http://bugzilla.opensuse.org/show_bug.cgi?id=936888

            Bug ID: 936888
           Summary: After updating to openssl-1.0.1k-11.72.1 mySQL SSL connections fail
    Classification: openSUSE
           Product: openSUSE 13.1
           Version: Final
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: pszaban@wne.edu
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

Not sure if this is an actual bug, or an intentional change in the way openssl works with mySQL (MariaDB).

Here's what happened:

I have been successfully making encrypted SQL connections using only a server side certificate for many months. After replacing openssl 1.0.1k-11.68.1 x86_64 with openssl 1.0.1k-11.72.1 (this was a security update), mySQL client connections started to fail with:

$ mysql -u user1 -h host.example.com --ssl-ca=/usr/local/ssl/certs/cacert4.pem
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)

I am using a self signed server side certificate (no client side certificate).

While searching for similar problems on the 'net, I found suggestions to verify the certificate name matches the server DNS names, and to make sure CA signer name differs from host certificate CN name. Those problems are not the case here. The CN name of the server certificate does match the DNS name of the server, and the CA certificate name is different from the server certificate name.

The issue does have something to do with a change made to openssl, or one of the associated libopenssl rpms between 1.0.1k-11.68.1 and 1.0.1k-11.72.1.
The issue disappears when I do:

# rpm --oldpackage -Uvh libopenssl1_0_0-1.0.1k-11.68.1.x86_64.rpm libopenssl-devel-1.0.1k-11.68.1.x86_64.rpm openssl-1.0.1k-11.68.1.x86_64.rpm

$ rpm -qa | egrep '(openssl|mysql)'
libopenssl1_0_0-32bit-1.0.1k-11.72.1.x86_64
libmysqlcppconn6-1.1.2-4.1.3.x86_64
libopenssl1_0_0-1.0.1k-11.68.1.x86_64
libmysqlclient_r18-5.5.33-2.2.x86_64
openssl-1.0.1k-11.68.1.x86_64
libmysqlclient-devel-5.5.33-2.2.x86_64
libmysqld18-5.5.33-2.2.x86_64
libqt4-sql-mysql-4.8.5-5.17.1.x86_64
libmysqlclient18-5.5.33-2.2.x86_64
libreoffice-base-drivers-mysql-4.1.6.2-37.1.x86_64
libopenssl-devel-1.0.1k-11.68.1.x86_64

$ mysql -u user1 -h host.example.com --ssl-ca=/usr/local/ssl/certs/cacert4.pem
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 1395
Server version: 5.5.33-MariaDB openSUSE package

Copyright (c) 2000, 2013, Oracle, Monty Program Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

When I find some time to get back to this, I'll try to look into what changed in openssl, and what I can change to be successful with the new openssl update.

For now, I wanted to get this post in as it might be helpful to others who are pulling their hair out trying to figure out why something broke all of a sudden.

Thank You!