CentOS - Aug 2015 - C5 recent openssl update breaks mysql SSL connection

In article <55D20981.7030902 at centos.org>,
Johnny Hughes <johnny at centos.org> wrote:
> On 08/17/2015 10:57 AM, Tony Mountifield wrote:
> > I recently applied updates to a CentOS 5 box running MySQL. I've
discovered
> > that the new version of openssl, 0.9.8e-36.0.1.el5_11, breaks MySQL
SSL
> > connections.
> > 
> > If I rename /lib/libssl.so.0.9.8e and replace it with the old version
of
> > that file from openssl-0.9.8e-27.el5_10.1 (not sure if that is the
next
> > oldest, but it was handy), then SSL connection to MySQL works again.
> > 
> > I then performed cross-checks using the server with new libssl and the
> > client with old, and then vice versa. What I found was that it
didn't
> > matter whether the server was started with the old libssl or the new
libssl.
> > In both cases, the mysql client would only connect using the old
libssl,
> > and not when using the new libssl.
> > 
> > When it works with the old libssl, I can confirm that SSL is in use:
> > 
> > mysql> \s
> > --------------
> > mysql  Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (i386) using
readline 5.1
> > 
> > Connection id:          2
> > Current database:
> > Current user:           root at localhost
> > SSL:                    Cipher in use is DHE-RSA-AES256-SHA
> > 
> > The error with the new libssl looks like this:
> > 
> > [root at hostname ~]# mysql
> > ERROR 2026 (HY000): SSL connection error
> > 
> > Has anyone else come across this? Is it a bug in SSL? Or a new
restriction?
> > Do I need to regenerate my certificates using the new openssl?
> > 
> > Cheers
> > Tony
> > 
> 
> You should now be using mysql55 on CentOS-5, not mysql-5.0
That may well be the case, but isn't relevant to the point I'm making,
which is that something changed in openssl-0.9.8e-36 that has broken something.

Cheers
Tony
-- 
Tony Mountifield
Work: tony at softins.co.uk - http://www.softins.co.uk
Play: tony at mountifield.org - http://tony.mountifield.org

On 8/18/2015 1:27 AM, Tony Mountifield wrote:
>> You should now be using mysql55 on CentOS-5, not mysql-5.0
> That may well be the case, but isn't relevant to the point I'm
making,
> which is that something changed in openssl-0.9.8e-36 that has broken
something.
mysql 5.0 and openssl 0.9.8 are both ancient and way past their 
expiration date.



-- 
john r pierce, recycling bits in santa cruz

In article <55D2ED32.6040000 at hogranch.com>,
John R Pierce <pierce at hogranch.com> wrote:
> On 8/18/2015 1:27 AM, Tony Mountifield wrote:
> >> You should now be using mysql55 on CentOS-5, not mysql-5.0
> > That may well be the case, but isn't relevant to the point I'm
making,
> > which is that something changed in openssl-0.9.8e-36 that has broken
something.
> 
> mysql 5.0 and openssl 0.9.8 are both ancient and way past their 
> expiration date.
Maybe so, but still a side issue. Openssl 0.9.8e was recently updated.
Some change in this update has broken something. I would like to understand
what, and so ought the package maintainers. C5 isn't EOL until March 2017.

Cheers
Tony
-- 
Tony Mountifield
Work: tony at softins.co.uk - http://www.softins.co.uk
Play: tony at mountifield.org - http://tony.mountifield.org