2015-02-24 993 views
7

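I am using MySQL and have generated certificates to use with MySQL to enable SSL. Connecting to MySQL over SSL gives ERROR 2026 (HY000): SSL connection error: protocol version mismatch

Below are the SSL configs: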

mysql> show variables like '%ssl%';
+---------------+----------------------------+
| Variable_name | Value                      |
+---------------+----------------------------+
| have_openssl  | YES                        |
| have_ssl      | YES                        |
| ssl_ca        | /etc/mysql/ca-cert.pem     |
| ssl_capath    |                            |
| ssl_cert      | /etc/mysql/server-cert.pem |
| ssl_cipher    |                            |
| ssl_key       | /etc/mysql/server-key.pem  |
+---------------+----------------------------+
7 rows in set (0.00 sec)

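This seems to be working fine, and it looks like I applied the certificates to the MySQL server correctly.

There is a problem creating a connection to the MySQL server from a remote host.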

mysql -u app1 -p -h 192.168.33.131 --ssl --ssl-capath=<path>/ssl/ --ssl-ca=<path>/ca-cert.pem --ssl-cert=<path>/client-cert.pem --ssl-key=<path>/client-key.pem 
Enter password: 
ERROR 2026 (HY000): SSL connection error: protocol version mismatch 

It seems there is a problem with the certificates, or it may be something else.

Environment:

OS:      Ubuntu 14.04
MySQL:   5.5.41
OpenSSL: OpenSSL 1.0.1f 6 Jan 2014
+0

http://askubuntu.com/questions/194074/ http://www.percona.com/blog/2012/11/08/debugging-mysql-ssl-problems/ https://bugs.mysql.com/bug.php?id=64870 – RandomSeed 2015-04-21 23:13:50

+3

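Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Database Administrators Stack Exchange](http://dba.stackexchange.com/) would be a better place to ask. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306). – jww 2015-05-06 03:24:10

Answers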

3

https://bugs.mysql.com/bug.php?id=64870

At the bottom:

If you're using 'openssl req -newkey rsa:2048 ...' to generate keys, please be advised that openssl 1.0 and newer now stores private keys in the PKCS#8 format instead of PKCS#1.

Make PKCS#8 the default write format for private keys, replacing the traditional format. This form is standardised, more secure and doesn't include an implicit MD5 dependency. [Steve Henson]

These keys will have a PEM header such as:

-----BEGIN PRIVATE KEY----- 

If MySQL is compiled with YaSSL as its SSL implementation (which I believe is the default), these keys won't load and MySQL will complain at startup:

[Warning] Failed to setup SSL
[Warning] SSL error: Unable to get private key

YaSSL expects RSA private keys in the PKCS#1 format, with the PEM header:

-----BEGIN RSA PRIVATE KEY----- 

Various "advices" online seem to suggest that you can change the PEM header and footer of those PKCS#8 private keys to get them to work with MySQL/yaSSL. That will indeed stop MySQL from complaining at startup, but unfortunately SSL connections against MySQL will still fail with something like:

**ERROR 2026 (HY000): SSL connection error: protocol version mismatch** 

To fix this, convert the key to the older PKCS#1 RSAPrivateKey format using 'openssl rsa'.

$ openssl rsa -in key-from-openssl-1.pem -out pkcs1-yassl-compatible-key.pem
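An added example, not part of the original answer or the MySQL bug report: a Python check that tells a genuine PKCS#1 key from a PKCS#8 key whose PEM header was only edited, by inspecting the DER structure inside the PEM body. The function names and the toy DER samples are constructed for illustration and are not real keys.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def der_key_format(der):
    """Classify a DER private key body as 'PKCS#1', 'PKCS#8' or 'unknown'."""
    try:
        tag, start, _ = _read_tlv(der, 0)
        if tag != 0x30:                    # both formats open with a SEQUENCE
            return "unknown"
        tag, _, end = _read_tlv(der, start)
        if tag != 0x02:                    # ...followed by a version INTEGER
            return "unknown"
        # PKCS#1 RSAPrivateKey: next element is the modulus INTEGER (0x02).
        # PKCS#8 PrivateKeyInfo: next element is an AlgorithmIdentifier SEQUENCE (0x30).
        return {0x02: "PKCS#1", 0x30: "PKCS#8"}.get(der[end], "unknown")
    except IndexError:                     # truncated or empty input
        return "unknown"

def check_pem_key(pem_text):
    """Return (header_format, body_format, pkcs1_ok) for a PEM private key."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    header = {"RSA PRIVATE KEY": "PKCS#1", "PRIVATE KEY": "PKCS#8"}.get(m.group(1), "unknown")
    body = der_key_format(base64.b64decode("".join(m.group(2).split())))
    # pkcs1_ok: header and body both PKCS#1, the form the bug report says yaSSL expects.
    return header, body, header == body == "PKCS#1"

def _pem(label, der):                      # builds the constructed samples below
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed toy DER bodies (not real keys): only the leading structure matters.
TOY_PKCS1 = bytes.fromhex("300a" "020100" "020200c3" "020111")
TOY_PKCS8 = bytes.fromhex("3014" "020100" "300d06092a864886f70d0101010500" "0400")
```

A result of `("PKCS#1", "PKCS#8", False)` is the edited-header case described above: the server starts without a warning, but the key still needs converting with `openssl rsa`.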