CentOS - Aug 2015 - C5 recent openssl update breaks mysql SSL connection

On 08/17/2015 11:19 AM, Johnny Hughes wrote:
> On 08/17/2015 10:57 AM, Tony Mountifield wrote:
>> I recently applied updates to a CentOS 5 box running MySQL. I've
discovered
>> that the new version of openssl, 0.9.8e-36.0.1.el5_11, breaks MySQL SSL
>> connections.
>>
>> If I rename /lib/libssl.so.0.9.8e and replace it with the old version
of
>> that file from openssl-0.9.8e-27.el5_10.1 (not sure if that is the next
>> oldest, but it was handy), then SSL connection to MySQL works again.
>>
>> I then performed cross-checks using the server with new libssl and the
>> client with old, and then vice versa. What I found was that it
didn't
>> matter whether the server was started with the old libssl or the new
libssl.
>> In both cases, the mysql client would only connect using the old
libssl,
>> and not when using the new libssl.
>>
>> When it works with the old libssl, I can confirm that SSL is in use:
>>
>> mysql> \s
>> --------------
>> mysql  Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (i386) using
readline 5.1
>>
>> Connection id:          2
>> Current database:
>> Current user:           root at localhost
>> SSL:                    Cipher in use is DHE-RSA-AES256-SHA
>>
>> The error with the new libssl looks like this:
>>
>> [root at hostname ~]# mysql
>> ERROR 2026 (HY000): SSL connection error
>>
>> Has anyone else come across this? Is it a bug in SSL? Or a new
restriction?
>> Do I need to regenerate my certificates using the new openssl?
>>
>> Cheers
>> Tony
>>
> 
> You should now be using mysql55 on CentOS-5, not mysql-5.0
In case you did not understand my post, here is how one is supposed to
move from mysql-5.0 to mysql55 and why:

https://rhn.redhat.com/errata/RHEA-2013-1329.html

https://rhn.redhat.com/errata/RHEA-2013-1330.html

Thanks,
Johnny Hughes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.centos.org/pipermail/centos/attachments/20150817/7a1ef6f1/attachment-0001.sig>

In article <55D2174F.70509 at centos.org>,
Johnny Hughes <johnny at centos.org> wrote:
> On 08/17/2015 11:19 AM, Johnny Hughes wrote:
> > On 08/17/2015 10:57 AM, Tony Mountifield wrote:
> >> I recently applied updates to a CentOS 5 box running MySQL.
I've discovered
> >> that the new version of openssl, 0.9.8e-36.0.1.el5_11, breaks
MySQL SSL
> >> connections.
> >>
> >> If I rename /lib/libssl.so.0.9.8e and replace it with the old
version of
> >> that file from openssl-0.9.8e-27.el5_10.1 (not sure if that is the
next
> >> oldest, but it was handy), then SSL connection to MySQL works
again.
> >>
> >> I then performed cross-checks using the server with new libssl and
the
> >> client with old, and then vice versa. What I found was that it
didn't
> >> matter whether the server was started with the old libssl or the
new libssl.
> >> In both cases, the mysql client would only connect using the old
libssl,
> >> and not when using the new libssl.
> >>
> >> When it works with the old libssl, I can confirm that SSL is in
use:
> >>
> >> mysql> \s
> >> --------------
> >> mysql  Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (i386) using
readline 5.1
> >>
> >> Connection id:          2
> >> Current database:
> >> Current user:           root at localhost
> >> SSL:                    Cipher in use is DHE-RSA-AES256-SHA
> >>
> >> The error with the new libssl looks like this:
> >>
> >> [root at hostname ~]# mysql
> >> ERROR 2026 (HY000): SSL connection error
> >>
> >> Has anyone else come across this? Is it a bug in SSL? Or a new
restriction?
> >> Do I need to regenerate my certificates using the new openssl?
> >>
> >> Cheers
> >> Tony
> >>
> > 
> > You should now be using mysql55 on CentOS-5, not mysql-5.0
> 
> In case you did not understand my post, here is how one is supposed to
> move from mysql-5.0 to mysql55 and why:
> 
> https://rhn.redhat.com/errata/RHEA-2013-1329.html
> 
> https://rhn.redhat.com/errata/RHEA-2013-1330.html
Thanks. I eventually found the more specific link at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/ch-Migrating_from_MySQL_5.0_to_MySQL_5.5.html

However, the only "why" I could find was "Red Hat will not issue
any more
security advisories for the MySQL 5.0 packages (mysql-5.0.* and related
packages). Security advisories will be provided only for MySQL 5.5."
Nothing to indicate that anything in 5.0 is inherently broken. Are there
any more specific reasons? It appears to be working fine.

