> From: owner-openssl-us...@openssl.org On Behalf Of Artur Slowik
> Sent: Tuesday, 28 December, 2010 08:31

> Hello
> I work on fedora 13 with openssl 1.0.0.c and mysql server 5.1. I have a
> strange situation. When I create a certificate on the server and set up
> mysql to use this certificate, the mysql client on this host connects
> with ssl encryption correctly. From many other Fedora 13 hosts it also
> works correctly, but from Debian and Windows XP mysql returns error 2026.
> If the certificates are generated on Debian with openssl 0.98 and mysql
> server with ssl is there, Windows XP and the other hosts communicate
> properly, certified, with mysql on Debian.

Did you issue certificate(s) for, and distribute to, the client(s)?
You don't mention it, but it is included in the 'normal' setup in
5.5.6 of the MySQL 5.1 manual (at least the version I have).

> Where is the problem? Below is an ssldump of the server:
>
I assume this is a connection attempt to the Fedora server from
one of the clients that has a problem (Debian, Windows)?

> 1 1  0.0035 (0.0035)  C>S  V3.1(89)    Handshake
>       ClientHello <snip>
> 1 2  0.0149 (0.0114)  S>C  V3.1(74)    Handshake
>       ServerHello <snip:DHE-RSA-AES256CBC-SHA,nocompress>
> 1 3  0.0150 (0.0001)  S>C  V3.1(1797)  Handshake
>       Certificate [no data - did you snip?]
> 1 4  0.0150 (0.0000)  S>C  V3.1(397)   Handshake
>       ServerKeyExchange <snip: EDH>
> 1 5  0.0150 (0.0000)  S>C  V3.1(15)    Handshake
>       CertificateRequest <snip>
>       ServerHelloDone
> 1 6  0.0188 (0.0037)  C>S  V3.1(70)    Handshake
>       ClientKeyExchange <snip: EDH>
> 1 7  0.0188 (0.0000)  C>S  V3.1(1)     ChangeCipherSpec
> 1 8  0.0188 (0.0000)  C>S  V3.1(48)    Handshake [presumably encrypted Finished, not decoded]
> 1 9  0.0189 (0.0001)  S>C  V3.1(2)     Alert
>       level   fatal
>       value   unexpected_message
> 1    0.0192 (0.0002)  S>C  TCP FIN
> 1    0.0194 (0.0002)  C>S  TCP FIN
>
This trace shows no client certificate (aka authentication).

Are your mysqld server(s), and mysql client(s), using OpenSSL or yaSSL?
The mysql doc says yaSSL is the default, and the prebuilt Windows packages
I get from mysql.com seem to use that, at least there are no references to
the OpenSSL DLLs, but (some/all?) Linux packaging could well be different.

OpenSSL s_client, both 0.9.8 and 1.0.0, sends an empty (but still present)
client Certificate for client auth requested but not available, which is
correct per RFC2246 (and warning 41=no_certificate for SSL3, didn't check).
So this doesn't look like a client using OpenSSL unless it's an option I
don't see, or badly hacked up. I can imagine, but can't easily test, that
an OpenSSL server would reject such a missing client Cert.

According to my limited testing (of the Windows package) (this) yaSSL client
skips the client Cert entirely and the yaSSL server accepts this (as unauth,
so the app rejects if 'REQUIRE X509' is set).

If you are generating client cert&key on 1.0.0* and trying to use it on
client(s) using yaSSL, the problem might possibly be that 1.0.0 'req' writes
the privkey file as PKCS#8 (generic) instead of the algorithm-specific (RSA,
DSA, ECDSA) formats as in the past. OpenSSL 0.9.8 (client) can read both,
but I don't know about yaSSL. You might try using openssl 'rsa' to convert
the client keyfile to the old (PKCS#1 for RSA) format, similar to the step
shown in 'Example 2' to convert a keyfile to unprotected (which is actually
a silly sequence to do, but it's their example, and not actually wrong).

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
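The key-format check and conversion suggested in the last paragraph, as an added example that is not part of the thread or of OpenSSL's own tooling: it classifies a PEM key file by its BEGIN line (the generic PKCS#8 "PRIVATE KEY" that 1.0.0 'req' writes versus the algorithm-specific "RSA PRIVATE KEY"), and rewrites a plain PKCS#8 RSA key in the traditional form with 'openssl rsa'. It assumes a POSIX shell and, for the conversion only, an openssl binary on PATH; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Tell the two PEM private-key
# encodings apart and convert the PKCS#8 form back to PKCS#1 for clients
# (such as the yaSSL build discussed above) that only read the old form.

# Print the encoding of the PEM key in file $1, judged by its first BEGIN line:
#   pkcs8        "-----BEGIN PRIVATE KEY-----"            (generic, 1.0.0 default)
#   pkcs8-enc    "-----BEGIN ENCRYPTED PRIVATE KEY-----"  (generic, passphrase)
#   traditional  "-----BEGIN RSA|DSA|EC PRIVATE KEY-----" (algorithm-specific)
#   unknown      anything else (a certificate, a DER file, ...)
key_format() {
    header=$(sed -n '/^-----BEGIN /{p;q;}' "$1")
    case "$header" in
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-enc ;;
        '-----BEGIN RSA PRIVATE KEY-----' | \
        '-----BEGIN DSA PRIVATE KEY-----' | \
        '-----BEGIN EC PRIVATE KEY-----')        echo traditional ;;
        *)                                       echo unknown ;;
    esac
}

# Convert the unencrypted PKCS#8 RSA key $1 into PKCS#1 form at $2.
# 'openssl rsa' reads either form; on 1.0.0 it writes PKCS#1 by default
# (on OpenSSL 3.x add -traditional to get the same output).
# Returns 0 on success, 1 if $1 is not a plain PKCS#8 key or openssl fails.
to_traditional() {
    [ "$(key_format "$1")" = pkcs8 ] || return 1
    openssl rsa -in "$1" -out "$2" >/dev/null 2>&1 || return 1
    [ "$(key_format "$2")" = traditional ]
}

# Demo on constructed files: the base64 body is a placeholder, not a real key,
# so only key_format is exercised here; to_traditional needs a genuine keyfile.
demo() {
    d=$(mktemp -d) || return 1
    printf -- '-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n' > "$d/new.pem"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n' > "$d/old.pem"
    printf '%s: %s\n' new.pem "$(key_format "$d/new.pem")" old.pem "$(key_format "$d/old.pem")"
    rm -rf "$d"
}
```

Run `key_format client-key.pem` against the keyfile shipped to the failing client; if it prints `pkcs8`, `to_traditional client-key.pem client-key-pkcs1.pem` produces the form to try instead.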