Tuesday, October 28, 2014

[Ubuntu 14.04] mysql with SSL: ERROR 2026 (HY000): SSL connection error: protocol version mismatch


I was trying to enable SSL on mysql in Ubuntu 14.04 and it was not easy.

1. Install simply, apt-get install mysql-client mysql-server and set a strong root password.
2. Generate openssl certs and enable SSL configurations in /etc/mysql/my.cnf like this:

#For the client: (localhost only)

[client]
port            = 3306
socket          = /var/run/mysqld/mysqld.sock
ssl=1
ssl-ca          = /etc/mysql/ca-cert.pem

[mysqld]
....
ssl=1
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem
ssl-cipher=DHE-RSA-AES256-SHA

Restart mysql, thats it. But while trying to connect (mysql -u root -p), I faced an error:

ERROR 2026 (HY000): SSL connection error: protocol version mismatch

Later I figured out, it was due to Bad certificates (well kind of..),

So generate the certificates using the commands here:
http://askubuntu.com/questions/194074/enabling-ssl-in-mysql

Once you connect, you can /s to confirm that your cipher is on:

--------------------------------------------------------------------------------------------

mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 36
Server version: 5.5.38-0ubuntu0.14.04.1 (Ubuntu)

Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \s
--------------
mysql  Ver 14.14 Distrib 5.5.38, for debian-linux-gnu (i686) using readline 6.3

Connection id: 36
Current database:
Current user: root@localhost
SSL: Cipher in use is DHE-RSA-AES256-SHA
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server version: 5.5.38-0ubuntu0.14.04.1 (Ubuntu)
Protocol version: 10
Connection: Localhost via UNIX socket
Server characterset: latin1
Db     characterset: latin1
Client characterset: utf8
Conn.  characterset: utf8
UNIX socket: /var/run/mysqld/mysqld.sock
Uptime: 11 days 1 hour 4 min 49 sec

Threads: 1  Questions: 109  Slow queries: 0  Opens: 171  Flush tables: 1  Open tables: 41  Queries per second avg: 0.000
--------------

mysql>

--------------------------------------------------------------------------------------------

Now if you want to see mysql SSL in action using wireshark,

http://rhosted.blogspot.in/2014/10/mysql-tlsv1-capture-using-wireshark.html

More references:
http://askubuntu.com/questions/194074/enabling-ssl-in-mysql

Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)