And is the same true for C6, which comes with mysql 5.1, that one should
use mysql55 from SCL instead? Why, or why not?

Cheers
Tony

-- 
Tony Mountifield
Work: tony at softins.co.uk - http://www.softins.co.uk
Play: tony at mountifield.org - http://tony.mountifield.org

On 08/18/2015 03:47 AM, Tony Mountifield wrote:
> In article <55D2174F.70509 at centos.org>,
> Johnny Hughes <johnny at centos.org> wrote:
>> On 08/17/2015 11:19 AM, Johnny Hughes wrote:
>>> On 08/17/2015 10:57 AM, Tony Mountifield wrote:
>>>> I recently applied updates to a CentOS 5 box running MySQL.
I've discovered
>>>> that the new version of openssl, 0.9.8e-36.0.1.el5_11, breaks
MySQL SSL
>>>> connections.
>>>>
>>>> If I rename /lib/libssl.so.0.9.8e and replace it with the old
version of
>>>> that file from openssl-0.9.8e-27.el5_10.1 (not sure if that is
the next
>>>> oldest, but it was handy), then SSL connection to MySQL works
again.
>>>>
>>>> I then performed cross-checks using the server with new libssl
and the
>>>> client with old, and then vice versa. What I found was that it
didn't
>>>> matter whether the server was started with the old libssl or
the new libssl.
>>>> In both cases, the mysql client would only connect using the
old libssl,
>>>> and not when using the new libssl.
>>>>
>>>> When it works with the old libssl, I can confirm that SSL is in
use:
>>>>
>>>> mysql> \s
>>>> --------------
>>>> mysql  Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (i386)
using readline 5.1
>>>>
>>>> Connection id:          2
>>>> Current database:
>>>> Current user:           root at localhost
>>>> SSL:                    Cipher in use is DHE-RSA-AES256-SHA
>>>>
>>>> The error with the new libssl looks like this:
>>>>
>>>> [root at hostname ~]# mysql
>>>> ERROR 2026 (HY000): SSL connection error
>>>>
>>>> Has anyone else come across this? Is it a bug in SSL? Or a new
restriction?
>>>> Do I need to regenerate my certificates using the new openssl?
>>>>
>>>> Cheers
>>>> Tony
>>>>
>>>
>>> You should now be using mysql55 on CentOS-5, not mysql-5.0
>>
>> In case you did not understand my post, here is how one is supposed to
>> move from mysql-5.0 to mysql55 and why:
>>
>> https://rhn.redhat.com/errata/RHEA-2013-1329.html
>>
>> https://rhn.redhat.com/errata/RHEA-2013-1330.html
> 
> Thanks. I eventually found the more specific link at
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/ch-Migrating_from_MySQL_5.0_to_MySQL_5.5.html
> 
> However, the only "why" I could find was "Red Hat will not
issue any more
> security advisories for the MySQL 5.0 packages (mysql-5.0.* and related
> packages). Security advisories will be provided only for MySQL 5.5."
> Nothing to indicate that anything in 5.0 is inherently broken. Are there
> any more specific reasons? It appears to be working fine.
> 
Working fine is NOT secure.  The fact that they have not issued any
security update for MySQL 5.0 since mid 2013 .. and since then there
have been 4 security issues fixed in EL5 (1 Important, 3 Moderate) in
the mysql55 updates.
> And is the same true for C6, which comes with mysql 5.1, that one should
> use mysql55 from SCL instead? Why, or why not?
> 
No, I would use the version of mysql that is supported in the distro.
For EL5, the supported version is the mysql55.  For EL6 it is the
mysql-5.1 version.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.centos.org/pipermail/centos/attachments/20150818/df5ec46b/attachment-0001.sig>