SSL with other Clients than the original MariaDB-client?
It seems that there is a difference in handling the SSL handshake at the MariaDB-Server (5.2 or below) in contrast to the Mysql-Server 5.1. All JDBC-Clients can successfully connect to the Mysql-Server 5.1 via SSL, but not to the MariaDB-Server. Without SSL all JDBC-Clients can successfully connect to MariaDB.
Both servers run with the same CA-, Server- and Client-Certificates, and I have made the following tests (all with MariaDB Server 5.2.10 and also tested with 5.1.60 from the Deb-Repository):
- Mysql-Client (5.1) cannot connect to MariaDB Server: "ERROR 2026 (HY000): SSL connection error"
- Mysql-connector/J cannot connect to MariaDB Server: TLSv1 Handshake fails with "unexpected message" after ClientHello
- Drizzle JDBC cannot connect to MariaDB-Server: TLSv1 Handshake fails also with "unexpected message" after ClientHello
- Original MariaDB-Client (5.2) can connect easily via SSL with the CA-Certificate to MariaDB-Server.
It seems to be a general communication problem in the SSL-Handshake after ClientHello.
Is it a bug or a feature?
Debug-Log of Java:
trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
ClientHello, TLSv1
RandomCookie: GMT: 1328138424 bytes
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
[write] MD5 and SHA1 hashes: len = 75
main, WRITE: TLSv1 Handshake, length = 75
[Raw write]: length = 80
[Raw read]: length = 5
0000: 16 00 00 02 FF .....
main, handling exception: javax.net.ssl.SSLException: Unsupported record version Unknown-0.0
main, SEND TLSv1 ALERT: fatal, description = unexpected_message
main, WRITE: TLSv1 Alert, length = 2
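The five bytes the Java client reads back ("16 00 00 02 FF") explain the "Unsupported record version Unknown-0.0" message: a TLS record header is one content-type byte, a two-byte protocol version and a two-byte length, so 0x16 is "handshake" but the version 0x0000 is not one any TLS stack knows. The following script is an added example, not code from the original post or from MariaDB; it parses those bytes both as a TLS record header and, as an assumption about what the server actually sent, as a MySQL wire-protocol packet header (3-byte little-endian length, 1-byte sequence id, then a payload whose first byte 0xFF marks an ERR packet). It can be pointed at any captured first-read bytes to tell a real ServerHello apart from a non-TLS reply.

```python
import struct

# Raw bytes copied from the Java debug log in the question above
# ("[Raw read]: length = 5" / "0000: 16 00 00 02 FF").
RAW_READ = bytes.fromhex("16000002FF")

# Constructed sample of a plausible ServerHello record header (TLSv1, 74-byte body)
# for comparison; not taken from the page.
SAMPLE_SERVERHELLO_HEADER = bytes.fromhex("160301004A")

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
KNOWN_TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def parse_tls_record_header(data: bytes) -> dict:
    """Interpret the first 5 bytes as a TLS record header: type, version (major, minor), length."""
    if len(data) < 5:
        raise ValueError("need 5 bytes for a TLS record header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    version = KNOWN_TLS_VERSIONS.get((major, minor))
    return {
        "content_type": TLS_CONTENT_TYPES.get(content_type, f"unknown({content_type})"),
        # Mirrors the JSSE wording "Unknown-<major>.<minor>" seen in the question's log.
        "version": version if version else f"Unknown-{major}.{minor}",
        "version_supported": version is not None,
        "length": length,
    }


def parse_mysql_packet_header(data: bytes) -> dict:
    """Interpret the same bytes as a MySQL protocol packet: 3-byte little-endian
    payload length, 1-byte sequence id, then the payload (assumption: the server
    answered with a plain MySQL packet instead of a TLS record)."""
    if len(data) < 4:
        raise ValueError("need 4 bytes for a MySQL packet header")
    length = int.from_bytes(data[:3], "little")
    seq = data[3]
    payload = data[4:]
    first = payload[0] if payload else None
    return {
        "length": length,
        "sequence_id": seq,
        "first_payload_byte": first,
        "is_err_packet": first == 0xFF,  # 0xFF is the MySQL ERR packet marker
    }


def diagnose(data: bytes) -> str:
    """Classify the first bytes read after ClientHello: valid TLS record, MySQL ERR packet, or neither."""
    tls = parse_tls_record_header(data)
    if tls["version_supported"]:
        return f"looks like a TLS {tls['content_type']} record ({tls['version']}, {tls['length']} bytes)"
    mysql = parse_mysql_packet_header(data)
    if mysql["is_err_packet"]:
        return (f"not a valid TLS record (version {tls['version']}); the same bytes parse as a "
                f"MySQL ERR packet, seq {mysql['sequence_id']}, length {mysql['length']}")
    return f"not a valid TLS record (version {tls['version']}) and not a recognisable MySQL packet"


if __name__ == "__main__":
    print("bytes from the question:", diagnose(RAW_READ))
    print("constructed ServerHello header:", diagnose(SAMPLE_SERVERHELLO_HEADER))
```

Run against the bytes from the log, the TLS reading yields content type "handshake" with version "Unknown-0.0" and a nonsensical length of 767, which is exactly the point at which JSSE gives up and sends the unexpected_message alert; the MySQL reading gives a 22-byte packet with sequence id 2 whose payload starts with 0xFF. Whether the server really emitted a MySQL error packet here is an assumption of this example, but the two parses show why the client's alert is the symptom rather than the cause.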
Answer
This bug is now fixed in 5.1 and later versions. The fix should be part of the next release (next 5.1, next 5.2, etc).
http://bazaar.launchpad.net/~maria-captains/maria/5.1/revision/3117.1.3