> From: owner-openssl-us...@openssl.org On Behalf Of Artur Slowik
> Sent: Tuesday, 28 December, 2010 08:31
> I work on fedora 13 with openssl 1.0.0.c and mysql server 5.1. I have a
> strange situation. When I create a certificate on the server and set up
> mysql to use this certificate, the mysql client on this host connects
> with ssl encryption correctly. From many other Fedora 13 hosts it also
> connects correctly, but from Debian and Windows XP mysql returns error
> 2026. If the certificates are generated on Debian with openssl 0.98 and
> here is the mysql server with ssl, Windows XP and other hosts
> communicate properly certified with mysql on
Did you issue certificate(s) for, and distribute to, the client(s)?
You don't mention it, but it is included in the 'normal' setup
in 5.5.6 of the MySQL 5.1 manual (at least the version I have).
> Where is the problem? Below is an ssldump of the server:
I assume this is a connection attempt to the Fedora server
from one of the clients that has a problem (Debian,Windows)?
> 1 1 0.0035 (0.0035) C>S V3.1(89) Handshake
> ClientHello <snip>
> 1 2 0.0149 (0.0114) S>C V3.1(74) Handshake
> ServerHello <snip:DHE-RSA-AES256CBC-SHA,nocompress>
> 1 3 0.0150 (0.0001) S>C V3.1(1797) Handshake
> Certificate [no data - did you snip?]
> 1 4 0.0150 (0.0000) S>C V3.1(397) Handshake
> ServerKeyExchange <snip: EDH>
> 1 5 0.0150 (0.0000) S>C V3.1(15) Handshake
> CertificateRequest <snip>
> 1 6 0.0188 (0.0037) C>S V3.1(70) Handshake
> ClientKeyExchange <snip: EDH>
> 1 7 0.0188 (0.0000) C>S V3.1(1) ChangeCipherSpec
> 1 8 0.0188 (0.0000) C>S V3.1(48) Handshake
[presumably encrypted Finished, not decoded]
> 1 9 0.0189 (0.0001) S>C V3.1(2) Alert
> level fatal
> value unexpected_message
> 1 0.0192 (0.0002) S>C TCP FIN
> 1 0.0194 (0.0002) C>S TCP FIN
This trace shows no client certificate (aka authentication).
Are your mysqld server(s), and mysql client(s), using OpenSSL
or yaSSL? The mysql doc says yaSSL is the default, and the
prebuilt Windows packages I get from mysql.com seem to use that,
at least there are no references to the OpenSSL DLLs,
but (some/all?) Linux packaging could well be different.
OpenSSL s_client, both 0.9.8 and 1.0.0, sends an empty
(but still present) client-Certificate for client auth
requested but not available, which is correct per RFC2246
(and warning41=no_certificate for SSL3, didn't check).
So this doesn't look like a client using OpenSSL unless
it's an option I don't see, or badly hacked up.
I can imagine, but can't easily test, that OpenSSL server
would reject such a missing client-Cert. According to my
limited testing (of Windows package) (this) yaSSL client
skips cli-Cert entirely and yaSSL server accepts this
(as unauth, so the app rejects if 'REQUIRE X509' is set).
If you are generating client cert&key on 1.0.0* and
trying to use it on client(s) using yaSSL, the problem
might possibly be that 1.0.0 'req' writes the privkey
file as PKCS#8 (generic) instead of algorithm-specific
(RSA, DSA, ECDSA) formats as in the past. OpenSSL 0.9.8
(client) can read both, but I don't know about yaSSL.
You might try using openssl 'rsa' to convert the client
keyfile to the old (PKCS#1 for RSA) format, similar to
the step shown in 'Example 2' to convert a keyfile
to unprotected (which is actually a silly sequence to do,
but it's their example, and not actually wrong).
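The trace above shows the sequencing problem the reply describes: the server sends CertificateRequest, the client goes straight to ClientKeyExchange without any Certificate message, and the server answers with a fatal unexpected_message alert. The following script is an added example (not part of the original thread or of OpenSSL, MySQL or yaSSL) that parses ssldump-style record lines and flags exactly that condition. The trace embedded in it is constructed to mirror the one quoted above, with the `<snip>` markers dropped; the column layout it expects is ssldump's.

```python
"""Check the handshake message sequence in an ssldump trace for client-auth problems."""
import re

# One ssldump record header: "<conn> [<rec>] <time> (<delta>) C>S|S>C [V3.1(len)] <type> [rest]"
RECORD_RE = re.compile(
    r"^\s*\d+(?:\s+\d+)?\s+[\d.]+\s+\([\d.]+\)\s+(?P<dir>[CS]>[CS])\s+"
    r"(?:V\d\.\d\(\d+\)\s+)?(?P<type>\w+)(?:\s+(?P<rest>.*))?$"
)

# Constructed sample in ssldump's output format, mirroring the trace quoted in the thread.
SAMPLE_TRACE = """\
1 1 0.0035 (0.0035) C>S V3.1(89) Handshake
      ClientHello
1 2 0.0149 (0.0114) S>C V3.1(74) Handshake
      ServerHello
1 3 0.0150 (0.0001) S>C V3.1(1797) Handshake
      Certificate
1 4 0.0150 (0.0000) S>C V3.1(397) Handshake
      ServerKeyExchange
1 5 0.0150 (0.0000) S>C V3.1(15) Handshake
      CertificateRequest
1 6 0.0188 (0.0037) C>S V3.1(70) Handshake
      ClientKeyExchange
1 7 0.0188 (0.0000) C>S V3.1(1) ChangeCipherSpec
1 8 0.0188 (0.0000) C>S V3.1(48) Handshake
1 9 0.0189 (0.0001) S>C V3.1(2) Alert
    level fatal
    value unexpected_message
1 0.0192 (0.0002) S>C TCP FIN
1 0.0194 (0.0002) C>S TCP FIN
"""


def parse_trace(text):
    """Return one dict per record: direction, record type, handshake message name, detail lines."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append({"dir": m["dir"], "type": m["type"], "rest": m["rest"],
                            "msg": None, "details": []})
        elif records and line.strip():
            # indented continuation lines (message name, alert level/value) belong to the record above
            records[-1]["details"].append(line.strip())
    for r in records:
        if r["type"] == "Handshake" and r["details"]:
            r["msg"] = r["details"][0].split()[0]   # e.g. "Certificate", "ClientKeyExchange"
    return records


def diagnose(records):
    """Flag client-certificate sequencing problems and report any alerts in the trace."""
    findings = []

    def first_index(direction, msg):
        return next((i for i, r in enumerate(records)
                     if r["dir"] == direction and r["msg"] == msg), None)

    requested = first_index("S>C", "CertificateRequest")
    client_cert = first_index("C>S", "Certificate")
    client_kex = first_index("C>S", "ClientKeyExchange")
    if requested is not None and client_cert is None:
        findings.append("server sent CertificateRequest but the client sent no Certificate message; "
                        "RFC 2246 7.4.6 requires an empty Certificate when the client has none")
    elif requested is not None and client_kex is not None and client_cert > client_kex:
        findings.append("client Certificate must precede ClientKeyExchange")
    for r in records:
        if r["type"] == "Alert":
            findings.append(f"{r['dir']} alert: " + ", ".join(r["details"]))
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_trace(SAMPLE_TRACE)):
        print("-", finding)
```

An undecoded Handshake record after ChangeCipherSpec (record 8 above) is left with `msg` of `None`; that is the encrypted Finished message and is not an error by itself. The check is deliberately about message order, which is visible in a trace even when the payloads are snipped or encrypted.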
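The PKCS#8 versus PKCS#1 point in the reply is easy to verify by looking at the key file itself: OpenSSL 1.0.0 writes `-----BEGIN PRIVATE KEY-----` (PKCS#8 PrivateKeyInfo, with an AlgorithmIdentifier naming rsaEncryption), while the older layout is `-----BEGIN RSA PRIVATE KEY-----` (PKCS#1 RSAPrivateKey, whose second element is the modulus). The script below is an added example, not code from the thread or from OpenSSL; it builds both layouts from toy textbook RSA numbers (constructed, not a usable key) with a minimal DER encoder, then classifies a PEM key by its DER structure rather than trusting the label, so a mislabelled file is caught too. The file names in the suggested `openssl rsa` command are placeholders.

```python
"""Tell PKCS#8 ('BEGIN PRIVATE KEY') from PKCS#1 ('BEGIN RSA PRIVATE KEY') by DER structure."""
import base64
import re

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


# --- minimal DER encoder, just enough to build the two key layouts ------------------
def der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + der_length(len(body)) + body


def der_int(value):
    # one extra byte when the top bit is set, so the INTEGER stays positive
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def rsa_private_key_pkcs1(n, e, d, p, q):
    """RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv } (PKCS#1)."""
    fields = [0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    return der(0x30, b"".join(der_int(v) for v in fields))


def wrap_pkcs8(pkcs1_der):
    """PrivateKeyInfo ::= SEQUENCE { version, AlgorithmIdentifier, OCTET STRING key } (PKCS#8)."""
    alg_id = der(0x30, der(0x06, RSA_ENCRYPTION_OID) + der(0x05, b""))
    return der(0x30, der_int(0) + alg_id + der(0x04, pkcs1_der))


def to_pem(label, der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# --- minimal DER reader ---------------------------------------------------------------
def read_tlv(buf, pos=0):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def key_format(pem_text):
    """Classify a PEM private key by structure; 'label_matches' is False when the header lies."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body:
        return {"label": label, "structure": "encrypted", "algorithm": None, "label_matches": True}
    tag, seq, _ = read_tlv(base64.b64decode("".join(body.split())))
    if tag != 0x30:
        raise ValueError("private key is not a DER SEQUENCE")
    _, _, pos = read_tlv(seq)              # INTEGER version, present in both layouts
    second_tag, second, _ = read_tlv(seq, pos)
    if second_tag == 0x30:                 # AlgorithmIdentifier follows: PKCS#8
        _, oid, _ = read_tlv(second)
        algorithm = "rsaEncryption" if oid == RSA_ENCRYPTION_OID else f"OID {oid.hex()}"
        structure, expected = "PKCS#8", "PRIVATE KEY"
    elif second_tag == 0x02:               # INTEGER n follows: PKCS#1 RSAPrivateKey
        algorithm, structure, expected = "rsaEncryption", "PKCS#1", "RSA PRIVATE KEY"
    else:
        raise ValueError(f"unexpected second element tag 0x{second_tag:02x}")
    return {"label": label, "structure": structure, "algorithm": algorithm,
            "label_matches": label == expected}


def conversion_hint(info):
    """The 'openssl rsa' rewrite the reply suggests, for PKCS#8 RSA keys only (placeholder names)."""
    if info["structure"] == "PKCS#8" and info["algorithm"] == "rsaEncryption":
        return "openssl rsa -in client-key.pem -out client-key-pkcs1.pem"
    return None


# Constructed toy parameters (textbook RSA numbers, NOT a usable key) so the demo runs offline.
TOY_PKCS1 = rsa_private_key_pkcs1(n=3233, e=17, d=2753, p=61, q=53)
PEM_PKCS1 = to_pem("RSA PRIVATE KEY", TOY_PKCS1)
PEM_PKCS8 = to_pem("PRIVATE KEY", wrap_pkcs8(TOY_PKCS1))

if __name__ == "__main__":
    for pem in (PEM_PKCS1, PEM_PKCS8):
        info = key_format(pem)
        print(info, "->", conversion_hint(info))
```

Running `key_format` on a real key file read from disk works the same way, since only the outer two DER elements are inspected; the OCTET STRING inside a PKCS#8 wrapper is the PKCS#1 structure, which is what `openssl rsa` unwraps.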