I recently applied updates to a CentOS 5 box running MySQL. I've discovered that the new version of openssl, 0.9.8e-36.0.1.el5_11, breaks MySQL SSL connections.
If I rename /lib/libssl.so.0.9.8e and replace it with the old version of that file from openssl-0.9.8e-27.el5_10.1 (not sure if that is the next oldest, but it was handy), then SSL connection to MySQL works again.
I then performed cross-checks using the server with new libssl and the client with old, and then vice versa. What I found was that it didn't matter whether the server was started with the old libssl or the new libssl. In both cases, the mysql client would only connect using the old libssl, and not when using the new libssl.
When it works with the old libssl, I can confirm that SSL is in use:
mysql> \s
--------------
mysql  Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (i386) using readline 5.1

Connection id:          2
Current database:
Current user:           root@localhost
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
The error with the new libssl looks like this:
[root@hostname ~]# mysql
ERROR 2026 (HY000): SSL connection error
Has anyone else come across this? Is it a bug in SSL? Or a new restriction? Do I need to regenerate my certificates using the new openssl?
Cheers Tony
On 08/17/2015 10:57 AM, Tony Mountifield wrote:
You should now be using mysql55 on CentOS-5, not mysql-5.0
On 08/17/2015 11:19 AM, Johnny Hughes wrote:
On 08/17/2015 10:57 AM, Tony Mountifield wrote:
You should now be using mysql55 on CentOS-5, not mysql-5.0
In case you did not understand my post, here is how one is supposed to move from mysql-5.0 to mysql55 and why:
https://rhn.redhat.com/errata/RHEA-2013-1329.html
https://rhn.redhat.com/errata/RHEA-2013-1330.html
Thanks, Johnny Hughes
In article 55D2174F.70509@centos.org, Johnny Hughes johnny@centos.org wrote:
On 08/17/2015 11:19 AM, Johnny Hughes wrote:
On 08/17/2015 10:57 AM, Tony Mountifield wrote:
You should now be using mysql55 on CentOS-5, not mysql-5.0
In case you did not understand my post, here is how one is supposed to move from mysql-5.0 to mysql55 and why:
Thanks. I eventually found the more specific link at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/htm...
However, the only "why" I could find was "Red Hat will not issue any more security advisories for the MySQL 5.0 packages (mysql-5.0.* and related packages). Security advisories will be provided only for MySQL 5.5." Nothing to indicate that anything in 5.0 is inherently broken. Are there any more specific reasons? It appears to be working fine.
And is the same true for C6, which comes with mysql 5.1, that one should use mysql55 from SCL instead? Why, or why not?
Cheers Tony
On 08/18/2015 03:47 AM, Tony Mountifield wrote:
In article 55D2174F.70509@centos.org, Johnny Hughes johnny@centos.org wrote:
On 08/17/2015 11:19 AM, Johnny Hughes wrote:
On 08/17/2015 10:57 AM, Tony Mountifield wrote:
You should now be using mysql55 on CentOS-5, not mysql-5.0
In case you did not understand my post, here is how one is supposed to move from mysql-5.0 to mysql55 and why:
Thanks. I eventually found the more specific link at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/htm...
However, the only "why" I could find was "Red Hat will not issue any more security advisories for the MySQL 5.0 packages (mysql-5.0.* and related packages). Security advisories will be provided only for MySQL 5.5." Nothing to indicate that anything in 5.0 is inherently broken. Are there any more specific reasons? It appears to be working fine.
Working fine is NOT secure. They have not issued any security update for MySQL 5.0 since mid-2013, and since then there have been 4 security issues fixed in EL5 (1 Important, 3 Moderate) in the mysql55 updates.
And is the same true for C6, which comes with mysql 5.1, that one should use mysql55 from SCL instead? Why, or why not?
No, I would use the version of mysql that is supported in the distro. For EL5, the supported version is the mysql55. For EL6 it is the mysql-5.1 version.
In article 55D20981.7030902@centos.org, Johnny Hughes johnny@centos.org wrote:
On 08/17/2015 10:57 AM, Tony Mountifield wrote:
You should now be using mysql55 on CentOS-5, not mysql-5.0
That may well be the case, but isn't relevant to the point I'm making, which is that something changed in openssl-0.9.8e-36 that has broken something.
Cheers Tony
On 8/18/2015 1:27 AM, Tony Mountifield wrote:
You should now be using mysql55 on CentOS-5, not mysql-5.0
That may well be the case, but isn't relevant to the point I'm making, which is that something changed in openssl-0.9.8e-36 that has broken something.
mysql 5.0 and openssl 0.9.8 are both ancient and way past their expiration date.
In article 55D2ED32.6040000@hogranch.com, John R Pierce pierce@hogranch.com wrote:
On 8/18/2015 1:27 AM, Tony Mountifield wrote:
You should now be using mysql55 on CentOS-5, not mysql-5.0
That may well be the case, but isn't relevant to the point I'm making, which is that something changed in openssl-0.9.8e-36 that has broken something.
mysql 5.0 and openssl 0.9.8 are both ancient and way past their expiration date.
Maybe so, but still a side issue. Openssl 0.9.8e was recently updated. Some change in this update has broken something. I would like to understand what, and so ought the package maintainers. C5 isn't EOL until March 2017.
Cheers Tony
On 18.08.2015 at 10:55, tony@softins.co.uk (Tony Mountifield) wrote:
In article 55D2ED32.6040000@hogranch.com, John R Pierce pierce@hogranch.com wrote:
On 8/18/2015 1:27 AM, Tony Mountifield wrote:
That may well be the case, but isn't relevant to the point I'm making, which is that something changed in openssl-0.9.8e-36 that has broken something.
mysql 5.0 and openssl 0.9.8 are both ancient and way past their expiration date.
Maybe so, but still a side issue. Openssl 0.9.8e was recently updated. Some change in this update has broken something. I would like to understand what, and so ought the package maintainers. C5 isn't EOL until March 2017.
Important in this case is that a different combination of software packages, one that is not in the scenario of upstream's philosophy, is not supported and can lead to unexpected behavior. As always recommended by any advisory: "Before applying this update, make sure all previously released errata relevant to your system have been applied."
Why EL5 is on MySQL 5.5 and EL6 on MySQL 5.1 is a different question (only upstream can answer that). I recommend updating your (client and server) systems to the current supported state (5.11) with all relevant updates applied. This includes the mentioned migration to mysql55-mysql. Our EL5 setup/service passed this migration seamlessly. And then check your problem in this new environment ...
-- LF
Maybe so, but still a side issue. Openssl 0.9.8e was recently updated. Some change in this update has broken something. I would like to understand what, and so ought the package maintainers. C5 isn't EOL until March 2017.
rpm -q --changelog openssl-0.9.8e. You weren't clear which version you upgraded from, but you mentioned testing against openssl-0.9.8e-27.el5_10.1 (from March 2014, nevertheless), which works.
I would hazard a guess that this is the change causing your problem.
* Fri Jun 26 2015 Tomas Mraz <tmraz@redhat.com> 0.9.8e-36
- also change the default DH parameters in s_server to 1024 bits
Here's some more info,
https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
RH must have backported this fix to 0.9.8e.
There seem to be many reports out there that the openssl update broke mysql, but unfortunately, at a quick glance, they are all about RHEL6/openssl 1.0.1, so you're most likely on your own. I'm quite ignorant of mysql, but it looks like you may be able to get this to work again by changing the cipher in mysql and regenerating your cert.
https://www.howtoforge.com/how-to-set-up-mysql-database-replication-with-ssl...
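As an added illustration (example code, not from the thread, OpenSSL or MySQL): the Logjam mitigation pointed to above is a check the TLS client makes on the Diffie-Hellman group the server offers, which is consistent with the earlier observation that only the client's libssl mattered. The script parses the ServerDHParams structure of a TLS ServerKeyExchange message and applies a minimum modulus size. Assumptions: the 1024-bit floor is taken from the linked OpenSSL post, the sample moduli are constructed to have the right size and are not real primes, and uses_ephemeral_dh is a hypothetical helper that shows why switching MySQL to a non-DHE cipher suite sidesteps the check.

```python
"""Client-side minimum-size check on DHE parameters (added example)."""
import struct

# Assumed floor, per the Logjam write-up linked in the thread.
MIN_DH_BITS = 1024


class WeakDHError(ValueError):
    """Raised when the server's DH modulus is below the policy minimum."""


def _read_opaque16(buf: bytes, pos: int):
    """Read a TLS opaque<1..2^16-1> vector: 2-byte big-endian length, then body."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if length == 0 or pos + length > len(buf):
        raise ValueError("truncated vector body")
    return buf[pos:pos + length], pos + length


def parse_server_dh_params(body: bytes) -> dict:
    """Parse ServerDHParams { dh_p, dh_g, dh_Ys } (RFC 5246 section 7.4.3)."""
    dh_p, pos = _read_opaque16(body, 0)
    dh_g, pos = _read_opaque16(body, pos)
    dh_ys, pos = _read_opaque16(body, pos)
    p = int.from_bytes(dh_p, "big")
    return {
        "p": p,
        "g": int.from_bytes(dh_g, "big"),
        "ys": int.from_bytes(dh_ys, "big"),
        "p_bits": p.bit_length(),
        "trailing": body[pos:],  # signature etc.; not parsed here
    }


def dh_size_bytes(p: int) -> int:
    """Bytes needed to hold p; mirrors what a DH_size()-style check looks at."""
    return (p.bit_length() + 7) // 8


def check_dh_params(body: bytes, min_bits: int = MIN_DH_BITS) -> dict:
    """Parse the message and reject groups smaller than min_bits."""
    params = parse_server_dh_params(body)
    if dh_size_bytes(params["p"]) < min_bits // 8:
        raise WeakDHError(
            f"DH key too small: {params['p_bits']} bits < {min_bits}")
    return params


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Wire-encode ServerDHParams; used to build the constructed samples."""
    out = b""
    for v in (p, g, ys):
        b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
        out += struct.pack(">H", len(b)) + b
    return out


def uses_ephemeral_dh(cipher_name: str) -> bool:
    """Hypothetical helper: does this OpenSSL cipher name use DHE/EDH?"""
    return cipher_name.startswith(("DHE-", "EDH-", "ADH-"))


# Constructed sample values (NOT real primes, only the right bit lengths):
# a 512-bit modulus of the size an old server offers, and a 2048-bit one.
SMALL_P = (1 << 511) | 0x1234567
LARGE_P = (1 << 2047) | 0x1234567
SAMPLE_G = 2
SAMPLE_YS = 0xABCDEF


def classify(p: int) -> str:
    """Return 'accepted' or 'rejected' for a server offering modulus p."""
    body = encode_server_dh_params(p, SAMPLE_G, SAMPLE_YS)
    try:
        check_dh_params(body)
        return "accepted"
    except WeakDHError:
        return "rejected"


if __name__ == "__main__":
    for name, p in (("512-bit", SMALL_P), ("2048-bit", LARGE_P)):
        print(f"{name} DH modulus: {classify(p)}")
    print("DHE-RSA-AES256-SHA needs DH params:", uses_ephemeral_dh("DHE-RSA-AES256-SHA"))
    print("AES128-SHA needs DH params:", uses_ephemeral_dh("AES128-SHA"))
```

The cipher change suggested above works because a non-DHE suite such as AES128-SHA never sends ServerDHParams, so there is nothing for the client to reject; the cost is losing forward secrecy. Offering a group of at least 2048 bits on the server side keeps DHE and passes the check, and that is the direction the OpenSSL post recommends.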
On 18.08.2015 at 11:27, lhecking@users.sourceforge.net wrote:
There seem to be many reports out there that the openssl update broke mysql, but unfortunately, at a quick glance, they are all about RHEL6/openssl 1.0.1, so you're most likely on your own. I'm quite ignorant of mysql, but it looks like you may be able to get this to work again by changing the cipher in mysql and regenerating your cert.
https://www.howtoforge.com/how-to-set-up-mysql-database-replication-with-ssl...
http://lists.centos.org/pipermail/centos/2015-July/153753.html
-- LF
On 08/18/2015 02:32 AM, Leon Fauster wrote:
On 18.08.2015 at 11:27, lhecking@users.sourceforge.net wrote:
- Fri Jun 26 2015 Tomas Mraz tmraz@redhat.com 0.9.8e-36
- also change the default DH parameters in s_server to 1024 bits
That makes sense, and the issue is logjam vulnerability with DH cipher groups < 1024 bit.
In article 013173C7-6AEC-4C2D-9EB7-84C873C89028@googlemail.com, Leon Fauster leonfauster@googlemail.com wrote:
On 18.08.2015 at 11:27, lhecking@users.sourceforge.net wrote:
There seem to be many reports out there that the openssl update broke mysql, but unfortunately, at a quick glance, they are all about RHEL6/openssl 1.0.1, so you're most likely on your own. I'm quite ignorant of mysql, but it looks like you may be able to get this to work again by changing the cipher in mysql and regenerating your cert.
https://www.howtoforge.com/how-to-set-up-mysql-database-replication-with-ssl...
http://lists.centos.org/pipermail/centos/2015-July/153753.html
Cool - that looks like the answer. Just tried it successfully.
Many thanks!
Tony
In article 20150818092704.GA13601@users.sourceforge.net, lhecking@users.sourceforge.net wrote:
There seem to be many reports out there that the openssl update broke mysql, but unfortunately, at a quick glance, they are all about RHEL6/openssl 1.0.1, so you're most likely on your own. I'm quite ignorant of mysql, but it looks like you may be able to get this to work again by changing the cipher in mysql and regenerating your cert.
https://www.howtoforge.com/how-to-set-up-mysql-database-replication-with-ssl...
Interesting... many thanks for the pointers! Something for me to experiment with...
Cheers Tony