MariaDB Connector/C / CONC-419

mysql_real_connect to MySQL (oracle) server fails with tlsv1 alert unknown ca

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not a Bug
    • Affects Version/s: 3.0.10
    • Fix Version/s: N/A
    • Labels:
    • Environment:

      Description

      • Issue always happens when the server is mysql-community-server 8.x and the client is either mariadb-client or any application linked with mariadb-shared libs
      • mysql-community-client and applications linked with mysql-community-libs have no issues connecting to either mysql-community-server or mariadb-server
      • Happens only when the mysql-community-server has require-secure-transport = ON

      MariaDB Client Environment 172.17.0.2

      $ cat /etc/centos-release
      CentOS Linux release 7.6.1810 (Core)
      $ mysql --version
      mysql  Ver 15.1 Distrib 10.2.24-MariaDB, for Linux (x86_64) using readline 5.1
      $ ls -l /usr/lib64/libmysqlclient*
      

      The client also runs a mariadb server to which I am able to connect without issues

      $ mysqld -V
      mysqld  Ver 10.2.24-MariaDB for Linux on x86_64 (MariaDB Server)
      

      I have the following in my ini file on my MariaDB client machine

      [client]
      port      = 3306
      socket    = /var/run/mysqld/mysqld.sock
       
      # MySQL Client SSL configuration
      ssl-ca=/var/indimail/mysqldb/ssl/ca.pem
      ssl-cert=/var/indimail/mysqldb/ssl/client-cert.pem
      ssl-key=/var/indimail/mysqldb/ssl/client-key.pem
      # This option is disabled by default
      #ssl-verify-server-cert
       
      [mysqld]
      #
      # * Basic Settings
      #
       
      #
      # * IMPORTANT
      #   If you make changes to these settings and your system uses apparmor, you may
      #   also need to also adjust /etc/apparmor.d/usr.sbin.mysqld.
      #
       
      #sql_mode="NO_ENGINE_SUBSTITUTION,NO_ZERO_DATE,NO_ZERO_IN_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,STRICT_ALL_TABLES"
      sql_mode="NO_ENGINE_SUBSTITUTION,STRICT_ALL_TABLES"
      ssl
      explicit-defaults-for-timestamp=TRUE
      user     = mysql
      socket   = /var/run/mysqld/mysqld.sock
      port     = 3306
      basedir  = /usr
      datadir  = /var/indimail/mysqldb/data
      character-set-client-handshake = FALSE
      character-set-server = utf8mb4
      collation-server = utf8mb4_unicode_ci
       
      # MySQL Server SSL configuration
      # Securing the Database with ssl option and certificates
      # There is no control over the protocol level used.
      # mariadb will use TLSv1.0 or better.
      ssl
      ssl-ca=/var/indimail/mysqldb/ssl/ca.pem
      ssl-cert=/var/indimail/mysqldb/ssl/server-cert.pem
      ssl-key=/var/indimail/mysqldb/ssl/server-key.pem
      

      Even the mariadb command line client fails with the same error

      $ mysql -u indimail -p -h 172.17.0.1
      Enter password:
      ERROR 2026 (HY000): SSL connection error: tlsv1 alert unknown ca
      

      All my applications which dynamically load /usr/lib64/libmariadb.so.3 give the same error.
      e.g.

      $ vuserinfo postmaster@example.com
      open_central_db: mysql_real_connect: 172.17.0.1: SSL connection error: tlsv1 alert unknown ca
      

      However I am able to connect to other MariaDB servers. e.g.

      mysql -u indimail -p -h 172.17.0.2
      Enter password: 
      Welcome to the MariaDB monitor.  Commands end with ; or \g.
      Your MariaDB connection id is 11
      Server version: 10.2.24-MariaDB-log MariaDB Server
       
      Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
       
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
       
      MariaDB [(none)]> 
       
      MySQL Server Environment 172.17.0.1
      -----------------------------------
      $ cat /etc/fedora-release
      Fedora release 30 (Thirty)
       
      $ mysqld --version
      /usr/sbin/mysqld  Ver 8.0.16 for Linux on x86_64 (MySQL Community Server - GPL)
       
      This is what is observed on the mysql-community-server logs
      2019-06-12T16:29:50.481981Z 50 [Note] [MY-010914] [Server] Bad handshake
      2019-06-12T16:42:16.555878Z 53 [Note] [MY-010914] [Server] Bad handshake
      2019-06-12T16:43:21.439351Z 55 [Note] [MY-010914] [Server] Bad handshake
      2019-06-12T16:47:42.763384Z 56 [Note] [MY-010914] [Server] Bad handshake
      2019-06-12T16:47:58.390220Z 57 [Note] [MY-010914] [Server] Bad handshake
      2019-06-12T16:54:15.045510Z 59 [Note] [MY-010914] [Server] Bad handshake
      2019-06-12T16:57:25.219389Z 61 [Note] [MY-010914] [Server] Bad handshake
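
An added check, not part of the original report: OpenSSL prints `tlsv1 alert unknown ca` when the peer sends that alert, meaning the peer could not chain the certificate it was shown to a CA it trusts. The script below tests whether a certificate (for example the `ssl-cert` of a `[client]` section) verifies against a given CA file. The function names are assumptions, and the CAs and certificate in `demo` are constructed throwaway material, not files from this report.

```shell
#!/bin/sh
# Added example: throwaway CAs and certificate are constructed here for illustration.

# chains_to_ca CA_FILE CERT_FILE: exit 0 if CERT_FILE verifies against CA_FILE
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_ca DIR NAME: self-signed CA key and certificate (constructed test material)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2-key.pem" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_leaf DIR CA_NAME LEAF_NAME: key and certificate signed by CA_NAME
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3-key.pem" -out "$1/$3.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/$3.csr" -days 1 -CA "$1/$2.pem" \
        -CAkey "$1/$2-key.pem" -set_serial 1 -out "$1/$3.pem" >/dev/null 2>&1
}

# check_pair CA_FILE CERT_FILE: prints "trusted" or "unknown-ca"
check_pair() {
    if chains_to_ca "$1" "$2"; then echo trusted; else echo unknown-ca; fi
}

# demo: one client certificate checked against its own CA and against an
# unrelated CA, the situation in which a verifying peer answers "unknown ca"
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" client-side-ca && make_ca "$d" server-side-ca &&
    make_leaf "$d" client-side-ca client-cert || { rm -rf "$d"; return 1; }
    same=$(check_pair "$d/client-side-ca.pem" "$d/client-cert.pem")
    other=$(check_pair "$d/server-side-ca.pem" "$d/client-cert.pem")
    rm -rf "$d"
    echo "$same $other"
}

# Real use: sh check.sh /path/to/ca.pem /path/to/cert.pem
if [ "$#" -eq 2 ]; then check_pair "$1" "$2"; fi
```

Run it once with the CA file the server is configured with and the client certificate, and once with the client's CA file and the server certificate, to see which direction of the handshake cannot be verified.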
      

        Attachments

        1. alert_21.png
          197 kB
        2. indimail.cnf
          2 kB
        3. mariadb_ssl_rsa_setup
          4 kB
        4. mariadb_ssl_rsa_setup
          3 kB
        5. mysql-communit-server_details.txt
          3 kB
        6. tcpdump_client.out
          6 kB
        7. tcpdump_server.out
          6 kB
        8. tcpdump.client_without_key.txt
          12 kB
        9. tcpdump.client.txt
          8 kB
        10. tcpdump.server_without_key.txt
          12 kB
        11. tcpdump.server.txt
          8 kB

            People

            Assignee:
            georg Georg Richter
            Reporter:
            cprogrammer Manvendra Bhangui