[debian-mysql] Bug#674267: confirming

Nicholas Bamber nicholas at periapt.co.uk
Sun May 27 10:18:59 UTC 2012


tag 674267 +confirmed +upstream
retitle 674267   issues with SSL on i386 and kfreebsd-i386
thanks

The starting point is the build failures listed above. Those are the 
only architectures where it has been observed. It only happens when 
MySQL is built against the bundled yaSSL rather than openssl (which is a 
Debian requirement). It does not happen on squeeze. Within those 
parameters it appears to be 100% reproducible. I have to add one other 
test to the list: main.ssl_connect .

Within the Debian context there is a quick way to reproduce it:
1.) Install the mysql-testsuite-5.5 package.
2.) cd /usr/lib/mysql-testsuite
3.) ./mysql-test-run --enable-disabled --var=<suitable test area> main.ssl_connect rpl.rpl_heartbeat_ssl rpl.rpl_ssl1 rpl.rpl_ssl main.ssl_cipher

To establish its upstream credentials one may build directly from the 
upstream tarball and arrive at the same conclusions. (This will not work 
on a kfreebsd-i386 machine because a Perl bug on that platform prevents 
any tests from running unless Debian workaround patches are applied.)

Now comes the question whether these are broken tests or an indication 
of a real problem. To avoid the certificates used being under suspicion 
I suggest using the certificates supplied with the test suite. (These 
look valid according to openssl tools.) I will describe what happens as 
one works one's way up the SSL configuration stack comparing i386 and amd64.

1.) Log into a fresh Debian MySQL i386 or amd64 install and run "show 
variables like '%ssl%';" and you will get:

mysql> show variables like '%ssl%';
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_openssl  | DISABLED |
| have_ssl      | DISABLED |
| ssl_ca        |          |
| ssl_capath    |          |
| ssl_cert      |          |
| ssl_cipher    |          |
| ssl_key       |          |
+---------------+----------+
7 rows in set (0.00 sec)

Don't be confused by "have_openssl". According to the MySQL 
documentation these two are aliases.

2.) Now set "ssl-ca=/usr/lib/mysql-testsuite/std_data/cacert.pem" in the 
[mysqld] section of the config and bounce the server. Now you would get 
on either platform:
mysql> show variables like '%ssl%';
+---------------+----------------------------------------------+
| Variable_name | Value                                        |
+---------------+----------------------------------------------+
| have_openssl  | YES                                          |
| have_ssl      | YES                                          |
| ssl_ca        | /usr/lib/mysql-testsuite/std_data/cacert.pem |
| ssl_capath    |                                              |
| ssl_cert      |                                              |
| ssl_cipher    |                                              |
| ssl_key       |                                              |
+---------------+----------------------------------------------+
7 rows in set (0.00 sec)

3.) Now set
ssl-cert=/usr/lib/mysql-testsuite/std_data/server-cert.pem
ssl-key=/usr/lib/mysql-testsuite/std_data/server-key.pem
and bounce the server. Now on either platform you will get:

mysql> show variables like '%ssl%';
+---------------+---------------------------------------------------+
| Variable_name | Value                                             |
+---------------+---------------------------------------------------+
| have_openssl  | YES                                               |
| have_ssl      | YES                                               |
| ssl_ca        | /usr/lib/mysql-testsuite/std_data/cacert.pem      |
| ssl_capath    |                                                   |
| ssl_cert      | /usr/lib/mysql-testsuite/std_data/server-cert.pem |
| ssl_cipher    |                                                   |
| ssl_key       | /usr/lib/mysql-testsuite/std_data/server-key.pem  |
+---------------+---------------------------------------------------+
7 rows in set (0.00 sec)

4.) Now the difference comes when you try to pass a --ssl-ca argument to 
the client. On amd64 you will get:

nicholas at taylor:/usr/lib/mysql-testsuite$ mysql -u root -p --ssl-ca /usr/lib/mysql-testsuite/std_data/cacert.pem
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 38
Server version: 5.5.23-2 (Debian) ...................................

On the i386 machine you will get:
nicholas at beaumont:~/var/log$ mysql -u root -p --ssl-ca /usr/lib/mysql-testsuite/std_data/cacert.pem
Enter password:
ERROR 2026 (HY000): SSL connection error: error:00000005:lib(0):func(0):DH lib
nicholas at beaumont:~/var/log$
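
The comparison walked through in steps 1 to 4 above, as an added example that is not part of the original message or of MySQL: it parses captured "show variables" tables and client output from two hosts and reports the first layer at which they differ. The function and variable names are hypothetical, and the sample data is abridged from the transcript above.

```python
import re

# Field layout of the SSL error string quoted in the message above:
# error:<8 hex digits>:<library>:<function>:<reason>
SSL_ERR = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.+)")
CLIENT_ERR = re.compile(r"ERROR (\d+) \((\w+)\): (.+)")

def parse_ssl_variables(table):
    """Turn the mysql client's ASCII table into {variable: value}."""
    rows = {}
    for line in table.splitlines():
        if line.startswith("|"):
            cells = [c.strip() for c in line.strip().strip("|").split("|")]
            if len(cells) == 2 and cells[0] != "Variable_name":
                rows[cells[0]] = cells[1]
    return rows

def parse_client_error(output):
    """Return the error fields from client output, or None if it connected."""
    flat = " ".join(output.split())  # undo mail/terminal line wrapping
    m = CLIENT_ERR.search(flat)
    if m is None:
        return None
    info = {"errno": int(m.group(1)), "sqlstate": m.group(2)}
    s = SSL_ERR.search(m.group(3))
    if s:
        info.update(code=int(s.group(1), 16), lib=s.group(2),
                    func=s.group(3), reason=s.group(4).strip())
    return info

def locate_divergence(vars_a, vars_b, client_a, client_b):
    """Name the first layer at which two hosts stop behaving the same."""
    differing = sorted(k for k in set(vars_a) | set(vars_b)
                       if vars_a.get(k) != vars_b.get(k))
    if differing:
        return "server variables: " + ", ".join(differing)
    if (parse_client_error(client_a) is None) != (parse_client_error(client_b) is None):
        return "client connection, server variables identical"
    return "no divergence observed"

# Sample data abridged from the message above (step 3 table, step 4 output).
STEP3 = parse_ssl_variables("""\
| Variable_name | Value                                             |
| have_ssl      | YES                                               |
| ssl_ca        | /usr/lib/mysql-testsuite/std_data/cacert.pem      |
| ssl_cert      | /usr/lib/mysql-testsuite/std_data/server-cert.pem |
| ssl_key       | /usr/lib/mysql-testsuite/std_data/server-key.pem  |""")
AMD64 = "Welcome to the MySQL monitor.\nYour MySQL connection id is 38\n"
I386 = "ERROR 2026 (HY000): SSL connection error: \nerror:00000005:lib(0):func(0):DH lib\n"
print(locate_divergence(STEP3, STEP3, AMD64, I386), parse_client_error(I386))
```
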










