
MySQL 5.1.66 SSL connection error ERROR 2026 (HY000)


Problem

UPDATE2

Using WireShark I found out the problem string (I hope I did):

28 | 9.582638 | 192.168.18.128 | 192.168.18.129 | MySQL Response Error 1043


And the error is (according to docs):

Error: 1043 SQLSTATE: 08S01 (ER_HANDSHAKE_ERROR)
Message: Bad handshake


Here are the screenshots of WireShark in two cases:

Connection from Windows 8 (Success):

Connection from CentOS (Fail):

Why does this happen?

UPDATE

One interesting note:

I successfully connected to the Master DB from Windows 8 (192.168.18.1) by modifying the ssluser setting on the Master for the 192.168.18.1 host, changing it from REQUIRE SSL to REQUIRE X509. However, this doesn't work in our case with the slave-to-master connection.

I have run into an SSL replication problem on CentOS-6.3. I am using OpenSSL to create both the client and server certificates, and both the client and server certificates are signed by the same CA.

Server IP: 192.168.18.128
Slave  IP: 192.168.18.129
MySQL version 5.1.66 SSL


I obtained all certificates using the "Setting Up SSL Certificates and Keys for MySQL" section of the MySQL help pages.

Server's my.cnf file:

```
[mysqld]
ssl-key=/etc/mysql/certs/server-key.pem
ssl-cert=/etc/mysql/certs/server-cert.pem
ssl-ca=/etc/mysql/certs/ca-cert.pem
```


Client's my.cnf file:

```
[client]
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-key=/etc/mysql/ssl/client-key.pem
ssl-cert=/etc/mysql/ssl/client-cert.pem
```


On the Master I set up the slave user with SSL like this:

```
CREATE USER 'ssluser'@'192.168.18.129' IDENTIFIED BY 'sslpass';
GRANT REPLICATION SLAVE ON *.* TO 'ssluser'@'192.168.18.129' REQUIRE SSL;
```


To update the Slave I am using the following command (according to the show master status command):

```
SLAVE STOP;
CHANGE MASTER TO \
MASTER_HOST='192.168.18.128', \
MASTER_USER='sslreplicant', \
MASTER_PASSWORD='db.sslreplicantprimary', \
MASTER_LOG_FILE='mysql-bin.000026',
```

Solution

Try making the certificate files owned by the mysql user and not readable by others.

You can also try with a fixed cipher:

```
mysql ... --ssl-cipher=AES128-SHA
```

And for the change master:

```
CHANGE MASTER TO ... MASTER_SSL_CIPHER='AES128-SHA'
```

Context

StackExchange Database Administrators Q#31591, answer score: 2
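
An added example, not part of the original answer: a shell function that checks the first suggestion in the Solution, namely that every certificate file is owned by the mysql user and carries no permission bits for others. It assumes GNU `stat` (as shipped on CentOS); the function name `audit_cert_perms` is hypothetical.

```shell
#!/bin/sh
# Added example: audit *.pem files in a directory against the advice
# "owned by the mysql user and not readable by others".
# Usage: audit_cert_perms DIR [OWNER]      (OWNER defaults to "mysql")
#   e.g. audit_cert_perms /etc/mysql/certs mysql
# Prints one line per finding.
# Returns 0 if clean, 1 if there is any finding, 2 if DIR is not a directory.
audit_cert_perms() {
    dir=$1
    owner=${2:-mysql}
    findings=0
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue        # the glob matched nothing
        # GNU stat: %U = owner name, %a = octal mode; -L follows symlinks
        f_owner=$(stat -L -c '%U' "$f")
        f_mode=$(stat -L -c '%a' "$f")
        if [ "$f_owner" != "$owner" ]; then
            echo "OWNER $f: owned by $f_owner, expected $owner"
            findings=$((findings + 1))
        fi
        # The last octal digit holds the bits for "others"; any non-zero
        # value lets accounts other than the owner and group touch the file.
        case $f_mode in
            *0) ;;
            *)  echo "MODE  $f: mode $f_mode grants access to others"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}
```

Run it on both hosts, since the master's `[mysqld]` paths and the slave's `[client]` paths point at different directories.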
