[openssl.org #3911] 1.0.2c: some kind of regression - fails to connect to server where 1.0.2a works fine


Rich Salz via RT

Hello.

I've just upgraded from 1.0.2a to 1.0.2c and now I no longer can connect from
mysql client to my mysql server. Downgrading to 1.0.2a and the problem is gone.

1.0.2c:

$ mysql -u user -p -h host
Enter password:
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)

1.0.2a:

$ mysql -u user -p -h host
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 233
Server version: 5.6.20-68.0-log PLD/Linux Distribution MySQL RPM

Copyright (c) 2009-2015 Percona LLC and/or its affiliates
Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

13:00:05 mysql{1}> \s
--------------
mysql  Ver 14.14 Distrib 5.6.24-72.2, for Linux (x86_64) using  6.3

Connection id:          233
Current database:
Current user:           [hidden email]
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
[...]


Server side is using 1.0.2a.

--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )

_______________________________________________
openssl-bugs-mod mailing list
[hidden email]
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl.org #3911] 1.0.2c: some kind of regression - fails to connect to server where 1.0.2a works fine

Tomas Mraz-2
On Mon, 2015-06-15 at 14:22 +0000, Arkadiusz Miskiewicz via RT wrote:
> Hello.
>
> I've just upgraded from 1.0.2a to 1.0.2c and now I no longer can connect from
> mysql client to my mysql server. Downgrading to 1.0.2a and the problem is gone.
>

That's because mysql server hardcodes 512 bits DH parameters. That's
insecure and connect is prevented by the LOGJAM fix. You can configure
the server to not use DH ciphersuites as a workaround, or patch the
mysql server to use at least 1024 bits DH parameters.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)
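
The client-side check described in the reply above, as an added example that is not part of the original thread and is not OpenSSL's code: it parses a DHE ServerKeyExchange handshake message and rejects a modulus below a configurable floor. The 1024-bit floor comes from the reply; all function names are hypothetical and the sample moduli are constructed values, not real DH primes.

```python
import struct

MIN_DH_BITS = 1024  # assumption: floor taken from the reply ("at least 1024 bits")

class HandshakeError(ValueError):
    """Raised when the message is not a well-formed DHE ServerKeyExchange."""

def _read_vector(buf, off):
    """Read a TLS opaque<1..2^16-1> vector: 2-byte big-endian length, then data."""
    if off + 2 > len(buf):
        raise HandshakeError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    end = off + 2 + n
    if n == 0 or end > len(buf):
        raise HandshakeError("bad vector length")
    return buf[off + 2:end], end

def dh_prime_bits(msg):
    """Return the bit length of dh_p in a DHE ServerKeyExchange message."""
    if len(msg) < 4 or msg[0] != 12:  # handshake type 12 = server_key_exchange
        raise HandshakeError("not a ServerKeyExchange")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise HandshakeError("truncated handshake body")
    p, off = _read_vector(body, 0)      # dh_p
    _g, off = _read_vector(body, off)   # dh_g
    _ys, off = _read_vector(body, off)  # dh_Ys (the signature follows; ignored here)
    return int.from_bytes(p, "big").bit_length()

def check_server_dh(msg, min_bits=MIN_DH_BITS):
    """Return (accepted, bits) for the server's DH modulus."""
    bits = dh_prime_bits(msg)
    return bits >= min_bits, bits

def build_ske(p, g, ys):
    """Constructed-input helper: encode ServerDHParams without a signature."""
    raw = [v.to_bytes((v.bit_length() + 7) // 8, "big") for v in (p, g, ys)]
    body = b"".join(struct.pack("!H", len(x)) + x for x in raw)
    return bytes([12]) + len(body).to_bytes(3, "big") + body

# Constructed sample moduli of the right size; they are NOT real DH primes.
WEAK_P = (1 << 511) | 1     # 512 bits, the size the reply says the server hardcodes
STRONG_P = (1 << 2047) | 1  # 2048 bits

if __name__ == "__main__":
    for name, p in (("512-bit", WEAK_P), ("2048-bit", STRONG_P)):
        ok, bits = check_server_dh(build_ske(p, 2, 3))
        print(f"{name}: dh_p is {bits} bits -> {'accept' if ok else 'reject'}")
```
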



Re: [openssl.org #3911] 1.0.2c: some kind of regression - fails to connect to server where 1.0.2a works fine

Todd Farmer
In reply to this post by Rich Salz via RT
Hello Arkadiusz,

On 6/15/2015 8:22 AM, Arkadiusz Miskiewicz via RT wrote:
> I've just upgraded from 1.0.2a to 1.0.2c and now I no longer can connect from
> mysql client to my mysql server. Downgrading to 1.0.2a and the problem is gone.
>
> 1.0.2c:
>
> $ mysql -u user -p -h host
> Enter password:
> ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)

You seem to be running into the following:

http://bugs.mysql.com/bug.php?id=77275

It's fixed in MySQL Server 5.7 (RC), and will be fixed in 5.6 (GA)
shortly.  You appear to be using Percona builds, so they may apply the
patch from 5.7 on a different schedule - best to inquire directly with them.

Best regards,

--
Todd Farmer
Director, Technical Product Management, MySQL
MySQL @ Oracle
