> From: owner-openssl-us...@openssl.org On Behalf Of Artur Slowik
> Sent: Tuesday, 28 December, 2010 08:31

> Hello
> I work on Fedora 13 with openssl 1.0.0.c and mysql server 5.1. I have a
> strange situation. When I create a certificate on the server and set up mysql
> to use this certificate, the mysql client on this host connects with ssl
> encryption correctly. From many other Fedora 13 hosts it also connects
> correctly, but from Debian and Windows XP MySQL returns error 2026. If
> certificates are generated on Debian with openssl 0.98 and the mysql server
> with ssl is there, Windows XP and other hosts communicate properly,
> certified, with mysql on Debian.

Did you issue certificate(s) for, and distribute to, the client(s)?
You don't mention it, but it is included in the 'normal' setup 
in 5.5.6 of the MySQL 5.1 manual (at least the version I have).

> Where is the problem? Below ssldump of server:

I assume this is a connection attempt to the Fedora server 
from one of the clients that has a problem (Debian, Windows)?

> 1 1  0.0035 (0.0035)  C>S V3.1(89)  Handshake
>       ClientHello <snip>
> 1 2  0.0149 (0.0114)  S>C V3.1(74)  Handshake
>       ServerHello <snip:DHE-RSA-AES256CBC-SHA,nocompress>
> 1 3  0.0150 (0.0001)  S>C V3.1(1797)  Handshake
>       Certificate [no data - did you snip?]
> 1 4  0.0150 (0.0000)  S>C V3.1(397)  Handshake
>       ServerKeyExchange <snip: EDH>
> 1 5  0.0150 (0.0000)  S>C V3.1(15)  Handshake
>       CertificateRequest <snip>
>       ServerHelloDone
> 1 6  0.0188 (0.0037)  C>S V3.1(70)  Handshake
>       ClientKeyExchange <snip: EDH>
> 1 7  0.0188 (0.0000)  C>S V3.1(1)  ChangeCipherSpec
> 1 8  0.0188 (0.0000)  C>S V3.1(48)  Handshake
[presumably encrypted Finished, not decoded]
> 1 9  0.0189 (0.0001)  S>C V3.1(2)  Alert
>     level           fatal
>     value           unexpected_message
> 1    0.0192 (0.0002)  S>C  TCP FIN
> 1    0.0194 (0.0002)  C>S  TCP FIN

This trace shows no client certificate (aka authentication).

Are your mysqld server(s), and mysql client(s), using OpenSSL 
or yaSSL? The mysql doc says yaSSL is the default, and the 
prebuilt Windows packages I get from mysql.com seem to use that, 
at least there are no references to the OpenSSL DLLs, 
but (some/all?) Linux packaging could well be different.

OpenSSL s_client, both 0.9.8 and 1.0.0, sends an empty 
(but still present) client-Certificate for client auth 
requested but not available, which is correct per RFC2246 
(and warning41=no_certificate for SSL3, didn't check).
So this doesn't look like client using OpenSSL unless 
it's an option I don't see, or badly hacked up.

I can imagine, but can't easily test, that OpenSSL server 
would reject such a missing client-Cert. According to my 
limited testing (of Windows package) (this) yaSSL client 
skips cli-Cert entirely and yaSSL server accepts this 
(as unauth, so the app rejects if 'REQUIRE X509' is set).

If you are generating client cert&key on 1.0.0* and 
trying to use it on client(s) using yaSSL, the problem 
might possibly be that 1.0.0 'req' writes the privkey 
file as PKCS#8 (generic) instead of algorithm-specific 
(RSA, DSA, ECDSA) formats as in the past. OpenSSL 0.9.8 
(client) can read both, but I don't know about yaSSL.
You might try using openssl 'rsa' to convert the client 
keyfile to the old (PKCS#1 for RSA) format, similar to 
the step shown in 'Example 2' to convert a keyfile 
to unprotected (which is actually a silly sequence to do,
but it's their example, and not actually wrong).

OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
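
An added example, not part of the original post: a Python check that reports whether a PEM key file is in the PKCS#8 form or the traditional algorithm-specific form discussed in the reply, reading the PEM label and cross-checking it against the DER structure. The function names and the two sample blocks are constructed for illustration; the samples are structural skeletons, not usable keys.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
LABELS = {
    "RSA PRIVATE KEY": "traditional PKCS#1 (RSA)",
    "DSA PRIVATE KEY": "traditional (DSA)",
    "EC PRIVATE KEY": "traditional (EC)",
    "PRIVATE KEY": "PKCS#8 unencrypted",
    "ENCRYPTED PRIVATE KEY": "PKCS#8 encrypted",
}

def _tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def classify_key(pem_text):
    """Name the container format of the first PEM block in pem_text."""
    m = PEM_RE.search(pem_text)
    if not m:
        return "no PEM block found"
    label, body = m.groups()
    kind = LABELS.get(label, "not a private key: " + label)
    if "Proc-Type: 4,ENCRYPTED" in body:  # traditional PEM encryption header
        return kind + ", passphrase-protected"
    if label not in ("RSA PRIVATE KEY", "PRIVATE KEY"):
        return kind
    # After the version INTEGER, PKCS#1 has an INTEGER (modulus), PKCS#8 a SEQUENCE (algorithm).
    try:
        der = base64.b64decode("".join(body.split()))
        tag, start, _ = _tlv(der, 0)       # outer SEQUENCE
        _, _, nxt = _tlv(der, start)       # skip the version INTEGER
        expected = {0x02: "RSA PRIVATE KEY", 0x30: "PRIVATE KEY"}.get(der[nxt])
    except (ValueError, IndexError):
        return kind + " (undecodable body)"
    if tag != 0x30 or expected != label:
        return kind + " (label does not match DER structure)"
    return kind

# Constructed skeletons: correct outer structure only, not usable keys.
def _der(tag, value):
    return bytes([tag, len(value)]) + value  # short-form length, value under 128 bytes
def _pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"
_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
PKCS1_SAMPLE = _pem("RSA PRIVATE KEY", _der(0x30, _der(0x02, b"\x00") + _der(0x02, b"\x00\xc3")))
PKCS8_SAMPLE = _pem("PRIVATE KEY", _der(0x30, _der(0x02, b"\x00") + _ALG + _der(0x04, b"\x30\x00")))
```

Running `classify_key(open(path).read())` on a client key file shows which form the issuing OpenSSL wrote before the file is handed to a client whose TLS library may only read one of them.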
