[MDEV-13706] MariaDB compiled with OpenSSL is not compatible with old MySQL yaSSL client Created: 2017-09-01  Updated: 2017-09-06  Resolved: 2017-09-06

Status: Closed
Project: MariaDB Server
Component/s: SSL
Affects Version/s: 10.2.8
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: jianwei zhao Assignee: Sergei Golubchik
Resolution: Not a Bug Votes: 0
Labels: None
Environment:

Linux 2.6.23
openSSL 1.0.1e
MariaDB 10.2.8


Attachments: File ca.pem     File server-cert.pem     File server-key.pem    

 Description   

Hi, pretty guys.

I want to improve our product environment's security level, so I compiled MariaDB 10.2.8 with OpenSSL 1.0.1e. But when I use an old yaSSL client to connect to the server, it fails. The OpenSSL-compiled client is OK.

[my.cnf]
ssl-cert=/home/server-cert.pem
ssl-key=/home/server-key.pem

mysql> show global variables like '%ssl%';
+---------------------+--------------------------------------------+
| Variable_name       | Value                                      |
+---------------------+--------------------------------------------+
| have_openssl        | YES                                        |
| have_ssl            | YES                                        |
| ssl_ca              |                                            |
| ssl_capath          |                                            |
| ssl_cert            | /home/server-cert.pem |
| ssl_cipher          |                                            |
| ssl_crl             |                                            |
| ssl_crlpath         |                                            |
| ssl_key             | /home/server-key.pem  |
| version_ssl_library | OpenSSL 1.0.1e-fips 11 Feb 2013            |
+---------------------+--------------------------------------------+

When I used the OpenSSL-compiled MariaDB 10.2.8 client to connect to the server, it succeeded:

$ /u01/jianwei.zhao/mariadb/bin/mysql -h127.0.0.1 -usu -P3306 --ssl-ca=/home/ca.pem -psu
 
MariaDB [(none)]> show status like '%ssl_version%';
+---------------+---------+
| Variable_name | Value   |
+---------------+---------+
| Ssl_version   | TLSv1.2 |
+---------------+---------+
1 row in set (0.00 sec)

But when I used a MySQL 5.6 or earlier client, or a yaSSL-compiled MariaDB client, to connect to the server, they all failed:

#mysql_5616/bin/mysql -h127.0.0.1 -usu -P3306 --ssl-ca=/home/ca.pem  -psu
ERROR 2026 (HY000): SSL connection error: unknown error number

So, does it mean that a MariaDB server compiled with OpenSSL is not compatible with old yaSSL clients?



 Comments   
Comment by Sergei Golubchik [ 2017-09-01 ]

It might be MDEV-12190, which is a bug in YaSSL, fixed in MariaDB 10.2.6.

If you use MySQL with YaSSL or MariaDB before 10.2.6, bug MDEV-12190 is not fixed, and you need to manually choose TLSv1.1.

Comment by jianwei zhao [ 2017-09-02 ]

Hi,
thank you for your lovely reply.

As you suggested, I have tried the newest MariaDB 10.2.8 & 10.3, and confirmed that the code has fixed MDEV-12190.
But the problem is still there.

When I use the OpenSSL-compiled MariaDB client, the connection succeeds:

/home/mariadb/bin/mysql -h127.0.0.1 -usu -P3306 --ssl-ca=/u01/jianwei.zhao/newcerts/ca.pem -psu
MariaDB [(none)]> show status like 'ssl_version'
+---------------+---------+
| Variable_name | Value   |
+---------------+---------+
| Ssl_version   | TLSv1.2 |
+---------------+---------+

When I used the old yaSSL-compiled client, still an error:

ERROR 2026 (HY000): SSL connection error: unknown error number.

I have found that there is a workaround:
[my.cnf]
ssl-ca=/home/ca.pem
ssl-cert=/home/server-cert.pem
ssl-key=/home/server-key.pem

/home/mysql_5616/bin/mysql -h127.0.0.1 -usu -P3306 --ssl-ca=/home/ca.pem --ssl-cert=/home/client-cert.pem --ssl-key=/home/client-key.pem -psu

If I use all of ssl-ca, ssl-cert and ssl-key on both server and client, then all the old clients can connect to the OpenSSL-compiled MariaDB.
But we have almost one thousand applications that use only the --ssl-ca parameter in the client, so I have no way to stay compatible with old applications if I upgrade the MariaDB server.

Is it really a bug or some mistake?

Comment by jianwei zhao [ 2017-09-02 ]

I wonder whether OpenSSL requires X509 by default, even though 'CREATE USER......' didn't require
X509 explicitly, since the problem disappears if all of ssl-ca, ssl-cert and ssl-key are enabled.

Comment by jianwei zhao [ 2017-09-02 ]

Hi,
sorry to interrupt you again.

I debugged the MariaDB compiled with OpenSSL 1.0.1e:

[my.cnf]
ssl-cert=/home/server-cert.pem
ssl-key=/home/server-key.pem

grant all on *.* to su@'%' identified by 'su' require SSL;
 /home/mysql_5616/bin/mysql -h127.0.0.1 -usu -P3306 --ssl-ca=/home/ca.pem -psu

The MariaDB server error stack as below:

#1  ssl3_get_client_certificate	(s=0x2b80cc024100) at s3_srvr.c:3198
#2  ssl3_accept (s=0x2b80cc024100) at s3_srvr.c:589
#3  SSL_accept (s=0x2b80cc024100) at ssl_lib.c:940
#4  ssl23_get_client_hello (s=0x2b80cc024100) at s23_srvr.c:634
#5  ssl23_accept (s=0x2b80cc024100) at s23_srvr.c:210
#6  SSL_accept (s=0x2b80cc024100) at ssl_lib.c:940
#6  ssl_handshake_loop (vio=0x2b80cc025150, ssl=0x2b80cc024100, func=0x2b8015a204b7 <SSL_accept>,	ssl_errno_holder=0x2b80c447ffc8) at /u01/jianwei.zhao/mysql-server/vio/viossl.c:357
#7  ssl_do (ptr=0x8d77ba0, vio=0x2b80cc025150, timeout=10, func=0x2b8015a204b7 <SSL_accept>, ssl_errno_holder=0x2b80c447ffc8) at /u01/jianwei.zhao/mysql-server/vio/viossl.c:441
#8  sslaccept (ptr=0x8d77ba0, vio=0x2b80cc025150,	timeout=10, ssl_errno_holder=0x2b80c447ffc8) at /u01/jianwei.zhao/mysql-server/vio/viossl.c:494
#9  parse_client_handshake_packet
#10 server_mpvio_read_packet (param=0x2b80c4480430, buf=0x2b80c4480118) 
#11 native_password_authenticate (vio=0x2b80c4480430, info=0x2b80c4480448) 

/* If tls asked for a client cert, the client must return a 0 list */
3198        if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request)
3199            {
3200            SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
3201            al=SSL_AD_UNEXPECTED_MESSAGE;
3202            goto f_err;

It seems that it required a cert and failed, but I didn't require X509 when creating the user.
So confused.

Comment by jianwei zhao [ 2017-09-02 ]

Sergei, is that you?
Maybe we have met and talked at New York M|17. I am Jianwei Zhao, from Alibaba, the author of the first version of the Sequence Engine.

Thank you for your reply.

This problem I have encountered also exists on MySQL 5.7.18.
If it is not compatible with old clients, I can't upgrade so many instances; it is very dangerous.

Comment by Sergei Golubchik [ 2017-09-04 ]

Yes, that's me, hi

I cannot repeat this issue. I tried MariaDB 10.0 client compiled with yassl and MariaDB 10.2 server compiled with OpenSSL 1.0.1e-fips. But it connected just fine and ssl was used.

Do you have fips enabled in your setup?

Comment by jianwei zhao [ 2017-09-04 ]

Hi, Sergei

I have tried MariaDB again, as you said,

Server version: 10.3.2-MariaDB-debug-log Source distribution
 
Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
MariaDB [(none)]> show global variables like '%ssl%';
+---------------------+--------------------------------------------+
| Variable_name       | Value                                      |
+---------------------+--------------------------------------------+
| have_openssl        | YES                                        |
| have_ssl            | YES                                        |
| ssl_ca              |                                            |
| ssl_capath          |                                            |
| ssl_cert            | /home/server-cert.pem |
| ssl_cipher          |                                            |
| ssl_crl             |                                            |
| ssl_crlpath         |                                            |
| ssl_key             | /home/server-key.pem  |
| version_ssl_library | OpenSSL 1.0.1e-fips 11 Feb 2013            |
+---------------------+--------------------------------------------+

The yaSSL-compiled MariaDB 10.0 client can connect to the OpenSSL-compiled MariaDB 10.3 server.

Since I can't control the customers' client library on Alibaba Cloud RDS MySQL,
I have tried the lower MySQL community versions 5.5 and 5.6, but they failed.

I have checked the official MySQL git log and found this:

commit e8b17e31edd97b773a2b0d50e0f1d8ffe17ed81e
Author: Anirudh Mangipudi <anirudh.mangipudi@oracle.com>
Date:   Wed Jan 8 19:40:28 2014 +0530
 
    Bug#16715064 MYSQL COMMUNITY UTILITIES CANNOT CONNECT TO MYSQL ENTERPRISE
    WITH SSL ENABLED
    Problem:
    It was reported that MySQL community utilities cannot connect to a MySQL
    Enterprise 5.6.x server with SSL configured. We can reproduce the issue
    when we try to connect an MySQL Enterprise Server with a MySQL Client with
    --ssl-ca parameter enabled.
    We get an ERROR 2026 (HY000): SSL connection error: unknown error number.
 
    Solution:
    The root cause of the problem was determined to be the difference in handling
    of the certificates by OpenSSL(Enterprise) and yaSSL(Community). OpenSSL expects
    a blank certificate to be sent when a parameter (ssl-ca, or ssl-cert or ssl-key)
    has not been specified.On the other hand yaSSL doesn't send any certificate and
    since OpenSSL does not expect this behaviour it returns an Unknown SSL error.
    The issue was resolved by yaSSL adding capability to send blank certificate when
    any of the parameter is missing.

Maybe this is the reason the community yaSSL client can't connect to the enterprise OpenSSL server.

But, but... It leaves me so embarrassed. If I want to upgrade to TLSv1.2, I have no chance to upgrade my customers' client libraries, since we have more than ten thousand customers. Tears......
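The commit message quoted above hinges on one TLS detail: a server that requests a client certificate (OpenSSL's SSL_VERIFY_PEER, which MariaDB's acceptor sets) must still accept a conforming client that has no certificate, because such a client answers the CertificateRequest with an empty Certificate message; only a client that omits the message entirely, as the old yaSSL did, triggers the SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST error seen in the backtrace. The following is an added example, written in Go against the standard crypto/tls package and not code from the ticket, MariaDB or MySQL. It runs a TLS 1.2 handshake over loopback between a server using each client-auth policy and a client that holds no certificate at all, like the "--ssl-ca only" clients described in this thread. The mapping of Go's ClientAuthType values to the OpenSSL flags in the comments is this example's assumption; the server certificate is generated in memory, so the ticket's attached PEM files are not needed. Go's client is conforming, so the example cannot reproduce the yaSSL omission itself; what it shows is that the server-side verify mode alone does not reject a certificate-less client unless a "fail if no peer cert" policy is configured.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedServerCert builds a throwaway server certificate in memory.
// It is constructed for this example; the ticket's server-cert.pem and
// server-key.pem attachments are not used.
func selfSignedServerCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-server"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// HandshakeWithoutClientCert performs one TLS 1.2 handshake over loopback
// between a server using the given client-auth policy and a client that
// holds no certificate. ok reports whether the handshake succeeded; err is
// only set when the setup itself (certificate generation, listener, dial)
// fails, so a policy-driven rejection shows up as ok == false, err == nil.
func HandshakeWithoutClientCert(policy tls.ClientAuthType) (ok bool, err error) {
	cert, err := selfSignedServerCert()
	if err != nil {
		return false, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	defer ln.Close()

	srvConf := &tls.Config{
		Certificates: []tls.Certificate{cert},
		ClientAuth:   policy,
		// Pin TLS 1.2, the version the ticket's OpenSSL 1.0.1e server negotiates.
		MinVersion: tls.VersionTLS12,
		MaxVersion: tls.VersionTLS12,
	}
	serverErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			serverErr <- err
			return
		}
		defer raw.Close()
		raw.SetDeadline(time.Now().Add(5 * time.Second))
		serverErr <- tls.Server(raw, srvConf).Handshake()
	}()

	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	// The client has no Certificates configured. When the server asks for one,
	// a conforming client replies with an empty Certificate message, the
	// "blank certificate" the MySQL commit message describes. Server trust is
	// not under test here, hence InsecureSkipVerify.
	cliConf := &tls.Config{InsecureSkipVerify: true, MaxVersion: tls.VersionTLS12}
	cliErr := tls.Client(raw, cliConf).Handshake()
	sErr := <-serverErr
	return cliErr == nil && sErr == nil, nil
}

func main() {
	// Assumed correspondence to OpenSSL verify flags (this example's mapping):
	//   NoClientCert         ~ SSL_VERIFY_NONE (no CertificateRequest is sent)
	//   RequestClientCert    ~ SSL_VERIFY_PEER (request, but accept an empty list)
	//   RequireAnyClientCert ~ SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT
	for _, p := range []struct {
		name   string
		policy tls.ClientAuthType
	}{
		{"NoClientCert", tls.NoClientCert},
		{"RequestClientCert", tls.RequestClientCert},
		{"RequireAnyClientCert", tls.RequireAnyClientCert},
	} {
		ok, err := HandshakeWithoutClientCert(p.policy)
		fmt.Printf("%-22s cert-less client accepted: %v (setup error: %v)\n", p.name, ok, err)
	}
}
```

Run as a plain `go run` program; it prints one line per policy. The practical reading for this ticket: a server left at the original `SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE` setting accepts any client that speaks the protocol correctly, so the fix belongs on the non-conforming client side (MySQL 5.5.37 or later, as the thread concludes) rather than in relaxing what the server requests.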

Comment by Sergei Golubchik [ 2017-09-05 ]

I see, thanks.

In 5.5 it was commit 634bb833796c7cd46b88cb81be55d4635a3aea67, released with MySQL-5.5.37.

So any reasonably recent MySQL or MariaDB, 5.5.37 or later should have this bug fixed.

As a workaround, I don't know if you have some kind of central configuration for all clients, but if you can ensure that they always specify all the three parameters — ssl-ca, or ssl-cert or ssl-key — then it should work too, the commit comment says the bug happens when some parameters are not specified.

Comment by jianwei zhao [ 2017-09-05 ]

Unfortunately we only supply CA.pem to the client and set the ssl-cert and ssl-key configuration on the server on Alibaba
Public Cloud.
So if the client version is lower than 5.5.37, it must happen.

I have to cover the yaSSL bug unwillingly, so I patched it as below:

 
 
[Bugfix] issue#588 Compatible with the yaSSL client when upgrade openSSL
 
diff --git a/vio/viosslfactories.c b/vio/viosslfactories.c
index fca9607..70573b3 100644
--- a/vio/viosslfactories.c
+++ b/vio/viosslfactories.c
@@ -557,7 +557,14 @@ new_VioSSLAcceptorFd(const char *key_file, const char *cert_file,
                      const long ssl_ctx_flags)
 {
   struct st_VioSSLFd *ssl_fd;
-  int verify= SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
+
+  int verify= SSL_VERIFY_CLIENT_ONCE;
+
+  if (ca_file && key_file && cert_file)
+    verify|= SSL_VERIFY_PEER;
+  else
+    verify|= SSL_VERIFY_NONE;
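Review bot: in the `else` branch, `verify|= SSL_VERIFY_NONE;` is a no-op because SSL_VERIFY_NONE is 0, and SSL_VERIFY_CLIENT_ONCE has no effect without SSL_VERIFY_PEER, so the branch really sets `verify = SSL_VERIFY_NONE` and the server stops sending a CertificateRequest altogether; writing that assignment explicitly would make the intent visible. The `if (ca_file && key_file && cert_file)` condition also needs a comment: key_file and cert_file are already required for the acceptor to have a certificate at all, so in practice the switch is ssl-ca, and on a server without ssl-ca any account created with `REQUIRE X509` (mentioned earlier in this thread) can no longer be presented a certificate by its clients. Since this makes the handshake the server performs depend on its configuration, the change should be documented next to the ssl-ca option and the hunk should state that it exists only to tolerate yaSSL clients older than the Bug#16715064 fix quoted above.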

I really didn't want that, but I have no choice.

Thanks again; I caused you some trouble. Hope you have a good time.
If convenient, I hope you come to China, maybe for the MariaDB Developer Meeting, 2017-2nd at Shenzhen.

Comment by Sergei Golubchik [ 2017-09-06 ]

Yes, I plan to. Thank you!

Generated at Thu Feb 08 08:07:43 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.