[debian-mysql] Bug#674267: confirming
Nicholas Bamber
nicholas at periapt.co.uk
Sun May 27 10:18:59 UTC 2012
tag 674267 +confirmed +upstream
retitle 674267 issues with SSL on i386 and kfreebsd-i386
thanks
The starting point is the build failures listed above. Those are the
only architectures where it has been observed. It only happens when
MySQL is built against the bundled yaSSL rather than openssl (which is a
Debian requirement). It does not happen on squeeze. Within those
parameters it appears to be 100% reproducible. I have to add one other
test to the list: main.ssl_connect.
Within the Debian context there is a quick way to reproduce it:
1.) Install the mysql-testsuite-5.5 package.
2.) cd /usr/lib/mysql-testsuite
3.) ./mysql-test-run --enable-disabled --var=<suitable test area>
main.ssl_connect rpl.rpl_heartbeat_ssl rpl.rpl_ssl1 rpl.rpl_ssl
main.ssl_cipher
To establish its upstream credentials one may build directly from the
upstream tarball and arrive at the same conclusions. (This will not work
on a kfreebsd-i386 machine because a Perl bug on that platform prevents
any tests from running unless the Debian work-around patches are applied.)
Now comes the question whether these are broken tests or an indication
of a real problem. To avoid the certificates used being under suspicion
I suggest using the certificates supplied with the test suite. (These
look valid according to openssl tools.) I will describe what happens as
one works one's way up the SSL configuration stack comparing i386 and amd64.
1.) Log into a fresh Debian MySQL i386 or amd64 install and run "show
variables like '%ssl%';" and you will get:
mysql> show variables like '%ssl%';
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_openssl  | DISABLED |
| have_ssl      | DISABLED |
| ssl_ca        |          |
| ssl_capath    |          |
| ssl_cert      |          |
| ssl_cipher    |          |
| ssl_key       |          |
+---------------+----------+
7 rows in set (0.00 sec)
Don't be confused by "have_openssl". According to the MySQL
documentation these two are aliases.
2.) Now set "ssl-ca=/usr/lib/mysql-testsuite/std_data/cacert.pem" in the
[mysqld] section of the config and bounce the server. Now you would get
on either platform:
mysql> show variables like '%ssl%';
+---------------+----------------------------------------------+
| Variable_name | Value                                        |
+---------------+----------------------------------------------+
| have_openssl  | YES                                          |
| have_ssl      | YES                                          |
| ssl_ca        | /usr/lib/mysql-testsuite/std_data/cacert.pem |
| ssl_capath    |                                              |
| ssl_cert      |                                              |
| ssl_cipher    |                                              |
| ssl_key       |                                              |
+---------------+----------------------------------------------+
7 rows in set (0.00 sec)
3.) Now set
ssl-cert=/usr/lib/mysql-testsuite/std_data/server-cert.pem
ssl-key=/usr/lib/mysql-testsuite/std_data/server-key.pem
and bounce the server. Now on either platform you will get:
mysql> show variables like '%ssl%';
+---------------+---------------------------------------------------+
| Variable_name | Value                                             |
+---------------+---------------------------------------------------+
| have_openssl  | YES                                               |
| have_ssl      | YES                                               |
| ssl_ca        | /usr/lib/mysql-testsuite/std_data/cacert.pem      |
| ssl_capath    |                                                   |
| ssl_cert      | /usr/lib/mysql-testsuite/std_data/server-cert.pem |
| ssl_cipher    |                                                   |
| ssl_key       | /usr/lib/mysql-testsuite/std_data/server-key.pem  |
+---------------+---------------------------------------------------+
7 rows in set (0.00 sec)
4.) Now the difference comes when you try to pass a --ssl-ca argument to
the client. On amd64 you will get:
nicholas at taylor:/usr/lib/mysql-testsuite$ mysql -u root -p --ssl-ca /usr/lib/mysql-testsuite/std_data/cacert.pem
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 38
Server version: 5.5.23-2 (Debian) ...................................
On the i386 machine you will get:
nicholas at beaumont:~/var/log$ mysql -u root -p --ssl-ca /usr/lib/mysql-testsuite/std_data/cacert.pem
Enter password:
ERROR 2026 (HY000): SSL connection error:
error:00000005:lib(0):func(0):DH lib
nicholas at beaumont:~/var/log$
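As an added illustration, not part of the bug report or of the Debian packaging, here is a small Python helper that parses the `show variables like '%ssl%';` output quoted above and reports which step of the ssl-ca / ssl-cert / ssl-key stack a server has reached. The function names are mine, and the embedded sample is a constructed copy of the step 3 output.

```python
import re

# One body row of the mysql client's ASCII table: "| name | value |"
_ROW = re.compile(r"^\|\s*(\w+)\s*\|\s*(.*?)\s*\|$")

# Constructed sample: a copy of the step 3 output quoted in the report.
SAMPLE_STEP3 = """\
+---------------+---------------------------------------------------+
| Variable_name | Value                                             |
+---------------+---------------------------------------------------+
| have_openssl  | YES                                               |
| have_ssl      | YES                                               |
| ssl_ca        | /usr/lib/mysql-testsuite/std_data/cacert.pem      |
| ssl_capath    |                                                   |
| ssl_cert      | /usr/lib/mysql-testsuite/std_data/server-cert.pem |
| ssl_cipher    |                                                   |
| ssl_key       | /usr/lib/mysql-testsuite/std_data/server-key.pem  |
+---------------+---------------------------------------------------+
7 rows in set (0.00 sec)
"""

def parse_show_variables(text):
    """Turn `SHOW VARIABLES LIKE '%ssl%'` output into a {name: value} dict.
    Border lines, the header row and the trailer are skipped; blank cells -> ''."""
    variables = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m and m.group(1) != "Variable_name":
            variables[m.group(1)] = m.group(2)
    return variables

def ssl_stage(variables):
    """Name the step of the ssl-ca / ssl-cert / ssl-key stack a server is at.
    'disabled': no ssl-* option set (step 1); 'ca-only': ssl-ca set but no
    server certificate to present (step 2); 'server-ready': CA, cert and key
    all set (step 3). have_ssl/have_openssl are aliases, so a mismatch is an error."""
    have_ssl = variables.get("have_ssl", "")
    if have_ssl != variables.get("have_openssl", ""):
        raise ValueError("have_ssl and have_openssl disagree")
    if have_ssl != "YES":
        return "disabled"
    if variables.get("ssl_cert") and variables.get("ssl_key"):
        return "server-ready"
    return "ca-only"
```

Feed it the output of each step to confirm a server is at "server-ready" before blaming the client-side --ssl-ca failure on the platform.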