[MDEV-22215] openssl s_client error 1408F10B
Created: 2020-04-10  Updated: 2020-04-12  Resolved: 2020-04-12

Status: Closed
Project: MariaDB Server
Component/s: SSL
Affects Version/s: None
Fix Version/s: N/A

Type: Bug
Priority: Minor
Reporter: Oy5p aegh
Assignee: Sergei Golubchik
Resolution: Not a Bug
Votes: 0
Labels: None
Environment: Debian 10 (Buster)



 Description   

Hello!

I get this error when trying to inspect the MariaDB 10.4 certificate with:

openssl s_client -connect srv.addr.tld:3306
 
error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:

Though the server certificate seems fine:

openssl verify -CAfile ca.pem server-cert.pem
server-cert.pem: OK

Is this expected behavior?

Update:
It works if the OpenSSL version is >= 1.1.1 and the -starttls option is set:

openssl s_client -starttls mysql -connect srv.addr.tld:3306



 Comments   
Comment by Sergei Golubchik [ 2020-04-12 ]

Yes, it is expected. MariaDB/MySQL client-server protocol does not start from a TLS handshake.

To go into details, first the server sends a "welcome" packet, plain-text, no SSL at all. Then the client replies with "please switch to SSL", then the server starts the TLS handshake.

That is, you need a client that understands the MariaDB/MySQL client-server protocol to be able to get to the TLS handshake and to receive the certificate from the server.

The new OpenSSL version works because it knows the MariaDB/MySQL protocol (it's enough only to support the first "welcome" packet, not everything), that's why you specify -starttls mysql.
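
The exchange described in the comment above, as an added example (not code from the reporter, the MariaDB project or OpenSSL): parse the plain-text greeting, send the SSLRequest packet, then start TLS and return the certificate. Function names, the sample greeting bytes and the minimal capability flags are assumptions made for the illustration.

```python
import socket
import ssl
import struct

CLIENT_PROTOCOL_41 = 0x0200  # capability bit: 4.1+ protocol
CLIENT_SSL = 0x0800          # capability bit: TLS offered / requested
MIN_CAPS = CLIENT_SSL | CLIENT_PROTOCOL_41  # assumption: real clients send more

# Constructed sample "welcome" payload (not captured from a real server).
SAMPLE_GREETING = (b"\x0a10.4.0-sample\x00" + bytes(4) + b"saltsalt\x00"
                   + struct.pack("<HBHH", MIN_CAPS, 33, 2, 0) + bytes(11))

def parse_greeting(payload):
    """Parse the plain-text handshake v10 payload the server sends first."""
    if payload[0] != 10:              # 0xFF here would be an error packet
        raise ValueError("expected handshake v10, got 0x%02x" % payload[0])
    end = payload.index(b"\x00", 1)   # server version string is NUL-terminated
    pos = end + 1 + 4 + 8 + 1         # skip connection id, salt part 1, filler
    low, _charset, _status, high = struct.unpack_from("<HBHH", payload, pos)
    return {"version": payload[1:end].decode("ascii", "replace"),
            "tls_offered": bool((low | high << 16) & CLIENT_SSL)}

def build_ssl_request(seq=1):
    """Client's "please switch to SSL" packet: 4-byte header + 32-byte payload."""
    payload = struct.pack("<IIB23x", MIN_CAPS, 1 << 24, 33)
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-packet")
        buf += chunk
    return buf

def fetch_server_cert(host, port=3306, cafile=None):
    """Return the server certificate as PEM; verify the chain if cafile is given."""
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:                # retrieval only, nothing is validated
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as raw:
        header = recv_exact(raw, 4)   # 3-byte little-endian length + sequence id
        info = parse_greeting(recv_exact(raw, int.from_bytes(header[:3], "little")))
        if not info["tls_offered"]:
            raise RuntimeError("server does not advertise CLIENT_SSL")
        raw.sendall(build_ssl_request(seq=header[3] + 1))
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))
```

Calling fetch_server_cert with cafile set to the ca.pem from the report makes the handshake fail unless the chain and hostname validate; without it the certificate is only retrieved for inspection.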
