[CentOS] C5 recent openssl update breaks mysql SSL connection

Tue Aug 18 13:40:44 UTC 2015
Johnny Hughes <johnny at centos.org>

On 08/18/2015 03:47 AM, Tony Mountifield wrote:
> In article <55D2174F.70509 at centos.org>,
> Johnny Hughes <johnny at centos.org> wrote:
>> On 08/17/2015 11:19 AM, Johnny Hughes wrote:
>>> On 08/17/2015 10:57 AM, Tony Mountifield wrote:
>>>> I recently applied updates to a CentOS 5 box running MySQL. I've discovered
>>>> that the new version of openssl, 0.9.8e-36.0.1.el5_11, breaks MySQL SSL
>>>> connections.
>>>>
>>>> If I rename /lib/libssl.so.0.9.8e and replace it with the old version of
>>>> that file from openssl-0.9.8e-27.el5_10.1 (not sure if that is the next
>>>> oldest, but it was handy), then SSL connection to MySQL works again.
>>>>
>>>> I then performed cross-checks using the server with new libssl and the
>>>> client with old, and then vice versa. What I found was that it didn't
>>>> matter whether the server was started with the old libssl or the new libssl.
>>>> In both cases, the mysql client would only connect using the old libssl,
>>>> and not when using the new libssl.
>>>>
>>>> When it works with the old libssl, I can confirm that SSL is in use:
>>>>
>>>> mysql> \s
>>>> --------------
>>>> mysql  Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (i386) using readline 5.1
>>>>
>>>> Connection id:          2
>>>> Current database:
>>>> Current user:           root at localhost
>>>> SSL:                    Cipher in use is DHE-RSA-AES256-SHA
>>>>
>>>> The error with the new libssl looks like this:
>>>>
>>>> [root at hostname ~]# mysql
>>>> ERROR 2026 (HY000): SSL connection error
>>>>
>>>> Has anyone else come across this? Is it a bug in SSL? Or a new restriction?
>>>> Do I need to regenerate my certificates using the new openssl?
>>>>
>>>> Cheers
>>>> Tony
>>>>
>>>
>>> You should now be using mysql55 on CentOS-5, not mysql-5.0
>>
>> In case you did not understand my post, here is how one is supposed to
>> move from mysql-5.0 to mysql55 and why:
>>
>> https://rhn.redhat.com/errata/RHEA-2013-1329.html
>>
>> https://rhn.redhat.com/errata/RHEA-2013-1330.html
> 
> Thanks. I eventually found the more specific link at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/ch-Migrating_from_MySQL_5.0_to_MySQL_5.5.html
> 
> However, the only "why" I could find was "Red Hat will not issue any more
> security advisories for the MySQL 5.0 packages (mysql-5.0.* and related
> packages). Security advisories will be provided only for MySQL 5.5."
> Nothing to indicate that anything in 5.0 is inherently broken. Are there
> any more specific reasons? It appears to be working fine.
> 

Working fine is NOT secure. They have not issued any security update for
MySQL 5.0 since mid-2013, and since then there have been 4 security issues
fixed in EL5 (1 Important, 3 Moderate) in the mysql55 updates.

> And is the same true for C6, which comes with mysql 5.1, that one should
> use mysql55 from SCL instead? Why, or why not?
> 

No, I would use the version of mysql that is supported in the distro.
For EL5, the supported version is mysql55. For EL6 it is the
mysql-5.1 version.
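A post-update check in the spirit of Tony's cross-checks, added here as an example and not code from the thread: it classifies one mysql client connection attempt from the client's own output, distinguishing "SSL negotiated", "connected in plaintext" (the case a check after an openssl update must not miss) and "client error" such as the ERROR 2026 quoted above. The sample outputs are constructed from the status block in the thread; `check_live` assumes a `mysql` client with credentials in `~/.my.cnf`.

```sh
#!/bin/sh
# Added example, not from the list thread. Reads the mysql client's combined
# stdout/stderr from stdin and prints one of:
#   ssl:<cipher>   connected and SSL negotiated (cipher name from "\s")
#   plaintext      connected, but no SSL cipher in use
#   error:<code>   client failed, e.g. error:2026 for "SSL connection error"
# Exit status: 0 for ssl, 1 for plaintext, 2 for a client error.
mysql_ssl_state() {
    out=$(cat)
    # "ERROR 2026 (HY000): SSL connection error" -> 2026
    code=$(printf '%s\n' "$out" | sed -n 's/^ERROR \([0-9][0-9]*\) (.*/\1/p' | head -n 1)
    if [ -n "$code" ]; then
        printf 'error:%s\n' "$code"
        return 2
    fi
    # "SSL:   Cipher in use is DHE-RSA-AES256-SHA" -> DHE-RSA-AES256-SHA
    cipher=$(printf '%s\n' "$out" \
        | sed -n 's/^SSL:[[:space:]]*Cipher in use is[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        | head -n 1)
    if [ -n "$cipher" ]; then
        printf 'ssl:%s\n' "$cipher"
        return 0
    fi
    printf 'plaintext\n'
    return 1
}

# Constructed sample outputs, modelled on the status block quoted in the thread.
STATUS_SSL='mysql  Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (i386) using readline 5.1

Connection id:          2
Current database:
Current user:           root@localhost
SSL:                    Cipher in use is DHE-RSA-AES256-SHA'

STATUS_PLAIN='Connection id:          3
Current user:           root@localhost
SSL:                    Not in use'

STATUS_ERROR='ERROR 2026 (HY000): SSL connection error'

# Live use on a host (assumes a mysql client and credentials in ~/.my.cnf):
# "status" is the long form of the "\s" client command.
check_live() {
    mysql -e status 2>&1 | mysql_ssl_state
}
```

Run `check_live` on each host before and after the openssl update; anything other than an `ssl:` line means the connection is either failing or not encrypted.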
