[MDEV-30270] ssl_cipher on Non-SSL system results in confusing SSL error
Created: 2022-12-19  Updated: 2023-11-28

Status: Open
Project: MariaDB Server
Component/s: None
Affects Version/s: 10.5.18
Fix Version/s: 10.4, 10.5, 10.6, 10.11

Type: Bug
Priority: Major
Reporter: Alvar Penning
Assignee: Vladislav Vaintroub
Resolution: Unresolved
Votes: 0
Labels: None
Environment: Debian 11 with mariadb-server-10.5:amd64 10.5.18-0+deb11u1

Issue Links:
Duplicate: is duplicated by MDEV-30092 "SSL Error after Update" (Closed)
Problem/Incident: is caused by MDEV-29811 "server advertises ssl even if it's un..." (Closed)

Description

After updating MariaDB on Debian 11 (bullseye) from 10.5.15-0+deb11u1 to 10.5.18-0+deb11u1, mariadbd fails to start.

systemd[1]: Starting MariaDB 10.5.18 database server...
mariadbd[878985]: 2022-12-19  9:50:18 0 [Note] Using unique option prefix 'key_buffer' is error-prone and can break in>
mariadbd[878985]: 2022-12-19  9:50:18 0 [Note] /usr/sbin/mariadbd (mysqld 10.5.18-MariaDB-0+deb11u1) starting as proce>
mariadbd[878985]: 2022-12-19  9:50:18 0 [Warning] Could not increase number of max_open_files to more than 32768 (requ>
mariadbd[878985]: 2022-12-19  9:50:18 0 [Warning] The parameter innodb_buffer_pool_instances is deprecated and has no >
mariadbd[878985]: 2022-12-19  9:50:18 0 [Note] InnoDB: Uses event mutexes
mariadbd[878985]: 2022-12-19  9:50:18 0 [Note] InnoDB: Compressed tables use zlib 1.2.11
mariadbd[878985]: 2022-12-19  9:50:18 0 [Note] InnoDB: Number of pools: 1
mariadbd[878985]: 2022-12-19  9:50:18 0 [Note] InnoDB: Using crc32 + pclmulqdq instructions
mariadbd[878985]: 2022-12-19  9:50:18 0 [Note] InnoDB: Using Linux native AIO
mariadbd[878985]: 2022-12-19  9:50:18 0 [Note] InnoDB: Initializing buffer pool, total size = 536870912, chunk size = >
mariadbd[878985]: 2022-12-19  9:50:18 0 [Note] InnoDB: Completed initialization of buffer pool
mariadbd[878985]: 2022-12-19  9:50:18 0 [Note] InnoDB: 128 rollback segments are active.
mariadbd[878985]: 2022-12-19  9:50:18 0 [Note] InnoDB: Creating shared tablespace for temporary tables
mariadbd[878985]: 2022-12-19  9:50:18 0 [Note] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the f>
mariadbd[878985]: 2022-12-19  9:50:18 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
mariadbd[878985]: 2022-12-19  9:50:18 0 [Note] InnoDB: 10.5.18 started; log sequence number 94260354360; transaction i>
mariadbd[878985]: 2022-12-19  9:50:18 0 [Note] InnoDB: Loading buffer pool(s) from /var/lib/mysql/ib_buffer_pool
mariadbd[878985]: 2022-12-19  9:50:18 0 [Note] Plugin 'FEEDBACK' is disabled.
mariadbd[878985]: SSL error: Private key does not match the certificate public key
mariadbd[878985]: 2022-12-19  9:50:18 0 [ERROR] Failed to setup SSL
mariadbd[878985]: 2022-12-19  9:50:18 0 [ERROR] SSL error: Private key does not match the certificate public key
mariadbd[878985]: 2022-12-19  9:50:18 0 [ERROR] Aborting
systemd[1]: mariadb.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: mariadb.service: Failed with result 'exit-code'.
systemd[1]: Failed to start MariaDB 10.5.18 database server.

The final error "SSL error: Private key does not match the certificate public key" came as a surprise, as there was no SSL configured for MariaDB.

After some investigation we were able to pin down the error to one of our custom configurations, setting a `ssl_cipher` value. However, no other SSL options were configured.
As documented, `ssl_cipher` implies `ssl`[0], but nevertheless the error message is very misleading.

Furthermore, I am not sure if this is a Debian-specific or generic error.

Thanks for all your work!

[0] https://mariadb.com/kb/en/ssltls-system-variables/#ssl_cipher
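
An added example, not part of the original report or MariaDB's own code: a pre-upgrade check that scans option-file text for the situation described above, `ssl_cipher` set in a server group without `ssl_cert` and `ssl_key`. The group-name list, function names and sample configs are assumptions constructed for illustration; `!include` directives and abbreviated option prefixes are not followed.

```python
import re

# Groups the server reads (assumption: default names, no --defaults-group-suffix).
SERVER_GROUPS = re.compile(r"^(mysqld|mariadbd?|server|client-server)(-\d+\.\d+)?$")

def normalize(name):
    """Option names accept '-' or '_' and an optional 'loose-' prefix."""
    name = name.strip().lower().replace("-", "_")
    return name[len("loose_"):] if name.startswith("loose_") else name

def server_ssl_options(text):
    """Return {option: value} for ssl* options set in server groups of one file."""
    opts, in_server = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":   # comments and !include directives
            continue
        if line.startswith("[") and line.endswith("]"):
            in_server = bool(SERVER_GROUPS.match(line[1:-1].strip().lower()))
            continue
        if in_server:
            key, _, value = line.partition("=")
            key = normalize(key)
            if key == "ssl" or key.startswith("ssl_"):
                opts[key] = value.strip().strip("'\"")
    return opts

def implicit_tls_findings(text):
    """Flag ssl_cipher (which implies ssl) when ssl_cert or ssl_key is missing."""
    opts = server_ssl_options(text)
    if "ssl_cipher" not in opts:
        return []
    missing = [o for o in ("ssl_cert", "ssl_key") if not opts.get(o)]
    return [f"ssl_cipher={opts['ssl_cipher']} implies ssl, but {m} is not set"
            for m in missing]

# Constructed sample option files, not taken from the report.
BROKEN = "[mysqld]\nkey_buffer = 16M\nssl-cipher = ECDHE-RSA-AES256-GCM-SHA384\n"
COMPLETE = ("[mariadb]\nssl_cipher = ECDHE-RSA-AES256-GCM-SHA384\n"
            "ssl_cert = /etc/mysql/tls/server-cert.pem\n"
            "ssl_key = /etc/mysql/tls/server-key.pem\n")

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("complete", COMPLETE)):
        print(name, implicit_tls_findings(text) or "ok")
```

Running it against each file under the server's option directories before a package upgrade surfaces a stray `ssl_cipher` line ahead of a failed start.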

