
After openssl is upgraded to openssl.x86_64 0:1.0.1e-30.el6.9, mysql connections to CloudSQL start to fail with the following error.

ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)

If I connect from another server that isn't yet upgraded and check the SSL cipher, this is what I see.

[root@myhostname ~]# mysql -e "SHOW STATUS LIKE 'ssl_cipher'\G"
Variable_name: Ssl_cipher
Value: DHE-RSA-AES256-SHA

So if I go back to the server with the upgraded version and check for the cipher, I see the following (identical on both servers).

[root@myhostname ~]# openssl ciphers -v "AES" | grep DHE-RSA-AES256-SHA
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1

I am not an expert with SSL ciphers and encryption. So what am I missing that may be causing this issue? The only fix for now was to downgrade openssl and openssl-devel.

[root@myhostname ~]# yum downgrade openssl*

Running the following from the working server and the non-working server returns the same error, where the cert, key and CA files are the files used to connect to the CloudSQL instance.

openssl s_client -connect <ip>:3306 -tls1 -cert client-cert.pem -key client-key.pem -CAfile server-ca.pem | openssl x509 -text -noout

It returns the following error, but on both servers, working and not working.

140582014740296:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
unable to load certificate
140388473263944:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
pensivepie
  • Please state the cipher string you are using on the server. Please post the exact URL you are using to connect to the server, and post the output of `openssl s_client -connect : -tls1 -servername | openssl x509 -text -noout`. Do so by adding it to your question by clicking *Edit* (and don't post it as a comment). Otherwise, there's not enough information to help troubleshoot it. – jww Jun 08 '15 at 10:39
  • I added the output to question. – pensivepie Jun 08 '15 at 14:46
  • Add the `-servername` option to your `openssl s_client` command. You might also try `-tls1_2`. – jww Jun 08 '15 at 15:10
  • You might also take a look at [Error 0x1408F10B: "SSL3_GET_RECORD:wrong version number" with PayPal SDK](http://stackoverflow.com/q/26378351). One of the things it suggests is to update to the latest SDKs and APIs. – jww Jun 08 '15 at 15:50
  • Thanks. I tried with and without -servername with the same response. I would think it would be the opposite of the Poodle upgrade, since it is the newer version not working instead of the older version not working. – pensivepie Jun 08 '15 at 16:15

0 Answers