C5 Recent Openssl Update Breaks Mysql SSL Connection


I recently applied updates to a CentOS 5 box running MySQL. I’ve discovered that the new version of openssl, 0.9.8e-36.0.1.el5_11, breaks MySQL SSL connections.

If I rename /lib/libssl.so.0.9.8e and replace it with the old version of that file from openssl-0.9.8e-27.el5_10.1 (not sure if that is the next oldest, but it was handy), then SSL connection to MySQL works again.

I then performed cross-checks using the server with new libssl and the client with old, and then vice versa. What I found was that it didn’t matter whether the server was started with the old libssl or the new libssl. In both cases, the mysql client would only connect using the old libssl, and not when using the new libssl.

When it works with the old libssl, I can confirm that SSL is in use:

mysql> \s
————

13 thoughts on - C5 Recent Openssl Update Breaks Mysql SSL Connection

  • In article <55D20981.7030902@CentOS.org>, Johnny Hughes wrote:

    That may well be the case, but isn’t relevant to the point I’m making, which is that something changed in openssl-0.9.8e-36 that has broken something.

    Cheers Tony

  • In article <55D2174F.70509@CentOS.org>, Johnny Hughes wrote:

    Thanks. I eventually found the more specific link at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/ch-Migrating_from_MySQL_5.0_to_MySQL_5.5.html

    However, the only “why” I could find was “Red Hat will not issue any more security advisories for the MySQL 5.0 packages (mysql-5.0.* and related packages). Security advisories will be provided only for MySQL 5.5.”
    Nothing to indicate that anything in 5.0 is inherently broken. Are there any more specific reasons? It appears to be working fine.

    And is the same true for C6, which comes with mysql 5.1, that one should use mysql55 from SCL instead? Why, or why not?

    Cheers Tony

  • In article <55D2ED32.6040000@hogranch.com>, John R Pierce wrote:

    Maybe so, but still a side issue. Openssl 0.9.8e was recently updated. Some change in this update has broken something. I would like to understand what, and so ought the package maintainers. C5 isn’t EOL until March 2017.

    Cheers Tony

  • On 18.08.2015 at 10:55, tony@softins.co.uk (Tony Mountifield) wrote:

    What is important in this case is that a different combination of software packages, one that is not in the scenario of upstream’s philosophy, is not supported and can lead to unexpected behavior. As always recommended by any advisory: “Before applying this update, make sure all previously released errata relevant to your system have been applied.”

    Why EL5 is on MySQL 5.5 and EL6 on MySQL 5.1 is a different question (only upstream can answer). I recommended updating your (client and server) systems to the current supported state (5.11) with all relevant updates applied. This includes the mentioned migration to mysql55-mysql. Our EL5 setup/service passes this migration seamlessly. And then check your problem in this new environment …

  • rpm -q --changelog openssl-0.9.8e. You weren’t clear which version you upgraded from, but you mentioned testing against openssl-0.9.8e-27.el5_10.1 (from March 2014, nevertheless), which works.

    I would hazard a guess that this is the change causing your problem.

    * Fri Jun 26 2015 Tomas Mraz 0.9.8e-36
    - also change the default DH parameters in s_server to 1024 bits

    Here’s some more info,

    https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/

    RH must have backported this fix to 0.9.8e.

    There seem to be many reports out there that the openssl update broke mysql, but unfortunately, at a quick glance, they are all about RHEL6/openssl 1.0.1, so you’re most likely on your own. I’m quite ignorant of mysql, but it looks like you may be able to get this to work again by changing the cipher in mysql and regenerating your cert.

    https://www.howtoforge.com/how-to-set-up-mysql-database-replication-with-ssl-encryption-on-CentOS-5.4
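
One way to test the guess in the comment above, as an added example that is not part of the thread: compare MySQL's default SSL handshake with one forced to a cipher suite that does not use DH key exchange. The host, user, CA path and the choice of AES128-SHA as the non-DH suite are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. DB_HOST, DB_USER and CA_FILE are
# placeholders; credentials are expected in ~/.my.cnf.
DB_HOST="${DB_HOST:-db.example.internal}"
DB_USER="${DB_USER:-appuser}"
CA_FILE="${CA_FILE:-/etc/mysql/ca-cert.pem}"

# True if an OpenSSL cipher-suite name uses finite-field Diffie-Hellman key
# exchange, the part of the handshake that depends on the DH parameters.
uses_ffdh() {
    case "$1" in
        DHE-*|EDH-*|ADH-*|EXP-EDH-*|EXP-ADH-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Connect over SSL and print the negotiated cipher (empty if the connection
# fails). $1 is an optional cipher list handed to the client's --ssl-cipher.
negotiated_cipher() {
    if [ -n "${1:-}" ]; then set -- "--ssl-cipher=$1"; else set --; fi
    mysql -h "$DB_HOST" -u "$DB_USER" --ssl-ca="$CA_FILE" "$@" -N -B \
        -e "SHOW STATUS LIKE 'Ssl_cipher'" 2>/dev/null | awk '{print $2}' || true
}

# Compare the default handshake with one forced to AES128-SHA (RSA key
# exchange, no DH). Forcing it is a diagnostic: it gives up forward secrecy.
diagnose() {
    dflt=$(negotiated_cipher)
    forced=$(negotiated_cipher AES128-SHA)
    if [ -n "$dflt" ] && uses_ffdh "$dflt"; then
        echo "ok-dh:$dflt"            # DH handshake is accepted
    elif [ -n "$dflt" ]; then
        echo "ok-non-dh:$dflt"        # connection works, DH not in use
    elif [ -n "$forced" ]; then
        echo "dh-rejected:$forced"    # only the DH key exchange fails
    else
        echo "ssl-broken"             # fails whatever the key exchange
    fi
}
```

Source the file and run `diagnose` once with each libssl version in place; a `dh-rejected` result that appears only with the new library points at the DH change rather than at the certificates.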

  • In article <20150818092704.GA13601@users.sourceforge.net>,
    wrote:

    Interesting… many thanks for the pointers! Something for me to experiment with…

    Cheers Tony

  • In article <013173C7-6AEC-4C2D-9EB7-84C873C89028@googlemail.com>, Leon Fauster wrote:

    Cool – that looks like the answer. Just tried it successfully.

    Many thanks!

    Tony

  • Working fine is NOT secure. The fact that they have not issued any security update for MySQL 5.0 since mid 2013 .. and since then there have been 4 security issues fixed in EL5 (1 Important, 3 Moderate) in the mysql55 updates.

    No, I would use the version of mysql that is supported in the distro. For EL5, the supported version is the mysql55. For EL6 it is the mysql-5.1 version.