I am working with MySQL and generated the certificates to use with MySQL to enable SSL.
Here are SSL configs:
mysql> show variables like '%ssl%';
+---------------+----------------------------+
| Variable_name | Value                      |
+---------------+----------------------------+
| have_openssl  | YES                        |
| have_ssl      | YES                        |
| ssl_ca        | /etc/mysql/ca-cert.pem     |
| ssl_capath    |                            |
| ssl_cert      | /etc/mysql/server-cert.pem |
| ssl_cipher    |                            |
| ssl_key       | /etc/mysql/server-key.pem  |
+---------------+----------------------------+
7 rows in set (0.00 sec)
It seems to be working fine, and it looks like I applied the certificates to the MySQL server correctly.
The problem occurs when creating a connection to the MySQL server from a remote host:
mysql -u app1 -p -h 192.168.33.131 --ssl --ssl-capath=<path>/ssl/ --ssl-ca=<path>/ca-cert.pem --ssl-cert=<path>/client-cert.pem --ssl-key=<path>/client-key.pem
Enter password:
ERROR 2026 (HY000): SSL connection error: protocol version mismatch
It seems to be having some issue with the certificates, or maybe something else.
Environment:
OS: Ubuntu 14.04
MySQL: 5.5.41
OpenSSL: OpenSSL 1.0.1f 6 Jan 2014
Right-click on the particular MySQL instance and select "Edit Connection". Select the "SSL" tab under Connection Method. Open the "Use SSL" drop-down and choose "If Available" instead of "Required". Click the "Test Connection" button at the lower right to make sure you can now connect without errors ...
OFFICIAL SOLUTION ACCORDING TO THE MYSQL WEBSITE: Run this in the session you want to verify:
SELECT * FROM performance_schema.session_status WHERE VARIABLE_NAME IN ('Ssl_version','Ssl_cipher');
If you get the cipher and version strings, then the connection is encrypted.
MySQL client programs support an --ssl-mode option that enables you to specify the security state of the connection to the server. The --ssl-mode option comprises the capabilities of the client-side --ssl and --ssl-verify-server-cert options.
https://bugs.mysql.com/bug.php?id=64870
At the bottom:
If you're using 'openssl req -newkey rsa:2048 ...' to generate keys, please be advised that openssl 1.0 and newer now store private keys in the PKCS#8 format instead of PKCS#1.
Make PKCS#8 the default write format for private keys, replacing the traditional format. This form is standardised, more secure and doesn't include an implicit MD5 dependency. [Steve Henson]
These keys will have a PEM header such as:
-----BEGIN PRIVATE KEY-----
If MySQL is compiled with YaSSL as its SSL implementation (which I believe is the default), these keys won't load and MySQL will complain at startup:
[Warning] Failed to setup SSL
[Warning] SSL error: Unable to get private key
YaSSL expects RSA private keys in the PKCS#1 format, with the PEM header:
-----BEGIN RSA PRIVATE KEY-----
Various pieces of "advice" online suggest that you can change the PEM header and footer of those PKCS#8 private keys to get them to work with MySQL/yaSSL. That will indeed stop MySQL from complaining at startup, but unfortunately SSL connections against MySQL will still fail with something like:
**ERROR 2026 (HY000): SSL connection error: protocol version mismatch**
To fix this, convert the key to the older PKCS#1 RSAPrivateKey format using 'openssl rsa'.
$ openssl rsa -in key-from-openssl-1.pem -out pkcs1-yassl-compatible-key.pem
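The answer above hinges on a distinction the PEM header does not reliably show: what matters is the DER structure inside the base64 body, which is why relabelling "BEGIN PRIVATE KEY" as "BEGIN RSA PRIVATE KEY" silences the startup warning but still breaks the handshake. The following is an added example, not part of the original answer and not code from MySQL, yaSSL or OpenSSL. Using only the Python standard library, it decodes a PEM file, classifies the body as PKCS#8 (PrivateKeyInfo wrapping an rsaEncryption OID) or PKCS#1 (a bare RSAPrivateKey sequence of nine INTEGERs) regardless of the label, and unwraps a PKCS#8 key into PKCS#1, which is what 'openssl rsa' does for an unencrypted RSA key. The sample key is a constructed textbook-sized toy (p=61, q=53) built inline so the script runs offline; it is not a usable key. Passphrase-protected keys ("BEGIN ENCRYPTED PRIVATE KEY") are reported as unknown rather than converted.

```python
"""Classify and convert RSA private keys between PKCS#8 and PKCS#1 PEM.

Added example for the yaSSL key-format problem; stdlib only. The DER
helpers handle just the tags this problem needs (SEQUENCE, INTEGER, OID,
NULL, OCTET STRING), which is enough to see through a relabelled header.
"""
import base64

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


# --- minimal DER encoder/decoder ----------------------------------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v):
    # (bit_length + 8) // 8 leaves room for a leading 0x00 when the MSB is set
    return der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def der_read(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length


def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = der_read(body, pos)
        out.append((tag, inner))
    return out


# --- PEM framing --------------------------------------------------------
def pem_encode(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_decode(pem):
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    label = lines[0][len("-----BEGIN "):-len("-----")]
    return label, base64.b64decode("".join(lines[1:-1]))


# --- constructed toy key (textbook RSA numbers, NOT a real key) ---------
def toy_pkcs1_der():
    p, q, e, d = 61, 53, 17, 2753
    fields = [0, p * q, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    return der_tlv(0x30, b"".join(der_int(x) for x in fields))  # RSAPrivateKey


def pkcs8_wrap(pkcs1_der):
    """PrivateKeyInfo ::= SEQUENCE { version, AlgorithmIdentifier, OCTET STRING }"""
    alg = der_tlv(0x30, der_tlv(0x06, RSA_ENCRYPTION_OID) + der_tlv(0x05, b""))
    return der_tlv(0x30, der_int(0) + alg + der_tlv(0x04, pkcs1_der))


# --- the actual checks --------------------------------------------------
def key_format(der):
    """Classify by structure, ignoring whatever the PEM label claims."""
    tag, body, _ = der_read(der)
    if tag != 0x30:
        return "unknown"
    kids = der_children(body)
    if len(kids) == 9 and all(t == 0x02 for t, _ in kids):
        return "PKCS#1"
    if [t for t, _ in kids] == [0x02, 0x30, 0x04]:
        alg = der_children(kids[1][1])
        if alg and alg[0] == (0x06, RSA_ENCRYPTION_OID):
            return "PKCS#8"
    return "unknown"  # encrypted PKCS#8, EC keys, garbage, ...


def inspect_pem(pem):
    label, der = pem_decode(pem)
    return label, key_format(der)


def convert_pem(pem):
    """Same effect as `openssl rsa -in in.pem -out out.pem` for an unencrypted RSA key."""
    _, der = pem_decode(pem)
    fmt = key_format(der)
    if fmt == "PKCS#1":
        return pem_encode("RSA PRIVATE KEY", der)
    if fmt != "PKCS#8":
        raise ValueError("not an unencrypted RSA key in PKCS#1 or PKCS#8 form")
    rsa_private_key = der_children(der_read(der)[1])[2][1]  # OCTET STRING payload
    return pem_encode("RSA PRIVATE KEY", rsa_private_key)


if __name__ == "__main__":
    pkcs8_pem = pem_encode("PRIVATE KEY", pkcs8_wrap(toy_pkcs1_der()))
    relabeled = pkcs8_pem.replace("PRIVATE KEY", "RSA PRIVATE KEY")  # the header-editing "fix"
    print(inspect_pem(pkcs8_pem))               # ('PRIVATE KEY', 'PKCS#8')
    print(inspect_pem(relabeled))               # ('RSA PRIVATE KEY', 'PKCS#8'): header lies
    print(inspect_pem(convert_pem(pkcs8_pem)))  # ('RSA PRIVATE KEY', 'PKCS#1')
```

Point inspect_pem at the server-key.pem MySQL is configured with: if it reports PKCS#8 while the label says RSA PRIVATE KEY, the header was edited and yaSSL will still fail; run the 'openssl rsa' conversion from the answer (or convert_pem) and restart the server.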