Just a small update, MDEV-13492 updated with the mentioned details.

Kenneth

On Sat, Oct 26, 2019 at 2:45 PM Kenneth Penza <kpenza@gmail.com> wrote:
Hi Vladislav,

Thanks for the feedback. I will update MDEV-13492 (https://jira.mariadb.org/browse/MDEV-13492) with the setup details, certificate generation and network traces.

Kenneth



On Fri, Oct 25, 2019 at 7:00 PM Vladislav Vaintroub <vvaintroub@gmail.com> wrote:

Hi Kenneth,

 

There have been some reports about these symptoms, but nothing that we would be able to reproduce on any of our machines.

So far I think the SSL handshake error that was seen was either intermittent “Unknown SSL error (0x80090308)”, say one in a couple of hundred attempts, for which a workaround is planned (https://jira.mariadb.org/browse/CONC-417 and several others). The occasional handshake error seems to be Schannel’s own bug, which we could reproduce on some machines, and IIRC could work around by disabling some ciphers by fiddling in Schannel’s registry.

The second one that I heard of was a complaint by a user that his self-issued certificate works and the company-issued certificate does not, failing always with Unknown SSL error (0x80090308). Unfortunately that user did not provide any detail on what he was seeing apart from this cryptic description.

The most reasonable thing you could do to help us to help you is to use that existing bug in JIRA to provide as much information as possible about your case, i.e. whether or not the bug is sporadic, whether you’re trying to force a specific cipher, details of the certificate you’re using on the server side, and a network trace that you can collect e.g. with Wireshark or tcpdump on either the server or the client side.

Now, why the MySQL client does not fail: it is using the same SSL implementation (OpenSSL) on both the client and server side.

 

From: Kenneth Penza
Sent: Friday, 25 October 2019 11:07
To: Mailing-List mariadb
Subject: [Maria-discuss] SSL issue with Windows MariaDB client

 

Good morning,

 

Whilst testing SSL of a MariaDB server version 10.4.8 running Linux from a Windows 10 machine, I noted that a connection using the MySQL client (mysql-8.0.18-winx64) connects successfully; however, connections with the MariaDB client (mariadb-10.4.8-winx64) fail.

C:\temp\mariadb-10.4.8-winx64>mysql --user=penzk001 --password --host=<hostname> --port=3306 --tls-version=TLSv1.2 --ssl-ca=c:\temp\CACert.pem

Enter password: ********
ERROR 2026 (HY000): Unknown SSL error (0x80090308)

C:\temp\mariadb-10.4.8-winx64\bin> cd ..\mysql-8.0.18-winx64\bin

C:\temp\mysql-8.0.18-winx64\bin>  mysql --user=penzk001 --password --host=<hostname> --port=3306 --tls-version=TLSv1.2 --ssl-ca=c:\temp\CACert.pem 

Welcome to the MySQL monitor.  Commands end with ; or \g.

...

mysql>\s

...

SSL:                    Cipher in use is DHE-RSA-AES128-GCM-SHA256

...

mysql>  

 

To ensure that the SSL certificate is valid I also tried "--ssl-mode=VERIFY_IDENTITY" with the mysql-8.0.18 client and it worked fine.

 

Regards

Kenneth
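
Added example, not part of the thread and not MariaDB project code: one way to collect the server certificate details and negotiated cipher that the reply asks for, by performing the MariaDB/MySQL in-protocol TLS upgrade by hand. It uses Python's OpenSSL-backed `ssl` module, so it reports what an OpenSSL client negotiates, not what Schannel does; the function names and the sample greeting are constructed for illustration.

```python
import socket, ssl, struct

CLIENT_PROTOCOL_41, CLIENT_SSL = 0x0200, 0x0800  # MySQL/MariaDB capability bits

# Constructed sample greeting payload (not captured from the thread's server).
SAMPLE_GREETING = (b"\x0a" + b"5.5.5-10.4.8-MariaDB\x00" + struct.pack("<I", 42)
                   + b"A" * 8 + b"\x00" + struct.pack("<HBHH", 0xFFFF, 33, 2, 0x81FF))

def parse_greeting(payload):
    """Return (server_version, capability_flags) from a HandshakeV10 payload."""
    if payload[0] != 10:
        raise ValueError("not a protocol 10 greeting (server sent an error?)")
    end = payload.index(b"\x00", 1)      # version string is NUL-terminated
    pos = end + 1 + 4 + 8 + 1            # skip connection id, auth data, filler
    low, _charset, _status, high = struct.unpack_from("<HBHH", payload, pos)
    return payload[1:end].decode(), low | (high << 16)

def build_ssl_request(seq=1):
    """SSLRequest packet: tells the server that a TLS ClientHello follows."""
    payload = struct.pack("<IIB23x", CLIENT_PROTOCOL_41 | CLIENT_SSL, 1 << 24, 33)
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

def read_packet(sock):
    """Read one protocol packet: 3-byte length, 1-byte sequence, payload."""
    def exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("server closed the connection")
            buf += chunk
        return buf
    return exact(int.from_bytes(exact(4)[:3], "little"))

def probe(host, port=3306, cafile=None):
    """Upgrade to TLS 1.2 with chain and hostname checks; return report fields."""
    with socket.create_connection((host, port), timeout=10) as raw:
        version, caps = parse_greeting(read_packet(raw))
        if not caps & CLIENT_SSL:
            raise RuntimeError("server does not advertise TLS")
        raw.sendall(build_ssl_request())
        ctx = ssl.create_default_context(cafile=cafile)
        ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"server": version, "tls": tls.version(), "cipher": tls.cipher()[0],
                    "subject": cert.get("subject"), "issuer": cert.get("issuer"),
                    "san": cert.get("subjectAltName"), "not_after": cert.get("notAfter")}
```

Calling `probe("<hostname>", cafile=r"c:\temp\CACert.pem")` against the server returns a dictionary that can be pasted into the bug report alongside the network trace.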