Tony Mountifield
2015-Aug-17 15:57 UTC
[CentOS] C5 recent openssl update breaks mysql SSL connection
I recently applied updates to a CentOS 5 box running MySQL. I've discovered that the new version of openssl, 0.9.8e-36.0.1.el5_11, breaks MySQL SSL connections. If I rename /lib/libssl.so.0.9.8e and replace it with the old version of that file from openssl-0.9.8e-27.el5_10.1 (not sure if that is the next oldest, but it was handy), then SSL connection to MySQL works again. I then performed cross-checks using the server with new libssl and the client with old, and then vice versa. What I found was that it didn't matter whether the server was started with the old libssl or the new libssl. In both cases, the mysql client would only connect using the old libssl, and not when using the new libssl. When it works with the old libssl, I can confirm that SSL is in use: mysql> \s -------------- mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (i386) using readline 5.1 Connection id: 2 Current database: Current user: root at localhost SSL: Cipher in use is DHE-RSA-AES256-SHA The error with the new libssl looks like this: [root at hostname ~]# mysql ERROR 2026 (HY000): SSL connection error Has anyone else come across this? Is it a bug in SSL? Or a new restriction? Do I need to regenerate my certificates using the new openssl? Cheers Tony -- Tony Mountifield Work: tony at softins.co.uk - http://www.softins.co.uk Play: tony at mountifield.org - http://tony.mountifield.org
Johnny Hughes
2015-Aug-17 16:19 UTC
[CentOS] C5 recent openssl update breaks mysql SSL connection
On 08/17/2015 10:57 AM, Tony Mountifield wrote:> I recently applied updates to a CentOS 5 box running MySQL. I've discovered > that the new version of openssl, 0.9.8e-36.0.1.el5_11, breaks MySQL SSL > connections. > > If I rename /lib/libssl.so.0.9.8e and replace it with the old version of > that file from openssl-0.9.8e-27.el5_10.1 (not sure if that is the next > oldest, but it was handy), then SSL connection to MySQL works again. > > I then performed cross-checks using the server with new libssl and the > client with old, and then vice versa. What I found was that it didn't > matter whether the server was started with the old libssl or the new libssl. > In both cases, the mysql client would only connect using the old libssl, > and not when using the new libssl. > > When it works with the old libssl, I can confirm that SSL is in use: > > mysql> \s > -------------- > mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (i386) using readline 5.1 > > Connection id: 2 > Current database: > Current user: root at localhost > SSL: Cipher in use is DHE-RSA-AES256-SHA > > The error with the new libssl looks like this: > > [root at hostname ~]# mysql > ERROR 2026 (HY000): SSL connection error > > Has anyone else come across this? Is it a bug in SSL? Or a new restriction? > Do I need to regenerate my certificates using the new openssl? > > Cheers > Tony >You should now be using mysql55 on CentOS-5, not mysql-5.0 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: OpenPGP digital signature URL: <http://lists.centos.org/pipermail/centos/attachments/20150817/9eab6191/attachment-0001.sig>
Johnny Hughes
2015-Aug-17 17:18 UTC
[CentOS] C5 recent openssl update breaks mysql SSL connection
On 08/17/2015 11:19 AM, Johnny Hughes wrote:> On 08/17/2015 10:57 AM, Tony Mountifield wrote: >> I recently applied updates to a CentOS 5 box running MySQL. I've discovered >> that the new version of openssl, 0.9.8e-36.0.1.el5_11, breaks MySQL SSL >> connections. >> >> If I rename /lib/libssl.so.0.9.8e and replace it with the old version of >> that file from openssl-0.9.8e-27.el5_10.1 (not sure if that is the next >> oldest, but it was handy), then SSL connection to MySQL works again. >> >> I then performed cross-checks using the server with new libssl and the >> client with old, and then vice versa. What I found was that it didn't >> matter whether the server was started with the old libssl or the new libssl. >> In both cases, the mysql client would only connect using the old libssl, >> and not when using the new libssl. >> >> When it works with the old libssl, I can confirm that SSL is in use: >> >> mysql> \s >> -------------- >> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (i386) using readline 5.1 >> >> Connection id: 2 >> Current database: >> Current user: root at localhost >> SSL: Cipher in use is DHE-RSA-AES256-SHA >> >> The error with the new libssl looks like this: >> >> [root at hostname ~]# mysql >> ERROR 2026 (HY000): SSL connection error >> >> Has anyone else come across this? Is it a bug in SSL? Or a new restriction? >> Do I need to regenerate my certificates using the new openssl? >> >> Cheers >> Tony >> > > You should now be using mysql55 on CentOS-5, not mysql-5.0In case you did not understand my post, here is how one is supposed to move from mysql-5.0 to mysql55 and why: https://rhn.redhat.com/errata/RHEA-2013-1329.html https://rhn.redhat.com/errata/RHEA-2013-1330.html Thanks, Johnny Hughes -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: OpenPGP digital signature URL: <http://lists.centos.org/pipermail/centos/attachments/20150817/7a1ef6f1/attachment-0001.sig>
Tony Mountifield
2015-Aug-18 08:27 UTC
[CentOS] C5 recent openssl update breaks mysql SSL connection
In article <55D20981.7030902 at centos.org>, Johnny Hughes <johnny at centos.org> wrote:> On 08/17/2015 10:57 AM, Tony Mountifield wrote: > > I recently applied updates to a CentOS 5 box running MySQL. I've discovered > > that the new version of openssl, 0.9.8e-36.0.1.el5_11, breaks MySQL SSL > > connections. > > > > If I rename /lib/libssl.so.0.9.8e and replace it with the old version of > > that file from openssl-0.9.8e-27.el5_10.1 (not sure if that is the next > > oldest, but it was handy), then SSL connection to MySQL works again. > > > > I then performed cross-checks using the server with new libssl and the > > client with old, and then vice versa. What I found was that it didn't > > matter whether the server was started with the old libssl or the new libssl. > > In both cases, the mysql client would only connect using the old libssl, > > and not when using the new libssl. > > > > When it works with the old libssl, I can confirm that SSL is in use: > > > > mysql> \s > > -------------- > > mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (i386) using readline 5.1 > > > > Connection id: 2 > > Current database: > > Current user: root at localhost > > SSL: Cipher in use is DHE-RSA-AES256-SHA > > > > The error with the new libssl looks like this: > > > > [root at hostname ~]# mysql > > ERROR 2026 (HY000): SSL connection error > > > > Has anyone else come across this? Is it a bug in SSL? Or a new restriction? > > Do I need to regenerate my certificates using the new openssl? > > > > Cheers > > Tony > > > > You should now be using mysql55 on CentOS-5, not mysql-5.0That may well be the case, but isn't relevant to the point I'm making, which is that something changed in openssl-0.9.8e-36 that has broken something. Cheers Tony -- Tony Mountifield Work: tony at softins.co.uk - http://www.softins.co.uk Play: tony at mountifield.org - http://tony.mountifield.org
Seemingly Similar Threads
- C5 recent openssl update breaks mysql SSL connection
- C5 recent openssl update breaks mysql SSL connection
- C5 recent openssl update breaks mysql SSL connection
- C5 recent openssl update breaks mysql SSL connection
- C5 recent openssl update breaks mysql SSL connection