Unknown SSL error - MariaDB #519

Open
mochour opened this issue Jan 29, 2019 · 21 comments

@mochour

commented Jan 29, 2019

Steps to reproduce this issue

  1. Open HeidiSQL;
  2. Configure and select an SSL connection to the MariaDB server;
  3. Open the connection;
  4. I get the message "Unknown SSL error 0x80090308".

Current behavior

The behavior is different on two PCs. On a desktop I can connect; on a laptop the error occurs.
Both PCs have basically the same configuration (upgrades, tools installed).

Originally I had this issue, but it was solved by HeidiSQL 10.0.0.5460. Now I am able to connect to the DB via SSL.
After a fresh installation of the same version on the laptop, the connection fails.
The problem on the desktop was solved after reinstalling 10.0.0.5460.

I can always connect from Ubuntu via mysql client.

Expected behavior

Possible solution

There is an open ticket related to TLS handshake problem.

Environment

  • HeidiSQL - 10.0.0.5460
  • MariaDB - 10.1.37
  • Windows 7 Pro
@mochour

Author

commented Jan 29, 2019

If you open a connection from the command line with --sslcipher=DHE-RSA-AES256-SHA (which is used for my Linux connection), I get the same error as in the issue.

@jacFerron

commented Jan 30, 2019

The same problem was resolved by modifying the Windows registry (Windows 7):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002

as explained in this link (see the ticket above: Possible solution -> ticket):
Transport Layer Security (TLS) Handshake Failing

@mochour

Author

commented Jan 30, 2019

Thanks for your suggestion, but this is probably not the solution to the problem :-(.

The registry keys are the same on both PCs.

@jacFerron

commented Jan 31, 2019

I have just moved these lines to the top of the registry:
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA

Then it works fine.
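
Added example (not part of the comment above and not HeidiSQL code): a read-only PowerShell check of the Schannel cipher-suite order under the registry key quoted in this thread, so that two PCs can be compared by position and by a hash of the full order. It assumes the ordered list is the `Functions` value of that key, and that a Group Policy order, if configured, is stored under the `SOFTWARE\Policies` path shown in the code.

```powershell
# Added example: read-only report of the Schannel cipher-suite order on this PC.
# Written for PowerShell 2.0 (the version Windows 7 ships with).
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
# Assumption: a Group Policy order, when set, is stored here and takes precedence.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# The suites the Jan 31 comment moved to the top of the list.
$wanted = @(
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA'
)

function Get-SuiteOrder {
    # Policy value is one comma-separated string; the local value is a multi-string.
    $policy = Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue
    if ($policy -and $policy.Functions) {
        $list = $policy.Functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        return @{ Source = 'GroupPolicy'; Suites = @($list) }
    }
    $local = Get-ItemProperty -Path $localKey -Name Functions -ErrorAction Stop
    return @{ Source = 'Local'; Suites = @($local.Functions | Where-Object { $_ }) }
}

$order  = Get-SuiteOrder
$suites = $order.Suites

# Position of each suite of interest (1 = most preferred, 0 = not in the list).
$wanted | ForEach-Object {
    $pos = [array]::IndexOf($suites, $_) + 1
    New-Object PSObject -Property @{ Position = $pos; Suite = $_ }
} | Select-Object Position, Suite | Format-Table -AutoSize

# Hash of the full ordered list: equal on two PCs only when they hold the same
# suites in the same order, which is stricter than comparing the key by eye.
$bytes = [System.Text.Encoding]::UTF8.GetBytes(($suites -join "`n"))
$sha   = [System.Security.Cryptography.SHA256]::Create()
$hash  = [System.BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', ''
'Source: {0}  Suites: {1}  SHA256(order): {2}' -f $order.Source, $suites.Count, $hash
```

Run it on both PCs and compare the last line: a different hash or source points at the cipher order, while an identical one rules it out as the difference between the machines.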

@mochour

Author

commented Feb 1, 2019

This doesn't help. Same error.

@mochour

Author

commented Feb 12, 2019

The only difference that I can see between the workstation and the laptop is that the connections to MariaDB on the laptop are marked by the MySQL icon in the session manager. I am able to connect from the laptop to Azure db via SSL.
[image: session_manager]

@mochour

Author

commented Feb 22, 2019

The problem is in the self-signed certificate and CA deployment on the client.

I see that after "Server Key Exchange, Certificate Request, Server Hello Done" follows a [RST, ACK] client response. I do not know what the problem in HeidiSQL is, but it is clearly connected with the trust store of the self-signed certificates.

I have to say that I am quite disappointed by the level of support. The issue has not even been investigated by anyone for more than 3 weeks :-(.

Great customer support ...

Thanks to @jacFerron for some hints ...

@ansgarbecker

Collaborator

commented Feb 23, 2019

Be sure I am reading your comments here. Though HeidiSQL is not commercial, and so you cannot expect such support as in commercial products probably.

I also have no clue about the cause here. Apart from downgrading HeidiSQL to 9.5 I cannot tell you anything yet. The comments are also confusing, as the first post tells me it happened on 10.0, while the current version is 10.1. Also, do I understand right that one pc is running the SSL connection fine and the other one not?

@mochour

Author

commented Feb 23, 2019

Hi,

I do not expect the same support as for a commercial product, but at least when you don't know, just say so. No problem at all.

The version is not important; I've tried 10.0.X and up, and also the current 10.1. Same problem.

I keep the version the same for reference purposes.

Yes, I have two PCs with almost the same environment (W7 Pro, 64-bit, upgraded, HeidiSQL 10.0.0.5460, installed self-signed certificates etc.).

I can connect from one and not from the other.
I can connect via mysql (Cygwin) from both and from any Linux server.
I can connect from all of them to the MS Azure MariaDB instance via SSL, even with HeidiSQL.

This leads me to the conclusion that there is a problem with the handling and trust of self-signed CA certificates.

@ansgarbecker

Collaborator

commented Feb 24, 2019

OK, you have 10.0 installed, and use MariaDB with the shipped libmariadb.dll, which is then from Connector v3.0.8 / Server 10.3.6. Perhaps we find an issue with respect to self-signed certificates with this particular version.

@ansgarbecker

Collaborator

commented Feb 24, 2019

Found this, which might be irrelevant, because it's for the Java Connector:
https://mariadb.com/kb/en/library/using-tls-ssl-with-mariadb-java-connector/#handling-self-signed-certificates
Apart from that, there does not seem to be much that is helpful, at least on Google.

@mochour

Author

commented Feb 26, 2019

It is not the case. I see from the Wireshark log that I receive both the CA and the server cert on the client.

Do you use an external library for handling SSL?
Is the connection provided by libmariadb.dll?
I see that the content of C:\Program Files\HeidiSQL is different on the PCs. Should it be a problem?

@ansgarbecker

Collaborator

commented Feb 27, 2019

Yes, connecting is done by mysql_real_connect in libmariadb.dll, if it exists. If not, Heidi tries to load an older libmysql.dll from the same folder. You can delete libmariadb.dll for testing purposes and try if that connects then.

@mochour

Author

commented Feb 27, 2019

Where can I find the project for libmariadb?

@ansgarbecker

Collaborator

commented Feb 28, 2019

@ansgarbecker

Collaborator

commented Jun 2, 2019

Related

In my recent commit 51da7c8 I am now setting MARIADB_OPT_TLS_VERSION to 'TLSv1,TLSv1.1,TLSv1.2,TLSv1.3' via mysql_options. Now at least the forum poster can again connect to his MySQL 8.0 server, but no longer to a v5.7 server.

@mochour did you accidentally close this, or is it fixed for you on MariaDB 10.1? Does it also run on MySQL 5.7 (or older) for you?

@mochour

Author

commented Jun 4, 2019

The problem was not in HeidiSQL but in the connector provided by MariaDB (see here).
Because I had to upgrade from Win7 to Win10 on my laptop, the problem was not reproducible anymore. I suggested closing the issue.

The problem is somehow living on on the MariaDB forum (see here).

@ansgarbecker

Collaborator

commented Jun 4, 2019

As I still can reproduce that on Win10, connecting with SSL to a MySQL v5.7 server, I am reopening this issue. The forum thread also has some useful details.

@ansgarbecker ansgarbecker reopened this Jun 4, 2019

@ansgarbecker ansgarbecker added this to the v10.3 milestone Jun 4, 2019

@ansgarbecker

Collaborator

commented Jun 4, 2019

Two ideas for workarounds:

  • provide a user option to select the used library (old libmysql.dll or newer libmariadb.dll) => #677
  • provide a user option to disable the currently hardcoded MARIADB_OPT_TLS_VERSION value
@rentalhost

Collaborator

commented Jun 4, 2019

Could they not be loaded together, with the choice made based on the MySQL version? Or do it for MARIADB_OPT_TLS_VERSION?

@ansgarbecker

Collaborator

commented Jun 5, 2019

Loaded together? No, both of these DLLs are already there, but the newer one is preferred. The older one is currently just used as a fallback, when the other one was not installed for some reason. But it seems the older one now does not throw this "Unknown SSL error" on older servers, while it does on MySQL 8 for example, where the newer one succeeds.
