On connecting to MySQL via SSL getting ERROR 2026 (HY000): SSL connection error: protocol version mismatch
https://bugs.mysql.com/bug.php?id=64870
At the bottom:
If you're using 'openssl req -newkey rsa:2048 ...' to generate keys, please be advised that openssl 1.0 and newer now stores private keys in the PKCS#8 format instead of PKCS#1.
Make PKCS#8 the default write format for private keys, replacing the traditional format. This form is standardised, more secure and doesn't include an implicit MD5 dependency. [Steve Henson]
These keys will have a PEM header such as:
-----BEGIN PRIVATE KEY-----
If MySQL is compiled with YaSSL as its SSL implementation (which I believe is the default), these keys won't load and MySQL will complain at startup:
[Warning] Failed to setup SSL
[Warning] SSL error: Unable to get private key
YaSSL expects RSA private keys in the PKCS#1 format, with the PEM header:
-----BEGIN RSA PRIVATE KEY-----
Various "advices" online seem to suggest that you can change the PEM header and footer of those PKCS#8 private keys to get them to work with MySQL/yaSSL. That will indeed stop MySQL from complaining at startup, but unfortunately SSL connections against MySQL will still fail with something like:
**ERROR 2026 (HY000): SSL connection error: protocol version mismatch**
To fix this, convert the key to the older PKCS#1 RSAPrivateKey format using 'openssl rsa'.
$ openssl rsa -in key-from-openssl-1.pem -out pkcs1-yassl-compatible-key.pem
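A way to check which format a key file really holds, whatever its PEM header says (an added example, not code from the bug report or from MySQL). It assumes an unencrypted RSA key; the function names are hypothetical and the sample keys are constructed from toy numbers, not usable keys.

```python
import base64

def tlv(data, pos=0):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def key_format(pem):
    """Return (PEM label, format the DER body really has)."""
    lines = [l.strip() for l in pem.strip().splitlines() if l.strip()]
    label = lines[0].strip("-").replace("BEGIN ", "", 1)
    raw = base64.b64decode("".join(lines[1:-1]))
    tag, start, _ = tlv(raw)                # outer SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, after_version = tlv(raw, start)   # version INTEGER
    # PKCS#1 continues with the modulus INTEGER, PKCS#8 with an AlgorithmIdentifier.
    body = {0x02: "PKCS#1", 0x30: "PKCS#8"}.get(raw[after_version], "unknown")
    return label, body

def header_matches_body(pem):
    label, body = key_format(pem)
    return {"RSA PRIVATE KEY": "PKCS#1", "PRIVATE KEY": "PKCS#8"}.get(label) == body

# --- constructed sample data: toy numbers, structure only, not a usable key ---
def enc(tag, value):
    return bytes([tag, len(value)]) + value  # short-form length is enough here

def der_int(v):
    return enc(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def to_pem(label, body):
    b64 = base64.encodebytes(body).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"

TOY = [0, 3233, 17, 2753, 61, 53, 53, 49, 38]   # version, n, e, d, p, q, dP, dQ, qInv
PKCS1_DER = enc(0x30, b"".join(der_int(v) for v in TOY))
RSA_ALG = enc(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL
PKCS8_DER = enc(0x30, der_int(0) + RSA_ALG + enc(0x04, PKCS1_DER))
PKCS1_PEM = to_pem("RSA PRIVATE KEY", PKCS1_DER)
PKCS8_PEM = to_pem("PRIVATE KEY", PKCS8_DER)
EDITED_PEM = to_pem("RSA PRIVATE KEY", PKCS8_DER)   # header swapped, body untouched

if __name__ == "__main__":
    for name, pem in [("pkcs1", PKCS1_PEM), ("pkcs8", PKCS8_PEM), ("edited", EDITED_PEM)]:
        print(name, key_format(pem), header_matches_body(pem))
```

A key whose header was edited by hand reports a PKCS#1 label over a PKCS#8 body, which is the case that passes startup but still fails at connection time.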
Comments
-
Shivam Bajpai almost 2 years
I am working with MySQL and generated the certificates to use with MySQL to enable SSL.
Here are SSL configs:
mysql> show variables like '%ssl%';
+---------------+----------------------------+
| Variable_name | Value                      |
+---------------+----------------------------+
| have_openssl  | YES                        |
| have_ssl      | YES                        |
| ssl_ca        | /etc/mysql/ca-cert.pem     |
| ssl_capath    |                            |
| ssl_cert      | /etc/mysql/server-cert.pem |
| ssl_cipher    |                            |
| ssl_key       | /etc/mysql/server-key.pem  |
+---------------+----------------------------+
7 rows in set (0.00 sec)
It seems to be working fine and looks like I did it well with applying the certificates with the MySQL server.
The problem exists with creating a connection to the MySQL server via a remote host.
mysql -u app1 -p -h 192.168.33.131 --ssl --ssl-capath=<path>/ssl/ --ssl-ca=<path>/ca-cert.pem --ssl-cert=<path>/client-cert.pem --ssl-key=<path>/client-key.pem
Enter password:
ERROR 2026 (HY000): SSL connection error: protocol version mismatch
Seems to be having some issues with certificates or maybe something else.
Environment:
OS: Ubuntu 14.04
MySQL: 5.5.41
OpenSSL: OpenSSL 1.0.1f 6 Jan 2014