Details
-
Task
-
Status: Confirmed (View Workflow)
-
Major
-
Resolution: Unresolved
-
None
Description
I generated certificates according to the instructions in the KnowledgeBase:
https://mariadb.com/kb/en/certificate-creation-with-openssl/
I created a ca-cert, a server and a client certificate
and set up the server using:
[mysqld]
|
bind-address=0.0.0.0
|
ssl
|
ssl-ca=/etc/mysql/ssl/ca-cert.pem
|
ssl-cert=/etc/mysql/ssl/server-cert.pem
|
ssl-key=/etc/mysql/ssl/server-key.pem
|
In the following snippets 192.168.23.15 is my linux server, 192.168.23.66 a Windows10 machine. The database user name I use is "secure".
I can connect from linux clients using the client certificate just fine, e.g.:
mysql -h 192.168.23.15 -p -u secure --ssl-ca=ssl/ca-cert.pem --ssl-key=ssl/client-key.pem --ssl-cert=ssl/client-cert.pem
|
Enter password:
|
Welcome to the MariaDB monitor. Commands end with ; or \g.
|
...
|
and I can verify that encryption is indeed used:
Trying to connect from the Windows machine I can't connect though:
mysql -u secure -p -h 192.168.23.15 --ssl-ca=\ssl\ca-cert.pem --ssl-key=\ssl\client-key.pem --ssl-cert=\ssl\client-cert.pem
|
Enter password: ******
|
ERROR 2026 (HY000): SSL connection error: no cipher match. Error 0x80090331(SEC_E_ALGORITHM_MISMATCH)
|
I CAN connect from windows to linux using encryption when just giving the --ssl option without explicit client certificate:
~ > mysql -h 192.168.23.66 -p -u secure --ssl
|
Enter password:
|
Welcome to the MariaDB monitor. Commands end with ; or \g.
|
Your MariaDB connection id is 7
|
Server version: 10.5.10-MariaDB mariadb.org binary distribution
|
|
|
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
|
|
|
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
|
|
|
(none) 10.5.10-MariaDB
|
> show status like 'ssl_version';
|
+---------------+---------+
|
| Variable_name | Value |
|
+---------------+---------+
|
| Ssl_version | TLSv1.2 |
|
+---------------+---------+
|
1 row in set (0.006 sec)
|
|
|
(none) 10.5.10-MariaDB
|
> show status like 'ssl_cipher';
|
+---------------+--------------------+
|
| Variable_name | Value |
|
+---------------+--------------------+
|
| Ssl_cipher | DHE-RSA-AES256-SHA |
|
+---------------+--------------------+
|
1 row in set (0.016 sec)
|
When setting up MariaDB server on the windows size with the same server certificate as on Linux, and trying to connect locally using the client certificate I'm getting:
C:\Program Files\MariaDB 10.5\data>mysql -h 192.168.23.66 -u secure -p --ssl --ssl-ca=\ssl\ca-cert.pem --ssl-key=\ssl\client-key.pem --ssl-cert=\ssl\client-cert.pem
|
Enter password: ******
|
ERROR 2026 (HY000): SSL connection error: An unknown error occurred while processing the certificate. Error 0x80090327(SEC_E_CERT_UNKNOWN)
|
And when trying to connect to that windows server from linux (only server IP changed from .15 to .66 after verifying that things work locally):
~ > mysql -h 192.168.23.66 -p -u secure --ssl-ca=/etc/mysql/ssl/ca-cert.pem --ssl-key=/etc/mysql/ssl/client-key.pem --ssl-cert=/etc/mysql/ssl/client-cert.pem --Enter password:
|
ERROR 2026 (HY000): SSL connection error: sslv3 alert bad certificate
|
Again, when just using the --ssl option without explicit client certificate the connection is established using TLS v1.2 just fine.
Also when using MySQL 5.7 on the windows side, which uses OpenSSL instead of WolfSSL, things work just fine both ways with explicit client certificate.
So there seems to be some problem with WolfSSL and certificate verification, at least when the certificates were created using OpenSSL as described in our knowledge base.
Attachments
Issue Links
- relates to
-
CONC-538 Can't connect via SSL
-
- Open
-
-
-
- Closed
-
- split to
-
-
- Closed
-
- mentioned in
-
Page Loading...