[CONC-419] mysql_real_connect to MySQL (oracle) server fails with tlsv1 alert unknown ca - Jira

XML

Word

Printable

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Not a Bug
Affects Version/s: 3.0.10
Fix Version/s: N/A
Component/s: None
Labels:
- Compatibility
Environment:

Hide
MariaDB-client 10.2.24 and applications using MariaDB-shared-10.2.24 are unable to connect to any server running mysql-community-server with secure-transport = ON

Server fedora30 running MySQL Community Server 8.0.16 with require-secure-transport = ON

Certificates are self-signed created using openssl (script attached)

NOTE:
mysql-community-client and application using mysql-community-libs have no issues connecting to either mysql-community-server or mariadb-server

Show
MariaDB-client 10.2.24 and applications using MariaDB-shared-10.2.24 are unable to connect to any server running mysql-community-server with secure-transport = ON Server fedora30 running MySQL Community Server 8.0.16 with require-secure-transport = ON Certificates are self-signed created using openssl (script attached) NOTE: mysql-community-client and application using mysql-community-libs have no issues connecting to either mysql-community-server or mariadb-server

Issue always happens when the server is mysql-community-server 8.x and client is either mariadb-client or any application linked with mariadb-shared libs
mysql-community-client and applicaiton linked with mysql-commnity-libs have no issues connecting to either mysql-community-server or mariadb-server
Happens only when the mysql-community-server has require-secure-transport = ON

MariaDB Client Environment 172.17.0.2

$ cat /etc/centos-release

CentOS Linux release 7.6.1810 (Core)

$ mysql --version

mysql  Ver 15.1 Distrib 10.2.24-MariaDB, for Linux (x86_64) using readline 5.1

$ ls -l /usr/lib64/libmysqlclient*

The client also runs a mariadb server to which I am able to connect without issues

$ mysqld -V

mysqld  Ver 10.2.24-MariaDB for Linux on x86_64 (MariaDB Server)

I have the following in my ini file on my MariaDB client machine

[client]

port      = 3306

socket    = /var/run/mysqld/mysqld.sock

# MySQL Client SSL configuration

ssl-ca=/var/indimail/mysqldb/ssl/ca.pem

ssl-cert=/var/indimail/mysqldb/ssl/client-cert.pem

ssl-key=/var/indimail/mysqldb/ssl/client-key.pem

# This option is disabled by default

#ssl-verify-server-cert

[mysqld]

# * Basic Settings

# * IMPORTANT

#   If you make changes to these settings and your system uses apparmor, you may

#   also need to also adjust /etc/apparmor.d/usr.sbin.mysqld.

#sql_mode="NO_ENGINE_SUBSTITUTION,NO_ZERO_DATE,NO_ZERO_IN_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,STRICT_ALL_TABLES"

sql_mode="NO_ENGINE_SUBSTITUTION,STRICT_ALL_TABLES"

ssl

explicit-defaults-for-timestamp=TRUE

user     = mysql

socket   = /var/run/mysqld/mysqld.sock

port     = 3306

basedir  = /usr

datadir  = /var/indimail/mysqldb/data

character-set-client-handshake = FALSE

character-set-server = utf8mb4

collation-server = utf8mb4_unicode_ci

# MySQL Server SSL configuration

# Securing the Database with ssl option and certificates

# There is no control over the protocol level used.

# mariadb will use TLSv1.0 or better.

ssl

ssl-ca=/var/indimail/mysqldb/ssl/ca.pem

ssl-cert=/var/indimail/mysqldb/ssl/server-cert.pem

ssl-key=/var/indimail/mysqldb/ssl/server-key.pem

Even the mariadb command line client fails with the same error

$ mysql -u indimail -p -h 172.17.0.1

Enter password:

ERROR 2026 (HY000): SSL connection error: tlsv1 alert unknown ca

All my applications which dynamically load /usr/lib64/libmariadb.so.3 give the same error.
e.g.

$ vuserinfo postmaster@example.com

open_central_db: mysql_real_connect: 172.17.0.1: SSL connection error: tlsv1 alert unknown ca

However I am able to connect to other MariaDB servers. e.g.

mysql -u indimail -p -h 172.17.0.2

Enter password:

Welcome to the MariaDB monitor.  Commands end with ; or \g.

Your MariaDB connection id is 11

Server version: 10.2.24-MariaDB-log MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

MySQL Server Environment 172.17.0.1

-----------------------------------

$ cat /etc/fedora-release

Fedora release 30 (Thirty)

$ mysqld --version

/usr/sbin/mysqld  Ver 8.0.16 for Linux on x86_64 (MySQL Community Server - GPL)

This is what is observed on the mysql-community-server logs

2019-06-12T16:29:50.481981Z 50 [Note] [MY-010914] [Server] Bad handshake

2019-06-12T16:42:16.555878Z 53 [Note] [MY-010914] [Server] Bad handshake

2019-06-12T16:43:21.439351Z 55 [Note] [MY-010914] [Server] Bad handshake

2019-06-12T16:47:42.763384Z 56 [Note] [MY-010914] [Server] Bad handshake

2019-06-12T16:47:58.390220Z 57 [Note] [MY-010914] [Server] Bad handshake

2019-06-12T16:54:15.045510Z 59 [Note] [MY-010914] [Server] Bad handshake

2019-06-12T16:57:25.219389Z 61 [Note] [MY-010914] [Server] Bad handshake

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.