Tony Mountifield
2015-Aug-18  08:55 UTC
[CentOS] C5 recent openssl update breaks mysql SSL connection
In article <55D2ED32.6040000 at hogranch.com>,
John R Pierce <pierce at hogranch.com> wrote:
> On 8/18/2015 1:27 AM, Tony Mountifield wrote:
> >> You should now be using mysql55 on CentOS-5, not mysql-5.0
> > That may well be the case, but isn't relevant to the point I'm making,
> > which is that something changed in openssl-0.9.8e-36 that has broken something.
>
> mysql 5.0 and openssl 0.9.8 are both ancient and way past their
> expiration date.

Maybe so, but still a side issue. Openssl 0.9.8e was recently updated.
Some change in this update has broken something. I would like to understand
what, and so ought the package maintainers. C5 isn't EOL until March 2017.

Cheers
Tony
--
Tony Mountifield
Work: tony at softins.co.uk - http://www.softins.co.uk
Play: tony at mountifield.org - http://tony.mountifield.org
Leon Fauster
2015-Aug-18  09:20 UTC
[CentOS] C5 recent openssl update breaks mysql SSL connection
On 18.08.2015 at 10:55, tony at softins.co.uk (Tony Mountifield) wrote:
> In article <55D2ED32.6040000 at hogranch.com>,
> John R Pierce <pierce at hogranch.com> wrote:
>> On 8/18/2015 1:27 AM, Tony Mountifield wrote:
>>> That may well be the case, but isn't relevant to the point I'm making,
>>> which is that something changed in openssl-0.9.8e-36 that has broken something.
>>
>> mysql 5.0 and openssl 0.9.8 are both ancient and way past their
>> expiration date.
>
> Maybe so, but still a side issue. Openssl 0.9.8e was recently updated.
> Some change in this update has broken something. I would like to understand
> what, and so ought the package maintainers. C5 isn't EOL until March 2017.

What is important in this case is that a different combination of software
packages, one that is not within the scenario of upstream's philosophy, is
not supported and can lead to unexpected behavior. As always recommended by
any advisory:

"Before applying this update, make sure all previously released errata
relevant to your system have been applied."

Why EL5 is on MySQL 5.5 and EL6 on MySQL 5.1 is a different question
(only upstream can answer).

I recommended updating your (client and server) systems to the current
supported state (5.11) with all relevant updates applied. This includes
the mentioned migration to mysql55-mysql. Our EL5 setup/service passes
this migration seamlessly. And then check your problem in this new
environment ...

--
LF
lhecking at users.sourceforge.net
2015-Aug-18  09:27 UTC
[CentOS] C5 recent openssl update breaks mysql SSL connection
> Maybe so, but still a side issue. Openssl 0.9.8e was recently updated.
> Some change in this update has broken something. I would like to understand
> what, and so ought the package maintainers. C5 isn't EOL until March 2017.

rpm -q --changelog openssl-0.9.8e. You weren't clear which version you
upgraded from, but you mentioned testing against openssl-0.9.8e-27.el5_10.1
(from March 2014, nevertheless), which works.

I would hazard a guess that this is the change causing your problem.

* Fri Jun 26 2015 Tomas Mraz <tmraz at redhat.com> 0.9.8e-36
- also change the default DH parameters in s_server to 1024 bits

Here's some more info,

https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/

RH must have backported this fix to 0.9.8e.

There seem to be many reports out there that the openssl update broke mysql,
but unfortunately, at a quick glance, they are all about RHEL6/openssl 1.0.1,
so you're most likely on your own. I'm quite ignorant of mysql, but it looks
like you may be able to get this to work again by changing the cipher in mysql
and regenerating your cert.

https://www.howtoforge.com/how-to-set-up-mysql-database-replication-with-ssl-encryption-on-centos-5.4
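The changelog check suggested in the message above can be narrowed to the entries added after a known-good build. The following is an added example, not part of the original post: the function names are hypothetical, and the sample changelog is constructed except for the 0.9.8e-36 entry quoted in the thread (the `0.9.8e-27.1` header form for the older build is an assumption).

```shell
#!/bin/sh
# Constructed sample of `rpm -q --changelog openssl` output, newest entry first.
# Only the 0.9.8e-36 entry is quoted from the thread; the other two are
# placeholders, and the "0.9.8e-27.1" header form is an assumption.
sample_changelog() {
cat <<'EOF'
* Fri Jun 26 2015 Tomas Mraz <tmraz at redhat.com> 0.9.8e-36
- also change the default DH parameters in s_server to 1024 bits

* Mon Jun 01 2015 Example Packager <packager at example.com> 0.9.8e-35
- (constructed placeholder entry, unrelated change)

* Mon Mar 03 2014 Example Packager <packager at example.com> 0.9.8e-27.1
- (constructed placeholder entry that mentions DH)
EOF
}

# entries_since GOOD: print the entries listed before the first header whose
# version field (last word of the "* " line) starts with GOOD.
entries_since() {
    awk -v good="$1" '
        /^\* / && index($NF, good) == 1 { exit }
        { print }
    '
}

# dh_entries: print the header of each entry whose body mentions DH.
dh_entries() {
    awk '
        /^\* /              { header = $0; next }
        /DH|Diffie-Hellman/ { if (header != "") print header; header = "" }
    '
}

# suspects GOOD: DH-related entries added after the known-good build.
suspects() {
    entries_since "$1" | dh_entries
}

# On an affected host: rpm -q --changelog openssl | suspects 0.9.8e-27
sample_changelog | suspects 0.9.8e-27
```
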
Leon Fauster
2015-Aug-18  09:32 UTC
[CentOS] C5 recent openssl update breaks mysql SSL connection
On 18.08.2015 at 11:27, lhecking at users.sourceforge.net wrote:
>
>> Maybe so, but still a side issue. Openssl 0.9.8e was recently updated.
>> Some change in this update has broken something. I would like to understand
>> what, and so ought the package maintainers. C5 isn't EOL until March 2017.
>
> rpm -q --changelog openssl-0.9.8e. You weren't clear which version you
> upgraded from, but you mentioned testing against openssl-0.9.8e-27.el5_10.1
> (from March 2014, nevertheless), which works.
>
> I would hazard a guess that this is the change causing your problem.
>
> * Fri Jun 26 2015 Tomas Mraz <tmraz at redhat.com> 0.9.8e-36
> - also change the default DH parameters in s_server to 1024 bits
>
> Here's some more info,
>
> https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
>
> RH must have backported this fix to 0.9.8e.
>
> There seem to be many reports out there that the openssl update broke mysql,
> but unfortunately, at a quick glance, they are all about RHEL6/openssl 1.0.1,
> so you're most likely on your own. I'm quite ignorant of mysql, but it looks
> like you may be able to get this to work again by changing the cipher in mysql
> and regenerating your cert.
>
> https://www.howtoforge.com/how-to-set-up-mysql-database-replication-with-ssl-encryption-on-centos-5.4
>

http://lists.centos.org/pipermail/centos/2015-July/153753.html

--
LF
Tony Mountifield
2015-Aug-18  10:43 UTC
[CentOS] C5 recent openssl update breaks mysql SSL connection
In article <20150818092704.GA13601 at users.sourceforge.net>,
<lhecking at users.sourceforge.net> wrote:
>
> > Maybe so, but still a side issue. Openssl 0.9.8e was recently updated.
> > Some change in this update has broken something. I would like to understand
> > what, and so ought the package maintainers. C5 isn't EOL until March 2017.
>
> rpm -q --changelog openssl-0.9.8e. You weren't clear which version you
> upgraded from, but you mentioned testing against openssl-0.9.8e-27.el5_10.1
> (from March 2014, nevertheless), which works.
>
> I would hazard a guess that this is the change causing your problem.
>
> * Fri Jun 26 2015 Tomas Mraz <tmraz at redhat.com> 0.9.8e-36
> - also change the default DH parameters in s_server to 1024 bits
>
> Here's some more info,
>
> https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
>
> RH must have backported this fix to 0.9.8e.
>
> There seem to be many reports out there that the openssl update broke mysql,
> but unfortunately, at a quick glance, they are all about RHEL6/openssl 1.0.1,
> so you're most likely on your own. I'm quite ignorant of mysql, but it looks
> like you may be able to get this to work again by changing the cipher in mysql
> and regenerating your cert.
>
> https://www.howtoforge.com/how-to-set-up-mysql-database-replication-with-ssl-encryption-on-centos-5.4

Interesting... many thanks for the pointers! Something for me to experiment with...

Cheers
Tony
--
Tony Mountifield
Work: tony at softins.co.uk - http://www.softins.co.uk
Play: tony at mountifield.org - http://tony.mountifield.org