
However, if I extend my query to thousands of records, after a few seconds the process stops and the csv ends up truncated (literally the last written row is cut off halfway), so I assume there is some kind of stream, timeout or buffer issue.
mysql> SHOW VARIABLES LIKE '%timeout';
+-----------------------------+----------+
| Variable_name | Value |
+-----------------------------+----------+
| connect_timeout | 10 |
| delayed_insert_timeout | 300 |
| have_statement_timeout | YES |
| innodb_flush_log_at_timeout | 1 |
| innodb_lock_wait_timeout | 50 |
| innodb_rollback_on_timeout | OFF |
| interactive_timeout | 28800 |
| lock_wait_timeout | 31536000 |
| net_read_timeout | 30 |
| net_write_timeout | 60 |
| rpl_stop_slave_timeout | 31536000 |
| slave_net_timeout | 60 |
| wait_timeout | 28800 |
+-----------------------------+----------+
Since the command stops after ~10sec, I assume it depends on the connect_timeout value. However, I tried setting it with SET @@GLOBAL.connect_timeout=7200 but I get a permission error. I tried adding the --connect-timeout=7200 parameter to the command, but it does not work (which strikes me the most).
Running the query (limited to ~250k rows) in my client (SequelAce) works fine, so I can exclude issues with the data or the SQL script itself.
Any ideas or suggestions?
Are there better tools for the job maybe?

[Linux LEAP 15.1][mysql client 1.4.3] Can not run mysql_query since upgrade

Since I upgraded to LEAP 15.1 I can not run "old" C applications executing the mysql_query() function.
I got:
MySQL client version: 10.4.3
Tentative de connexion... [ok]
(01064)Erreur lors de l'exécution d'une requête SQL:
With no message from the mysql_error() function.
None of the applications written previously are still working :{
I use libmariadb-devel 3.1.2-lp151.3.3.1 (it worked with 3.0.3); it started to stop working with 3.0.7.
I tried to downgrade to 3.0.3 but this version is no longer "reachable" from the repository of LEAP 15.1.
if (mysql_query(connexion,
                /* adjacent literals are concatenated into one query string;
                   a single literal cannot span lines in C */
                "SELECT Nom,CodePostal "
                "FROM CodesPostaux,Localités "
                "WHERE idCodePostal=Ref_CodesPostaux ORDER BY CodePostal"))
{
    /* report the server error code and message, then stop */
    wprintf(L"(%05d) ...: %s !!\n",
            mysql_errno(connexion),
            mysql_error(connexion));
    exit(1);
}
I could get the result set displayed as usual before upgrading to 15.1 (to libmariadb-3.3.1).
This is the default charset for the server:
default-character-set = utf8
This statement (code) worked perfectly BEFORE the update.
I tried to get more details concerning the 01064 error with the mysql_sqlstate() function... it gives 42000...
MariaDB [CSSMPoste]> select Nom, CodePostal FROM CodesPostaux, Localités WHERE idCodePostal = Ref_CodesPostaux ORDER BY CodePostal ;
+-------------------+------------+
| Nom | CodePostal |
+-------------------+------------+
| Liège | 4000 |
| Rocourt | 4000 |
| Cointe | 4000 |
| Wandre | 4020 |
| Vottem | 4041 |
| Milmort | 4041 |
| Boncelles | 4100 |
| Seraing | 4100 |
| Jemeppe-sur-Meuse | 4101 |
| Flémalle | 4400 |
| Ans | 4430 |
| Alleur | 4432 |
| Grâce-Hollogne | 4460 |
| Amel | 4770 |
+-------------------+------------+
14 rows in set (0.01 sec)

Galera_new_cluster command not starting a cluster

Following documentation on how to set up a MariaDB Galera cluster, I simply created the proper config files and started my primary db server with the galera_new_cluster command (I'm running RHEL7). According to the documentation, at that point you should be able to run:
SHOW STATUS LIKE 'wsrep_cluster_size';
And see
+--------------------+-------+
| Variable_name | Value |
+--------------------+-------+
| wsrep_cluster_size | 1 |
+--------------------+-------+
However, I see wsrep_cluster_size of zero with these other relevant values:
MariaDB [(none)]> show global status like 'wsrep%';
+--------------------------+----------------------+
| Variable_name | Value |
+--------------------------+----------------------+
| wsrep_cluster_conf_id | 18446744073709551615 |
| wsrep_cluster_size | 0 |
| wsrep_cluster_state_uuid | |
| wsrep_cluster_status | Disconnected |
| wsrep_connected | OFF |
| wsrep_local_bf_aborts | 0 |
| wsrep_local_index | 18446744073709551615 |
| wsrep_provider_name | |
| wsrep_provider_vendor | |
| wsrep_provider_version | |
| wsrep_ready | OFF |
| wsrep_thread_count | 0 |
+--------------------------+----------------------+
My settings in /etc/my.cnf.d/server.cnf are:
bind_address=172.28.7.15
wsrep_provider=/usr/lib64/galera/libgalera_smm.so
wsrep_cluster_name="galera_cluster"
wsrep_cluster_address="gcomm://172.28.7.15,172.28.7.18,172.28.7.19"
wsrep_node_address=172.28.7.15
wsrep_node_name='node01'
wsrep_slave_threads=1
wsrep_certify_nonPK=1
wsrep_max_ws_rows=131072
wsrep_max_ws_size=1073741824
wsrep_debug=1
wsrep_convert_LOCK_to_trx=0
wsrep_retry_autocommit=1
wsrep_auto_increment_control=1
wsrep_drupal_282555_workaround=0
wsrep_causal_reads=0
wsrep_notify_cmd=
wsrep_sst_method=rsync
And I've confirmed that the variables are loaded using SHOW VARIABLES.
I feel like I'm following the documentation exactly and it's just not showing what I expect. The only warnings in the logs are warnings about SSL not being set up - is that required?
You mentioned you didn't see any WSREP logs in /var/log/mariadb/mariadb.log. Perhaps the wsrep_on option is set to OFF. Try setting it to ON.
Lots of documentation assumes MariaDB Galera 10.0. But in 10.1 and higher, wsrep_on defaults to OFF.
Default Value: OFF (>= MariaDB 10.1), ON (<= MariaDB Galera Cluster 10.0)
https://mariadb.com/kb/en/mariadb/galera-cluster-system-variables/#wsrep_on
For CentOS 7, edit your /etc/my.cnf file and run setenforce 0; do it on all your nodes.
Then start your cluster and connect nodes.
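As an added example (not from the question or the answers), a small checker in Python that reads a server.cnf fragment like the one posted and reports why wsrep_cluster_size would stay at 0, applying the wsrep_on default the answer quotes (OFF from MariaDB 10.1 on). The sample config is constructed from the posted values; the socket.ssl_* check refers to Galera's wsrep_provider_options keys, which the page itself does not discuss.

```python
# Constructed from the server.cnf values in the question (sample, not a live node).
SAMPLE_SERVER_CNF = """
[galera]
bind_address=172.28.7.15
wsrep_provider=/usr/lib64/galera/libgalera_smm.so
wsrep_cluster_name="galera_cluster"
wsrep_cluster_address="gcomm://172.28.7.15,172.28.7.18,172.28.7.19"
wsrep_node_address=172.28.7.15
wsrep_node_name='node01'
wsrep_sst_method=rsync
"""

def parse_cnf(text):
    """Minimal my.cnf reader: key=value lines, quotes stripped, later duplicates win."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("["):
            continue                      # skip blanks, comments and [section] headers
        key, _, value = line.partition("=")
        opts[key.strip().replace("-", "_")] = value.strip().strip("'\"")
    return opts

def check_galera(opts, mariadb_version=(10, 1)):
    """Return findings that explain a wsrep_cluster_size of 0 or an unencrypted setup."""
    findings = []
    default_on = "OFF" if mariadb_version >= (10, 1) else "ON"   # default changed in 10.1
    if opts.get("wsrep_on", default_on).upper() not in ("ON", "1"):
        findings.append("wsrep_on is OFF: node starts stand-alone, cluster size stays 0")
    if not opts.get("wsrep_provider"):
        findings.append("wsrep_provider unset: no Galera library is loaded")
    address = opts.get("wsrep_cluster_address", "")
    if not address.startswith("gcomm://"):
        findings.append("wsrep_cluster_address must start with gcomm://")
    peers = [p for p in address[len("gcomm://"):].split(",") if p]
    own = opts.get("wsrep_node_address")
    if own and own not in peers:
        findings.append("wsrep_node_address %s is not in the gcomm:// peer list" % own)
    if "socket.ssl" not in opts.get("wsrep_provider_options", ""):
        findings.append("no socket.ssl_* in wsrep_provider_options: replication traffic is unencrypted")
    return findings

if __name__ == "__main__":
    for finding in check_galera(parse_cnf(SAMPLE_SERVER_CNF)):
        print("-", finding)
```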

Mysql is taking more & more RAM on my linux/Centos server

I'm running a dedicated server with 16Go of RAM and 1Go of SWAP.
My real-time statistics on the server show that more than half of my RAM and 99% of my SWAP is used by:
/usr/libexec/mysqld --basedir=/usr --datadir=/home/mysql --user=mysql --log-error=/var/log/mysqld.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/
It keeps increasing with time and even restarting mysql won't change it.
When I do a
mysql> SHOW PROCESSLIST
I get as result
+------+-----------+-----------------+-------+---------+------+-------+------------------+
| Id | User | Host | db | Command | Time | State | Info |
+------+-----------+-----------------+-------+---------+------+-------+------------------+
| 7 | root | localhost:51312 | mysql | Sleep | 5 | | NULL |
| 7156 | mailadmin | localhost:58878 | mail | Sleep | 3406 | | NULL |
| 9302 | mailadmin | localhost:32868 | mail | Sleep | 749 | | NULL |
| 9305 | mailadmin | localhost | mail | Sleep | 747 | | NULL |
| 9802 | mailadmin | localhost | mail | Sleep | 9 | | NULL |
| 9803 | mailadmin | localhost | mail | Sleep | 9 | | NULL |
| 9807 | mailadmin | localhost | mail | Sleep | 9 | | NULL |
| 9808 | mailadmin | localhost | mail | Sleep | 9 | | NULL |
| 9825 | root | localhost | NULL | Query | 0 | NULL | SHOW PROCESSLIST |
+------+-----------+-----------------+-------+---------+------+-------+------------------+
9 rows in set (0.00 sec)
and a
free -m -l
shows me:
total used free shared buffers cached
Mem: 16094 14431 1663 0 1318 5404
Low: 16094 14431 1663
High: 0 0 0
-/+ buffers/cache: 7708 8385
Swap: 1021 996 25
I have no idea how to deal with this. It seems like I will reach the RAM limit of the server and it will probably cause slowness.
Thank you in advance, I stay here, ready to provide you with more information.
I think you are being spammed. Your mail server is receiving or sending too many mails. It is better to check your incoming/outgoing mails.
And will you consider setting up SpamAssassin/Amavisd or something like that? I think if you turn off your mail server you will see that it lowers, and it will be verified that it's the mail server, because of spam.
Your statement that "restarting mysql won't change it" seems to imply that it's not mysqld that's using all the memory.
A rudimentary way to find the processes that are using the most memory: you could run htop and sort by one of the memory columns, like VIRT. It may not be just one process; it could be a whole slew of processes each using memory. (Some of the memory reported is shared; you can't just add up the memory for all the mysql processes... in htop, use the keypresses F5 and H to get a "tree view".)
In this example, mysql is using 11G, 73% of available memory. That's expected, because that's what we allocated; the bulk of that is allocated to the InnoDB buffer pool. (dedicated MySQL server)
PID USER PRI NI VIRT RES SHR S CPU% MEM% TIME+ Command
19510 mysql 20 0 11.0G 5849M 3808 S 16.0 73.1 81h33:04 /opt/mysql/bin/mysqld --basedir=/opt/mysql --datadir=/opt/mysql_data --user=mysql --log-error=/
1016 syslog 20 0 220M 940 580 S 0.0 0.0 5:28.12 rsyslogd -c4
1651 root 20 0 145M 1100 784 S 0.0 0.0 8:26.81 /usr/sbin/automount
1243 root 20 0 98496 1348 1036 S 0.0 0.0 3h19:31 /usr/sbin/vmtoolsd
13816 root 20 0 90868 1340 404 S 0.0 0.0 0:00.02 sshd: xxxxxx [priv]
13905 mysql 20 0 81548 1120 428 S 0.0 0.0 0:00.02 su - mysql
1674 Debian-e 20 0 64724 408 332 S 0.0 0.0 0:09.08 /usr/sbin/exim4 -bd -q30m
1030 root 20 0 63256 472 360 S 0.0 0.0 1:32.65 /usr/sbin/sshd
1 root 20 0 61840 996 472 S 0.0 0.0 1:05.14 /sbin/init
(There's probably a lot of better ways to see what's using memory, but htop does a pretty good job of showing me the processes that are running.)

MySQL is not responding in my Rails App

I am trying to load a file into a database using Ruby. It's a large file, about 15 Mb. It copied the records properly for some time, but after copying a few records there is no error, yet it does not insert records into the database, and when I connect to the MySQL prompt in a separate console I get an error:
mysql> desc testdb2.test_descriptions;
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
Connection id: 52
After this I am able to connect to the MySQL database, and the script starts writing records to the database again.
Is there any way to maintain the connection with the database while the app is running?
I am not sure if it's a kind of timeout issue or something... please correct me.
def simulate_datasets
  Log.initialize
  data_folders = ["Jun_06_2013"];
  data_folders.each do |data_folder|
    add(data_folder);
  end
  render :text => Log.dump
end

def add (data_folder)
  #dataset = Dataset.initialize
  #dataset.created_at=Date.new(2013,06,06)
  #dataset.save
  current_root = "script/datasets/"+data_folder+"/"
  strip_string = "/development/A/"
  population_time = {}
  total_time = 0
  clusters = Cluster.find(:all, :order=>"created_at DESC");
  if clusters.empty?
    Log.info "No Clusters found"
    Cluster.initialize
    clusters = Cluster.find(:all, :order=>"created_at DESC");
  end
  clusters.each do |cluster|
    cluster_path = cluster.path
    root = current_root + cluster.name+'/'
    total_time += populate_file_or_folder(root+"fileListWithMLintMetrics.txt", cluster_path)
  end
end
I am using the populate_file_or_folder method to populate the database:
mysql> show variables like '%time%';
+----------------------------+-------------------+
| Variable_name | Value |
+----------------------------+-------------------+
| connect_timeout | 10 |
| datetime_format | %Y-%m-%d %H:%i:%s |
| delayed_insert_timeout | 300 |
| flush_time | 0 |
| innodb_lock_wait_timeout | 50 |
| innodb_rollback_on_timeout | OFF |
| interactive_timeout | 28800 |
| lc_time_names | en_US |
| long_query_time | 10.000000 |
| net_read_timeout | 30 |
| net_write_timeout | 60 |
| slave_net_timeout | 3600 |
| slow_launch_time | 2 |
| system_time_zone | EDT |
| table_lock_wait_timeout | 50 |
| time_format | %H:%i:%s |
| time_zone | SYSTEM |
| timed_mutexes | OFF |
| timestamp | 1372869659 |
| wait_timeout | 28800 |
+----------------------------+-------------------+
20 rows in set (0.00 sec)
require 'csv'

def self.populate_file_or_folder(fileName, cluster_path)
  counter = 0
  # Reading directly from the CSV library: one row per file or folder entry
  CSV.foreach(fileName) do |line|
    counter = counter+1
    completePath = line[0]
    completePath = cluster_path+ '/'+completePath
    newStructure = FileOrFolder.new
    newStructure.fullpath = completePath   # was `path`, which is not defined in this method
    pathbits = completePath.split('/')
    newStructure.name = pathbits.last
    newStructure.save
  end
  counter   # return the row count so the caller's += receives a number, not nil
end