MySQL and SSL connection failing ERROR 2026 (HY000) - mysql

I have a wildcard cert issued from rapidssl, using CN=*.mydomain.com. I have a web server and a mysql db server. The certs are working fine for web site access. Now I want to enable ssl for my app to mysql. I've enabled ssl in the mysql server without issue:
+---------------+---------------------------------+
| Variable_name | Value                           |
+---------------+---------------------------------+
| have_openssl  | YES                             |
| have_ssl      | YES                             |
However, when I try to connect using the client/ssl, I get:
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
This appears to be documented here:
http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html
It says I can't use the same CN for the certs. I don't understand how a wildcard cert can be used then. Does that mean I also have to purchase host specific certs just for the mysql connection?
I don't work with SSL very much so I'm finding it difficult figuring out how this is supposed to be set up. Any pointers, even obvious ones, will likely help at this stage.
Running:
mysql Ver 15.1 Distrib 5.5.32-MariaDB, for debian-linux-gnu (x86_64) using readline 5.1
ubuntu 12.04

Make sure to use an absolute path to the ca-cert given for the --ssl-ca option.
Relative paths, or shell expansions (like ~) won't work and will produce ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation.
This isn't documented anywhere that I can see in the mysql man page, or in the SSL Command Options of the MySQL Manual (http://download.nust.na/pub6/mysql/doc/refman/5.1/en/ssl-options.html).

I have a similar issue. Apparently, from what I have read, all the binary (precompiled) versions of MySQL Community Edition (maybe the same applies to MariaDB) come bundled with yaSSL, not OpenSSL, and that library has some limitations and restrictions. According to the MySQL manual (https://dev.mysql.com/doc/refman/5.6/en/secure-connection-options.html):
"yaSSL does not look in any directory and does not follow a chained certificate tree. yaSSL requires that all components of the CA certificate tree be contained within a single CA certificate tree and that each certificate in the file has a unique SubjectName value. To work around this yaSSL limitation, concatenate the individual certificate files comprising the certificate tree into a new file and specify that file as the value of the --ssl-ca option".
If you want to check whether your MySQL installation uses yaSSL or OpenSSL, you can follow the steps in this forum (http://mysqlblog.fivefarmers.com/2013/05/14/how-to-tell-whether-mysql-server-uses-yassl-or-openssl/). It says to look at the status variable 'Rsa_public_key' with show status like '%rsa%'; if your MySQL installation comes with yaSSL, the result must be empty because no such variable exists in distributions with yaSSL.
Another possible cause is that the hostname of your server doesn't match the subject of the server certificate (the argument of the --ssl-cert parameter). To check, compare the output of the command
shell> hostname
with the DNS subject in the server certificate; you can get it using the following command (look at the part where it says "X509v3 Subject Alternative Name:"):
shell> openssl x509 -in "your-server-certificate" -noout -text
If none of this works, see the following page: http://milcom.us/2012/11/02/encrypted-mysql-connections/
PS: English is not my native language, sorry for any grammatical error
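The workaround quoted from the manual, as an added example (not from the original answer or the MySQL manual): it concatenates CA certificates into one file for --ssl-ca and rejects the result if two certificates share a subject. It assumes the openssl command-line tool is installed; the file names and the self-signed stand-in CAs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: build the single --ssl-ca file that yaSSL needs and check
# that every certificate in it has a unique subject.
# Assumes the openssl CLI is on PATH. All names below are constructed test values.

# List the subject line of every certificate in a PEM bundle, one per line.
bundle_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout | grep '^subject'
}

# Concatenate CA certificates into one file; fail if two share a subject.
# Usage: build_ca_bundle <out.pem> <cert.pem>...
build_ca_bundle() {
    out="$1"; shift
    # awk 1 copies each file and adds a final newline if one is missing,
    # so END/BEGIN markers of adjacent certificates never run together.
    awk 1 "$@" > "$out" || return 1
    dups=$(bundle_subjects "$out" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate subject in $out: $dups" >&2
        return 1
    fi
    echo "$out: $(bundle_subjects "$out" | wc -l | tr -d ' ') certificates, subjects unique"
}

# make_ca <name> <CN>: constructed self-signed stand-in for a CA certificate.
# Only the subjects matter for this check.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1-key.pem" -out "$1.pem" 2>/dev/null
}

demo_dir=$(mktemp -d) && cd "$demo_dir" || exit 1
make_ca root "Example Root CA"
make_ca intermediate "Example Intermediate CA"
make_ca root-renewed "Example Root CA"    # same subject, different key

build_ca_bundle ca-bundle.pem root.pem intermediate.pem
build_ca_bundle bad-bundle.pem root.pem intermediate.pem root-renewed.pem ||
    echo "bad-bundle.pem does not meet the unique-SubjectName requirement"
```

Pass the resulting bundle to the client by absolute path, for example --ssl-ca=/etc/mysql/ca-bundle.pem (a constructed path).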

I was having the following error:
[root@example ~]$ mysql
ERROR 2026 (HY000): SSL connection error
FIX that worked for me: Server and client "Common Name" in certificates must be different than CA's. After changing the CNs the error stopped; I verified the connection status:
mysql> status;
...
SSL: Cipher in use is DHE-RSA-AES256-SHA
...
Source:
"Important Whatever method you use to generate the certificate and key
files, the Common Name value used for the server and client
certificates/keys must each differ from the Common Name value used for
the CA certificate. Otherwise, the certificate and key files will not
work for servers compiled using OpenSSL."
http://dev.mysql.com/doc/refman/5.0/en/creating-ssl-certs.html
PS: I'm not using wildcard certificates and/or a third party CA, I'm creating my own signed certificates, which works OK for me: http://angelcool.net/sphpblog/comments.php?y=14&m=05&entry=entry140511-164525
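A pre-flight check for the Common Name rule quoted above, as an added example (not from the original answer or the MySQL manual): it compares the CN of each server or client certificate with the CA's CN before the files are deployed. It assumes the openssl command-line tool is installed; the file names, CNs and the throwaway CA are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check that server and client certificate CNs differ from the CA's CN.
# Assumes the openssl CLI is on PATH. All names below are constructed test values.

# Print the commonName of a PEM certificate's subject.
cn_of() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= //p'
}

# Return 0 when every leaf certificate's CN differs from the CA's CN, 1 otherwise.
# Usage: check_cn_distinct ca-cert.pem server-cert.pem [client-cert.pem ...]
check_cn_distinct() {
    ca="$1"; shift
    ca_cn=$(cn_of "$ca")
    rc=0
    for leaf in "$@"; do
        if [ "$(cn_of "$leaf")" = "$ca_cn" ]; then
            echo "FAIL: $leaf has the same CN as the CA ($ca_cn)" >&2
            rc=1
        fi
    done
    return $rc
}

# Sign a certificate with subject CN $2 using the demo CA in the current directory.
# Usage: make_leaf <name> <CN> <serial>  (writes <name>-key.pem and <name>-cert.pem)
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1-key.pem" -out "$1-req.pem" \
        -subj "/CN=$2" 2>/dev/null &&
    openssl x509 -req -in "$1-req.pem" -days 1 -CA ca-cert.pem -CAkey ca-key.pem \
        -set_serial "$3" -out "$1-cert.pem" 2>/dev/null
}

demo_dir=$(mktemp -d) && cd "$demo_dir" || exit 1
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout ca-key.pem -out ca-cert.pem 2>/dev/null
make_leaf server "db.example.test" 1
make_leaf client "app-client" 2
make_leaf clash "Example Test CA" 3    # deliberately reuses the CA's CN

check_cn_distinct ca-cert.pem server-cert.pem client-cert.pem && echo "OK: CNs are distinct"
check_cn_distinct ca-cert.pem clash-cert.pem || echo "clash-cert.pem breaks the CN rule"
```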

MySQL doesn't work with wildcard certificates. There are a number of deficiencies with MySQL and SSL.
See my post on Getting MySQL server to run with SSL (and also the post that I refer to therein).

I connect from CentOS-7 (version of 5.6.29-76.2-log Percona Server and Client)
to CentOS-6 (Server version: 5.6.23-72.1-log Source distribution Percona), and also get this issue.
Adding this option will fix it:
--ssl-cipher=AES128-SHA
Maybe another ssl-cipher will also fix it.

Related

Is there any way to connect to ssl enabled mysql on apache mod_dbd?

I'm currently using mod_dbd (module provided by Apache and manage DB connection)
but I can't find a way to connect to ssl enabled MySQL
I'm using ap_dbd_open function to get db handle
(https://github.com/apache/httpd/blob/trunk/modules/database/mod_dbd.c#L793)
Is there any way to connect to SSL enabled MySQL with mod_dbd module?
You can accomplish this using MySQL options files. First, make up a group name and add it to your DBDParams, e.g. DBDParams "host=somehostname dbname=apache user=apache pass=somepassword group=websvr"
Then, put a group with the same name in a MySQL options file with a colon-separated list of supported ciphers, like this:
[websvr]
ssl-cipher=ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA
Typically your options file will be /etc/mysql/my.cnf. Check your MySQL or MariaDB C-Connector documentation for where options files are located on your platform.
The example above has a short list of two ciphers, but if you have OpenSSL - you can get a full list of supported ciphers with: $ openssl ciphers
If you can connect to your database interactively with $ mysql --ssl --host=somehostname, you can show the supported list of ciphers and the cipher currently being used with mysql> SHOW STATUS LIKE 'ssl_cipher%';
One word of caution: If your server is started as root, but then changes to an unprivileged user ID with the User Directive, don't choose the options file ~/.my.cnf because once the uid is changed your application will not be able to access /root/.my.cnf.

Connecting to MySQL on AWS RDS with SSL pem keys

I set up a new MySQL instance on AWS RDS (Aurora). I added a user that requires SSL, and downloaded the combined ca bundle as described here and here: SSL Connection error, and I can connect via command line and confirm that the user is securely connected. I also turned off the SSL requirement for the user temporarily and was able to connect with MySQL Workbench with SSL turned off.
The problem is that both MySQL Workbench and my Rails app expect three separate files: SSL CA, SSL Cert, and SSL Key.
I'm sure there has to be an easy solution to it, but much Googling is not finding the answer, including this unanswered one on the AWS forums. I appreciate the help.
You don't need any other files. When it comes to the MySQL Workbench you need to provide "SSL CA File" and "Use SSL" ("Require" or "Require and Verify CA").
After that you can verify your connection by using the following command:
SHOW SESSION STATUS LIKE 'Ssl_cipher';

Connect to MySQL using SHA2

I have access to 2 MySQL Servers (one for production and one for development). I have the host, port, database, user, password and the CA Cert file for them. I could connect to both using mysql workbench and from the windows cmd. (Yes, I have to work on windows for now)
Now according to security requirements, I need to connect using protocol TLSv1.2 or TLSv1.2, and Cipher AES256 and SHA2. These are currently not enforced on the development server, but they are on the production, and I am not able to connect on the production right now.
I satisfy AES256 and TLSv1.1 requirement.
But how do I get my client to connect using SHA2? Both Workbench and CMD don't work when I specify a cipher using both AES256 and SHA256 or SHA384. But it works fine if I specify something like AES256-SHA. Does this mean that it is not supported and I need to update something? By default, it uses 'DHE-RSA-AES256-SHA'
If I try to set one of the AES256-SHA2 cipher on the production, I get the error:
ERROR 2026 (HY000): SSL connection error: Failed to set ciphers to use
If I don't specify any ciphers, I get the error
ERROR 2026 (HY000): SSL connection error: unknown error number
I've looked up multiple posts on stackoverflow, mysql devs and mysql bugs website, and none seem to address this.
I have to ultimately get this to work with MS Access, since MySQL will be the backend for it. I even tried creating a system DSN, but the same error pops up.
Maybe the ODBC Connector doesn't support SHA2? I couldn't find anything on this anywhere.
I have the latest version of ODBC and MySQL Workbench.
Turns out, the community versions (free) of MySQL Workbench and ODBC are compiled using yaSSL while the commercial versions use OpenSSL. And SHA2 is not supported by yaSSL. Once I got the commercial versions, I was able to connect using SHA2.

Google Cloud SQL SSL fails peer certificate validation

I have an issue using MySQL on PHP 5.6, and after three days of debugging PHP, OpenSSL, MySQLnd Drivers on PHP and trying out the mysql_client on an Ubuntu 14.04 machine, I have come to a conclusion: Google Cloud SQL SSL certificates will not work on PHP 5.6 and above.
For a start, the Google Cloud is a great service, and modern cryptography is enforced throughout the Google ecosystem. However, I couldn't use it because of one little problem: Google Cloud SQL SSL Server certificates have impossible common names.
Google Cloud SQL Server (or peer) certificates have a Common Name (CN) that looks something like:
CN=project-name:instance-id
To make matters worse, starting from PHP 5.6, all encrypted client streams will go through mandatory peer certificate validation. (Link: OpenSSL changes in PHP 5.6.x). I use the PHP Data Objects (PDO) extension, which uses the native driver MySQLnd to handle all the MySQL business. This uses the native PHP streams to handle those connections.
I have been looking through the MySQLnd source code on PHP (Link: MYSQLnd Driver Code on GitHub), MySQLnd configuration options to try and disable the SSL peer verification code on this particular MySQLND. To no avail.
Therefore, what should I do if I need to use SSL for MySQL connections on PHP 5.6?
Your response is greatly appreciated!
Try connecting through the proxy if you have second generation sql, you might be able to connect pdo via the proxy with 127.0.0.1: https://cloud.google.com/sql/docs/compute-engine-access#gce-connect-proxy
Assuming you can convince MySQL that the hostname it should verify is in fact project-name:instance-id, then I would have thought the hostname validation ought to succeed (though I agree that cert doesn't look great).
I tried the following from my Mac OS X workstation and it appeared to succeed, at least when using the mysql binary (I didn't try via PHP).
First I added a hosts entry on my machine, including the colon as part of the name:
1.2.3.4 project-name:instance-id
After doing so I was able to connect successfully with the mysql (5.6.32) installed on my machine:
mysql -uroot -h "project-name:instance-id" --password \
--ssl \
--ssl-ca ~/Downloads/server-ca.pem \
--ssl-cert ~/Downloads/client-cert.pem \
--ssl-key ~/Downloads/client-key.pem \
--ssl-verify-server-cert
(When I ran that same command with the IP address instead, I received ERROR 2026 (HY000): SSL connection error: SSL certificate validation failure)

MySQL connection using ODBC (5.1) with SSL

We've got a client application that connects to our online MySQL database (5.1.44-community-log) through an ODBC connector (the server is a managed* dedicated webserver). This works very nicely. However, I can't get it to work using SSL. This is what I've done so far:
1. MySQL server
I've got the server manager* set up MySQL with SSL, this is 'proven by':
mysql> SHOW VARIABLES LIKE '%ssl%';
which results in this response:
+---------------+---------------------------------+
| Variable_name | Value                           |
+---------------+---------------------------------+
| have_openssl  | YES                             |
| have_ssl      | YES                             |
| ssl_ca        | /***/mysql-cert/ca-cert.pem     |
| ssl_capath    |                                 |
| ssl_cert      | /***/mysql-cert/server-cert.pem |
| ssl_cipher    |                                 |
| ssl_key       | /***/mysql-cert/server-key.pem  |
+---------------+---------------------------------+
Question: is the server configured right? I'm guessing it is...
2. Certificates
I've purchased real certificates (via my server manager). These are in the directory shown above. I've also downloaded the client-cert.pem, client-key.pem and ca-cert.pem from that directory.
3. MySQL user with REQUIRE [SSL|X509]
I've created a new user and then granted it access from any location (for testing) with SSL:
GRANT USAGE ON *.* TO 'somevaliduser'@'%' IDENTIFIED BY PASSWORD 'somevalidpass' REQUIRE X509
4. ODBC Client
I've (just downloaded and) installed : mysql-connector-odbc-5.1.8-winx64.msi (64-bit) as my machine is a 64-bit Windows 7 machine (so that's not what's wrong).
And I've created a User DSN configuring it like this (no options set on tabs), which shows it connecting to the server (however not using - nor requesting to do so - SSL) successfully (using some valid user which doesn't requires SSL):
So the connection is able to establish, now try using SSL.
This is configured like this, which is like I've read about on MySQL.com. So I'm not 100% sure the options set are right.
As you can see, it results in an error HY000. Turning on tracing (within the ODBC configuration) also shows this error.
Can anyone give me a hint on how to make this work? Even if you know about just a part of the solution?
I solved the problem. Because I tried several things at a time I don't know what did the trick:
I've had the server manager re-create the certificates: I bought some but I found out that those couldn't be used to SSL-encrypt the connection. So for now I'm using OpenSSL certificates. I've had them re-create the certificates with 4) Create your client .... server. They must be unique. (as mentioned here) in mind.
I guess the checkbox 'Verify SSL Certificate' only applies when you buy a certificate and a third party service should check the validity of the certificate. Uncheck that box!
Only fill out the fields:
'SSL Key' (c:\path_to\client-key.pem)
'SSL Certificate' (c:\path_to\client-cert.pem)
'SSL Certificate Authority' (c:\path_to\ca-cert.pem)
Please note:
The port is still the same (for me).
The logs - as Michal Niklas proposed - didn't show any useful information.
I've toggled on 'Use compression' which is said to improve performance.
I am using Ubuntu 12.04 LTS with MySQL
Ver 5.5.22-0ubuntu1 for debian-linux-gnu on x86_64 ((Ubuntu)) and OpenSSL OpenSSL 1.0.1 14 Mar 2012
I created the certificates following the tutorial on
http://www.thomas-krenn.com/de/wiki/MySQL_Verbindungen_mit_SSL_verschl%C3%BCsseln
(The tutorial is in German, but this is not important here).
When trying to connect with
mysql -u root -p --ssl-ca=/etc/mysql/ca-cert.pem --ssl-cert=/etc/mysql/client-cert.pem --ssl-key=/etc/mysql/client-key.pem --protocol=tcp
I always got an error message SSL connection error: protocol version mismatch
This led me to the site
http://bugs.mysql.com/bug.php?id=64870
which confirms (for me) that there is a bug.
To make a long story short: in the end I created all certificates using my MacOS X Lion, copied the certificates to the server and client, and it worked immediately!
When I got the Linux side working, Windows worked immediately, too!
As mentioned above, you just have to set client-key, client-cert and ca-cert!