Unknown SSL error - MariaDB #519

Closed
mochour opened this issue Jan 29, 2019 · 34 comments

@mochour

mochour commented Jan 29, 2019

Steps to reproduce this issue

  1. Open HeidiSQL;
  2. Configure and select an SSL connection to the MariaDB server;
  3. Open the connection;
  4. I get the message "Unknown SSL error 0x80090308".

Current behavior

The behavior is different on two PCs. On a desktop I can connect, on a laptop the error occurs.
Both PCs have basically the same configuration (upgrades, tools installed).

Originally I had this issue, but it was solved by HeidiSQL 10.0.0.5460. Now I am able to connect to the DB via SSL.
After a fresh installation of the same version on the laptop, the connection fails.
The problem on the desktop was solved after reinstalling 10.0.0.5460.

I can always connect from Ubuntu via mysql client.

Expected behavior

Possible solution

There is an open ticket related to TLS handshake problem.

Environment

  • HeidiSQL - 10.0.0.5460
  • MariaDB - 10.1.37
  • Windows 7 Pro
@mochour
Author

mochour commented Jan 29, 2019

If you open a connection from the command line with --sslcipher=DHE-RSA-AES256-SHA (which is used for my Linux connection), I get the same error as in issue

@jacFerron

The same problem was resolved by modifying the Windows registry (Windows 7):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002

as explained in this link (see the ticket above, Possible Solution -> ticket):
Transport Layer Security (TLS) Handshake Failing

@mochour
Author

mochour commented Jan 30, 2019

Thanks for your suggestion, but this is probably not the solution to the problem :-(.

The registry keys are the same on both PCs.

@jacFerron

I have just moved these lines to the top of the registry:
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA

Then it works fine.

@mochour
Author

mochour commented Feb 1, 2019

This doesn't help. Same error.

@mochour
Author

mochour commented Feb 12, 2019

The only difference that I can see between the workstation and the laptop is that the connections to MariaDB on the laptop are marked by the MySQL icon in the session manager. I am able to connect from the laptop to Azure db via SSL.

@mochour
Author

mochour commented Feb 22, 2019

The problem is in the self-signed certificate and CA deployment on the client.

I see that after "Server Key Exchange, Certificate Request, Server Hello Done" follows a [RST, ACK] client response. I do not know what the problem in HeidiSQL is, but it is clearly connected with the trust store of the self-signed certificates.

I have to say that I am quite disappointed by the level of support. The issue has not even been investigated by anyone for more than 3 weeks :-(.

Great customer support ...

Thanks to @jacFerron for some hints ....

@ansgarbecker
Collaborator

Be sure I am reading your comments here. Though HeidiSQL is not commercial, and so you cannot expect such support as in commercial products probably.

I also have no clue about the cause here. Apart from downgrading HeidiSQL to 9.5 I cannot tell you anything yet. The comments are also confusing, as the first post tells me it happened on 10.0, while the current version is 10.1. Also, do I understand right that one pc is running the SSL connection fine and the other one not?

@mochour
Author

mochour commented Feb 23, 2019

Hi,

I do not expect the same support as for a commercial product, but at least when you don't know, just say it. No problem at all.

The version is not important; I've tried 10.0.X and up and also the current 10.1. Same problem.

I keep the version the same for reference purposes.

Yes, I have two PCs with almost the same environment (W7 Pro, 64-bit, upgraded, HeidiSQL 10.0.0.5460, installed self-signed certificates etc.).

I can connect from one and not from the other.
I can connect via mysql (Cygwin) from both and from any linux server.
I can connect from all to MS Azure MariaDB instance via SSL even with HeidiSQL.

This leads me to the conclusion that there is a problem with handling and trust to self-signed CA certificates.
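
An added example (not from the thread or from HeidiSQL): a Python probe that performs MySQL's in-protocol TLS upgrade and validates the server chain against a single CA file, so a certificate trust failure can be told apart from a cipher or protocol failure. The function names, the sample greeting bytes and the flag set sent in the SSLRequest are assumptions of this example.

```python
import socket
import ssl
import struct

CLIENT_PROTOCOL_41, CLIENT_SSL, CLIENT_SECURE_CONNECTION = 0x0200, 0x0800, 0x8000
# Constructed sample greeting payload (not captured from a real server).
SAMPLE_GREETING = (b"\x0a" + b"5.5.5-10.1.37-MariaDB\x00" + b"\x14\x00\x00\x00"
                   + b"A" * 8 + b"\x00" + struct.pack("<H", 0xFFFF))

def parse_greeting(payload):
    """Return (server_version, offers_tls) from a protocol-10 greeting payload."""
    if payload[:1] != b"\x0a":
        raise ValueError("not a protocol-10 greeting (possibly an error packet)")
    end = payload.index(b"\x00", 1)  # server version is NUL-terminated
    # Skip connection id (4), auth data part 1 (8) and filler (1) to reach the flags.
    (caps_low,) = struct.unpack_from("<H", payload, end + 14)
    return payload[1:end].decode("ascii", "replace"), bool(caps_low & CLIENT_SSL)

def build_ssl_request():
    """SSLRequest packet: flags(4) max_packet(4) charset(1) filler(23), sequence id 1."""
    flags = CLIENT_PROTOCOL_41 | CLIENT_SSL | CLIENT_SECURE_CONNECTION
    body = struct.pack("<IIB23x", flags, 1 << 24, 33)  # 33 = utf8_general_ci
    return len(body).to_bytes(3, "little") + b"\x01" + body

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf

def probe(host, port, cafile):
    """Return a one-line verdict: negotiated TLS, trust failure, or handshake failure."""
    ctx = ssl.create_default_context(cafile=cafile)  # trust only this CA file
    with socket.create_connection((host, port), timeout=10) as raw:
        header = recv_exact(raw, 4)  # 3-byte little-endian length + sequence id
        version, offers_tls = parse_greeting(recv_exact(raw, int.from_bytes(header[:3], "little")))
        if not offers_tls:
            return f"{version}: server does not offer TLS"
        raw.sendall(build_ssl_request())  # TLS starts right after this packet
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return f"{version}: {tls.version()} {tls.cipher()[0]}, chain verified"
        except ssl.SSLCertVerificationError as err:
            return f"{version}: certificate trust failure: {err.verify_message}"
        except ssl.SSLError as err:
            return f"{version}: TLS handshake failure: {err}"
```

Python uses OpenSSL rather than the Windows SChannel stack behind error 0x80090308, so a successful `probe(host, 3306, cafile)` clears the server and the CA file but not the client library on the affected PC.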

@ansgarbecker
Collaborator

Ok, you have 10.0 installed, and use MariaDB with the shipped libmariadb.dll, which is then from Connector v3.0.8 / Server 10.3.6. Perhaps we find an issue wrt self signed certificates with this particular version.

@ansgarbecker
Collaborator

Found this, which might be irrelevant, because it's for the Java Connector:
https://mariadb.com/kb/en/library/using-tls-ssl-with-mariadb-java-connector/#handling-self-signed-certificates
Apart from that there seems to be not much helpful at least on Google.

@mochour
Author

mochour commented Feb 26, 2019

It is not the case. I see from the Wireshark log that I receive both the CA and server cert on the client.

Do you use an external library for handling SSL?
Is the connection provided by libmariadb.dll?
I see that the content of C:\Program Files\HeidiSQL is different on the PCs. Should it be a problem?

@ansgarbecker
Collaborator

Yes, connecting is done by mysql_real_connect in libmariadb.dll, if it exists. If not, Heidi tries to load an older libmysql.dll from the same folder. You can delete libmariadb.dll for testing purposes and try if that connects then.

@mochour
Author

mochour commented Feb 27, 2019

Where can I find the project for libmariadb?

@ansgarbecker
Collaborator

Related

In my recent commit 51da7c8 I am now setting MARIADB_OPT_TLS_VERSION to 'TLSv1,TLSv1.1,TLSv1.2,TLSv1.3' via mysql_options. Now at least the forum poster can again connect to his MySQL 8.0 server, but no longer to a v5.7 server.

@mochour did you accidentally close this or is it fixed for you on MariaDB 10.1? Does it also run on MySQL 5.7 (or older) for you?

@mochour
Author

mochour commented Jun 4, 2019

The problem was not in HeidiSQL but in the connector provided by MariaDB (see here).
Because I had to upgrade from Win7 to Win10 on my laptop the problem was not reproducible anymore. I suggested to close the issue.

The problem is somehow living on MariaDB forum (see here).

@ansgarbecker
Collaborator

As I still can reproduce that on Win10, connecting with SSL to a MySQL v5.7 server, I am reopening this issue. The forum thread also has some useful details.

@ansgarbecker ansgarbecker reopened this Jun 4, 2019
@ansgarbecker ansgarbecker added this to the v10.3 milestone Jun 4, 2019
@ansgarbecker
Collaborator

ansgarbecker commented Jun 4, 2019

Two ideas for workarounds:

@rentalhost
Contributor

Could they not be loaded together and decided based on the MySQL version? Or do it for MARIADB_OPT_TLS_VERSION?

@ansgarbecker
Collaborator

Loaded together? No, both of these DLLs are already there, but the newer one is preferred. The older one is currently just used as a fallback, when the other one was not installed, for some reason. But it seems the older one now does not throw this "Unknown SSL error" on older servers, while it does on MySQL 8 for example, where the newer one succeeds.

@ansgarbecker
Collaborator

My advertised "Library" dropdown is in the latest builds, with an additional libmysql-6.1.dll for servers which won't work with one of the other libmysql.dll or libmariadb.dll:

Please install the newer builds if you still see this issue, and test out the 3 libraries. Please use the installer from the download build section, not just the heidisql.exe file!

@Saibamen

Saibamen commented Oct 9, 2019

@ansgarbecker: Installing HSQL from the latest build installer (upgrading from HSQL did not work) and selecting libmysql-6.1.dll solved my Certificate signature check failed problem. Thanks :)

@ansgarbecker
Collaborator

Thanks for your feedback, @Saibamen!

@Saibamen

Saibamen commented Oct 9, 2019

@ansgarbecker: Don't close this issue.
I have MySQL, not MariaDB.

@mochour Please retest

@ansgarbecker
Collaborator

Ok, I'll wait for @mochour then.

@ansgarbecker ansgarbecker reopened this Oct 10, 2019
@mochour
Author

mochour commented Oct 10, 2019

Because I had to upgrade from Win7 to Win10, the problem is not reproducible anymore. I suggested to close the issue.

I can connect to MariaDB via SSL with the latest HSQL 10.2.0 without any problem.

@ansgarbecker
Collaborator

Ok, just shout if this seems again broken at some point.

@kpenza

kpenza commented Feb 1, 2020

@ansgarbecker: I tried the test case defined in MDEV-13492 on Windows 10 Build 1809 and HeidiSQL 10.3.0.5771 with no success.

These are the error messages with the different libraries:

  • libmariadb.dll - Unknown SSL error (0x80090308)
  • libmysql-6.1.dll - Unknown SSL error: unknown error number
  • libmysql.dll - Unknown SSL error: unknown error number

The connection succeeds using command line:

C:\temp\mariadb-10.4.11-winx64\bin>mysql -V
mysql  Ver 15.1 Distrib 10.4.11-MariaDB, for Win64 (AMD64), source revision 7c2c420b70b19cc02b5281127205e876f3919dad

C:\temp\mariadb-10.4.11-winx64\bin>mysql --user=penzk001 --password --host=srv01.dbservers.internal.local --port=3306 --ssl-ca=c:\temp\ca-chain.cert.pem
Enter password: ********
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 20
Server version: 10.3.14-MariaDB-log MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> \s
...
SSL:                    Cipher in use is DHE-RSA-AES256-GCM-SHA384
...
MariaDB [(none)]>

@Saibamen

Saibamen commented Feb 1, 2020

@kpenza: Did you install latest nightly Heidi by updating existing installation, or installing latest nightly version by nightly installer from here: https://www.heidisql.com/download.php#nightlybuilds ?

@kpenza

kpenza commented Feb 4, 2020

@Saibamen I have installed the latest nightly build (10.3.0.5861) using the installer and got the same errors:

These are the error messages with the different libraries:

libmariadb.dll - Unknown SSL error (0x80090308)
libmysql-6.1.dll - Unknown SSL error: unknown error number
libmysql.dll - Unknown SSL error: unknown error number

The issue is fixed in the latest version of the MariaDB Connector/C library. I have upgraded the MariaDB Connector/C from 3.1.4 to 3.1.7 available from Connectors/c/connector-c-3.1.7/ and the SSL connection now works fine.

@ansgarbecker
Collaborator

Ok I'll pull an update of that lib.

@ansgarbecker ansgarbecker reopened this Feb 4, 2020
@ansgarbecker ansgarbecker modified the milestones: v10.3, v11.0 Feb 4, 2020
@ansgarbecker
Collaborator

Next built installer has libmariadb.dll v3.1.7, hopefully fixing some issues here.

@fobrs

fobrs commented Dec 1, 2021

Hi, I get this same error with connector-c-3.1.12 and connector-c-3.1.15. Could there be a regression?
