hanzo2001

Reputation: 1398

What ciphers do I have available in MySQL Client?

I am getting a cryptic error when trying to connect to a remote MySQL 5.6 (Percona node) server with mysql and Workbench using SSL. I have made my own signed certificates and my own CA.

```
mysql -h host -p -u user --ssl-ca=ca-cert.pem

ERROR 2026 (HY000): SSL connection error: protocol version mismatch
```

I have read around that I should include the cipher option. So I SSH into the server and rerun the same command (without the host) to pluck the cipher for the local connection.

```
mysql>  show session status like '%cipher';
+---------------+-----------------------------+
| Variable_name | Value                       |
+---------------+-----------------------------+
| Ssl_cipher    | ECDHE-RSA-AES128-GCM-SHA256 |
+---------------+-----------------------------+
```

When I retry including the cipher I get the next error message.

```
mysql -h host -p -u user --ssl-ca=ca-cert.pem --ssl-cipher=ECDHE-RSA-AES128-GCM-SHA256

ERROR 2026 (HY000): SSL connection error: Failed to set ciphers to use
```

I understand from Connect to MySQL using SHA2 that my client is most likely incapable of using SHA256 or higher to connect.

I checked the available server ciphers that do not have high SHA:

```
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
DHE-DSS-AES128-SHA
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
AES128-SHA
DH-DSS-AES128-SHA
ECDH-ECDSA-AES128-SHA
AES256-SHA
DH-DSS-AES256-SHA
ECDH-ECDSA-AES256-SHA
```

I've tried these ciphers to no avail. Can anyone help me diagnose the issue? Could it be a problem with my certificates? Or are the certificates determining the cipher?

Update: linked libraries

I have checked my server, mysqld's SSL is linked against

```
libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0
```

Nevertheless, I know for a fact that the Percona version is linked against OpenSSL. The client is compiled against

```
linux-vdso.so.1 => 
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0
libz.so.1       => /lib/x86_64-linux-gnu/libz.so.1
libdl.so.2      => /lib/x86_64-linux-gnu/libdl.so.2
libtinfo.so.5   => /lib/x86_64-linux-gnu/libtinfo.so.5
libstdc++.so.6  => /usr/lib/x86_64-linux-gnu/libstdc++.so.6
libm.so.6       => /lib/x86_64-linux-gnu/libm.so.6
libgcc_s.so.1   => /lib/x86_64-linux-gnu/libgcc_s.so.1
libc.so.6       => /lib/x86_64-linux-gnu/libc.so.6
/lib64/ld-linux-x86-64.so.2
```

I don't see anything SSL-related there, but libdl is present, which means that there might be dynamic loading. However, I suspect that this client may well be compiled for YaSSL.

Upvotes: 0

Views: 4785

Answers (1)

Bill Karwin

Reputation: 562398

Read the manual page https://dev.mysql.com/doc/refman/5.7/en/encrypted-connection-protocols-ciphers.html

It lists the ciphers that MySQL passes to OpenSSL and yaSSL. Your client may be compiled with one or the other of OpenSSL or yaSSL.

Upvotes: 1
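As an added example (not part of the question or the answer above), this shell sketch automates the two checks the thread walks through: whether a binary takes its TLS library from a shared OpenSSL, and which server ciphers a client list has in common. The function names are hypothetical, the `ldd` lines and server ciphers are taken from the question, and the client cipher list is constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how a MySQL binary gets its TLS library, then
# intersect the server's ciphers with a candidate client cipher list.

# Reads `ldd` output on stdin. Prints "openssl-dynamic" when libssl or
# libcrypto is a shared dependency, otherwise "bundled-or-none" (the TLS
# code, for example yaSSL, is compiled into the binary, or TLS is absent).
classify_tls_linkage() {
    if grep -Eq 'lib(ssl|crypto)\.so'; then
        echo "openssl-dynamic"
    else
        echo "bundled-or-none"
    fi
}

# Prints, one per line, the ciphers of $1 that also appear in $2.
# Both arguments are colon-separated lists, the format `openssl ciphers` uses.
common_ciphers() {
    old_ifs=$IFS
    IFS=':'
    for c in $1; do
        case ":$2:" in
            *":$c:"*) printf '%s\n' "$c" ;;   # exact, colon-delimited match
        esac
    done
    IFS=$old_ifs
}

# ldd lines quoted in the question (server first, then two client lines).
SERVER_LDD='libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0'
CLIENT_LDD='libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6'

# Server ciphers come from the question. The client list is constructed
# sample data, not the cipher list of any real client build.
SERVER_CIPHERS='ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:AES128-SHA'
CLIENT_CIPHERS='AES128-SHA:DHE-RSA-AES256-SHA:DES-CBC3-SHA'

printf '%s\n' "$SERVER_LDD" | classify_tls_linkage
printf '%s\n' "$CLIENT_LDD" | classify_tls_linkage
common_ciphers "$SERVER_CIPHERS" "$CLIENT_CIPHERS"
```

On a real host, pipe `ldd "$(command -v mysql)"` into `classify_tls_linkage`, and use the output of `openssl ciphers` as the list for an OpenSSL-linked side.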
