MySQL and SSL connection failing ERROR 2026 (HY000)
Note: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me): StackOverFlow
Original URL: http://stackoverflow.com/questions/20459056/
Asked by mvsjes2
I have a wildcard cert issued from rapidssl, using CN=*.mydomain.com. I have a web server and a mysql db server. The certs are working fine for web site access. Now I want to enable ssl for my app to mysql. I've enabled ssl in the mysql server without issue:
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl  | YES   |
| have_ssl      | YES   |
+---------------+-------+
However, when I try to connect using the client/ssl, I get: ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
This appears to be documented here: http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html
It says I can't use the same CN for the certs. I don't understand how a wildcard cert can be used then. Does that mean I also have to purchase host specific certs just for the mysql connection?
I don't work with SSL very much so I'm finding it difficult figuring out how this is supposed to be set up. Any pointers, even obvious ones, will likely help at this stage.
Running: mysql Ver 15.1 Distrib 5.5.32-MariaDB, for debian-linux-gnu (x86_64) using readline 5.1 ubuntu 12.04
Answered by jvd10
Make sure to use an absolute path to the ca-cert given for the --ssl-ca option.
Relative paths, or shell expansions (like ~) won't work and will produce ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation.
This isn't documented anywhere that I can see in the mysql man page, or in the SSL Command Options of the MySQL Manual (http://download.nust.na/pub6/mysql/doc/refman/5.1/en/ssl-options.html).
Answered by GianNN
I have a similar issue; apparently, from what I have read, all the binary (precompiled) versions of MySQL Community Edition (maybe the same applies to MariaDB) come bundled with yaSSL, not OpenSSL, so some limitations and restrictions from that library exist. According to the MySQL manual (https://dev.mysql.com/doc/refman/5.6/en/secure-connection-options.html):
"yaSSL does not look in any directory and does not follow a chained certificate tree. yaSSL requires that all components of the CA certificate tree be contained within a single CA certificate tree and that each certificate in the file has a unique SubjectName value. To work around this yaSSL limitation, concatenate the individual certificate files comprising the certificate tree into a new file and specify that file as the value of the --ssl-ca option."
If you want to check whether your MySQL installation uses yaSSL or OpenSSL, you can follow the steps in this forum (http://mysqlblog.fivefarmers.com/2013/05/14/how-to-tell-whether-mysql-server-uses-yassl-or-openssl/). It tells you to look at the status variable 'Rsa_public_key' with 'show status like '%rsa%''; if your MySQL installation comes with yaSSL, the result must be empty because no such variable exists in distributions with yaSSL.
Another possible cause is that the hostname on your server doesn't match the subject of the server certificate (argument of the --ssl-cert parameter); to check that, compare the output of the command
shell> hostname
with the DNS subject in the server certificate, which you can get using the next command (look at the part where it says "X509v3 Subject Alternative Name:"):
shell> openssl x509 -in "your-server-certificate" -noout -text
If none of this works, you could see the next page: http://milcom.us/2012/11/02/encrypted-mysql-connections/
PS: English is not my native language, sorry for any grammatical error
Answered by angelcool.net
I was having the following error:
[root@example ~]$ mysql
ERROR 2026 (HY000): SSL connection error
FIX that worked for me: the server and client "Common Name" in the certificates must be different from the CA's. After changing the CNs the error stopped; I verified the connection status:
mysql> status;
...
SSL: Cipher in use is DHE-RSA-AES256-SHA
...
Source:
"Important: Whatever method you use to generate the certificate and key files, the Common Name value used for the server and client certificates/keys must each differ from the Common Name value used for the CA certificate. Otherwise, the certificate and key files will not work for servers compiled using OpenSSL."
http://dev.mysql.com/doc/refman/5.0/en/creating-ssl-certs.html
PS: I'm not using wildcard certificates and/or a third-party CA; I'm creating my own signed certificates, which works OK for me: http://angelcool.net/sphpblog/comments.php?y=14&m=05&entry=entry140511-164525
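The checks described in GianNN's answer (a single-file CA bundle with unique SubjectName values, and the hostname matching the certificate's SAN) and in angelcool.net's answer (server and client CN must differ from the CA CN) can be scripted. The following is an added example, not code from any of the answers or from MySQL: it assumes only that the openssl command-line tool is installed, builds a throwaway CA, server and client certificate set with made-up names (Example MySQL CA, db.example.test, mysql-client) in a directory you pass in, and then runs those three checks against the generated files. Point the check functions at your real ca-bundle.pem, server-cert.pem and client-cert.pem to verify a production setup.

```shell
#!/bin/sh
# Added example (not from the original answers). Assumes the openssl CLI is on PATH.
set -eu

# Generate a constructed test PKI in directory $1. All names are made up.
make_test_pki() {
  dir="$1"
  # Self-signed CA with its own CN.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example MySQL CA" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null
  # Server cert: CN differs from the CA, and carries a DNS SAN for the DB host.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=db.example.test" \
    -keyout "$dir/server-key.pem" -out "$dir/server-req.pem" 2>/dev/null
  printf 'subjectAltName=DNS:db.example.test\n' > "$dir/server-ext.cnf"
  openssl x509 -req -in "$dir/server-req.pem" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
    -CAcreateserial -days 365 -extfile "$dir/server-ext.cnf" \
    -out "$dir/server-cert.pem" 2>/dev/null
  # Client cert: a third, distinct CN.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mysql-client" \
    -keyout "$dir/client-key.pem" -out "$dir/client-req.pem" 2>/dev/null
  openssl x509 -req -in "$dir/client-req.pem" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
    -CAcreateserial -days 365 -out "$dir/client-cert.pem" 2>/dev/null
  # The single-file CA bundle yaSSL needs. Here it is only the root; with an
  # intermediate you would cat root and intermediate into the same file.
  cat "$dir/ca.pem" > "$dir/ca-bundle.pem"
}

# Print the CN of the certificate in file $1.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Print how many subjects are repeated inside PEM bundle $1 (0 means yaSSL-safe).
duplicate_subjects() {
  tmp=$(mktemp -d)
  # Split the bundle into one file per certificate, then list each subject.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/c" n ".pem")}' "$1"
  for f in "$tmp"/c*.pem; do
    openssl x509 -in "$f" -noout -subject -nameopt RFC2253
  done | sort | uniq -d | wc -l | tr -d ' '
  rm -rf "$tmp"
}

# Succeed when the CA CN ($1) differs from both the server ($2) and client ($3) CN.
ca_cn_distinct() {
  ca=$(cert_cn "$1"); srv=$(cert_cn "$2"); cli=$(cert_cn "$3")
  [ "$ca" != "$srv" ] && [ "$ca" != "$cli" ]
}

# List the DNS entries of the Subject Alternative Name of certificate $1, one per line.
# This is the "X509v3 Subject Alternative Name:" section of openssl x509 -text.
san_dns_names() {
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/{getline; print}' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | sed -n 's/^DNS://p'
}

# Succeed when hostname $2 appears verbatim among the SAN DNS names of certificate $1.
# Compare against the output of `hostname` on the DB server.
cert_matches_hostname() {
  san_dns_names "$1" | grep -qx -- "$2"
}
```

On a real installation, run `ca_cn_distinct ca.pem server-cert.pem client-cert.pem`, `duplicate_subjects ca-bundle.pem` (expect 0) and `cert_matches_hostname server-cert.pem "$(hostname)"`; a failure of any one of them is a configuration that the answers above report as producing ERROR 2026.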
Answered by Cameron Kerr
MySQL doesn't work with wildcard certificates. There are a number of deficiencies with MySQL and SSL.
See my post on Getting MySQL server to run with SSL (and also the post that I refer to therein).
Answered by toontong
I connect from CentOS-7 (version of 5.6.29-76.2-log Percona Server and Client) to CentOS-6 (Server version: 5.6.23-72.1-log Source distribution Percona) and also get this issue.
Adding the option will fix it:
--ssl-cipher=AES128-SHA
Maybe another ssl-cipher will also fix it.