mysql ssl连接错误_MySQL 5.1.66 SSL连接错误ERROR 2026(HY000)

UPDATE2

使用WireShark我发现问题字符串(我希望我这样做)：

28 | 9.582638 | 192.168.18.128 | 192.168.18.129 | MySQL Response Error 1043

错误是(根据docs)：

Error: 1043 SQLSTATE: 08S01 (ER_HANDSHAKE_ERROR)

Message: Bad handshake

以下是两种情况下WireShark的屏幕截图：

从Windows 8连接(成功)：

从CentOS连接(失败)：

为什么会这样？

UPDATE

一个有趣的通知：

我已经使用Windows 8(192.168.18.1)通过修改Master for 192.168.18.1主机上的ssluser设置成功连接Master DB – 进行了更改：从REQUIRE SSL到REQUIRE X509.但是,在我们使用slave-to-master连接的情况下,这不起作用.

我在CentOS-6.3中遇到过SSL复制问题.我使用OpenSSL创建客户端和服务器证书,客户端和服务器证书都由同一个CA签名.

Server IP: 192.168.18.128

Slave IP: 192.168.18.129

MySQL version 5.1.66 SSL

服务器的my.cnf文件：

[mysqld]

ssl-key=/etc/mysql/certs/server-key.pem

ssl-cert=/etc/mysql/certs/server-cert.pem

ssl-ca=/etc/mysql/certs/ca-cert.pem

客户的my.cnf文件：

[client]

ssl-ca=/etc/mysql/ssl/ca-cert.pem

ssl-key=/etc/mysql/ssl/client-key.pem

ssl-cert=/etc/mysql/ssl/client-cert.pem

在Master上我使用SSL设置了奴隶用户,如下所示：

CREATE USER 'ssluser'@'192.168.18.129' IDENTIFIED BY 'sslpass';

GRANT REPLICATION SLAVE ON *.* TO 'ssluser'@'192.168.18.129' REQUIRE SSL;

要更新Slave我使用以下命令(根据show master status命令)：

SLAVE STOP;

CHANGE MASTER TO \

MASTER_HOST='192.168.18.128', \

MASTER_USER='sslreplicant', \

MASTER_PASSWORD='db.sslreplicantprimary', \

MASTER_LOG_FILE='mysql-bin.000026', \

MASTER_LOG_POS=106, \

MASTER_SSL=1, \

MASTER_SSL_CA='/etc/mysql/certs/ca-cert.pem', \

MASTER_SSL_CAPATH='/etc/mysql/certs/', \

MASTER_SSL_CERT='/etc/mysql/certs/client-cert.pem',\

MASTER_SSL_KEY='/etc/mysql/certs/client-key.pem';

SLAVE START;

复制本身工作正常：

mysql> SHOW VARIABLES LIKE '%ssl%';

have_openssl = YES

have_ssl = YES

ssl_ca = /etc/mysql/certs/ca-cert.pem

ssl_capath =

ssl_cert = /etc/mysql/certs/server-cert.pem

ssl_cipher =

ssl_key = /etc/mysql/certs/server-key.pem

这是 – 在Master和Slave上.

但是当我手动检查从Slave到Master的连接时,我收到错误.

以下是我到目前为止尝试的选项(每个人的结果相同)：

[gahcep@localhost ~]$mysql -u ssluser -h 192.168.18.128 -p

[gahcep@localhost ~]$mysql --ssl --ssl-ca=/etc/mysql/certs/ca-cert.pem \

-u ssluser -h 192.168.18.128 -p

[gahcep@localhost ~]$mysql --ssl-ca=/etc/mysql/certs/ca-cert.pem \

--ssl-cert=/etc/mysql/certs/client-cert.pem \

--ssl-key=/etc/mysql/certs/client-key.pem \

-u ssluser -h 192.168.18.128 -p

Enter password:

ERROR 2026 (HY000): SSL connection error

重现步骤：

>设置/创建由相同ca签名的客户端和服务器证书.

>在此线程中提到的客户端和服务器上设置my.cnf文件

>在master上为slave创建ssluser

> mysql -u ssluser -h 192.168.18.128 -p

请注意,我确实为所有证书使用了不同的通用名称：CA,clien和server.

附加信息

验证结果：

[gahcep@localhost ~]$sudo openssl verify -purpose sslclient \

-CAfile /etc/mysql/certs/ca-cert.pem /etc/mysql/certs/client-cert.pem

/etc/mysql/certs/client-cert.pem: OK

[gahcep@localhost ~]$sudo openssl verify -purpose sslserver \

-CAfile /etc/mysql/certs/ca-cert.pem /etc/mysql/certs/server-cert.pem

/etc/mysql/certs/server-cert.pem: OK

证书信息：

CA：

[gahcep@localhost ~]$sudo openssl x509 -noout -subject -issuer -dates \

-serial -hash -fingerprint -in /etc/mysql/certs/ca-cert.pem

subject= /C=RU/L=Vladivostok/O=Default Company Ltd/CN=PriSec

issuer= /C=RU/L=Vladivostok/O=Default Company Ltd/CN=PriSec

notBefore=Jan 4 06:27:46 2013 GMT

notAfter=Nov 13 06:27:46 2022 GMT

serial=B45D177E85F99578

c2c5b88b

SHA1 Fingerprint=5B:07:AA:39:28:24:CE:1A:CF:35:FA:14:36:23:65:8F:84:61:B0:1C

客户证书：

[gahcep@localhost ~]$sudo openssl x509 -noout -subject -issuer -dates \

-serial -hash -fingerprint -in /etc/mysql/certs/client-cert.pem

subject= /C=RU/L=Vladivostok/O=Default Company Ltd/CN=Secondary

issuer= /C=RU/L=Vladivostok/O=Default Company Ltd/CN=PriSec

notBefore=Jan 4 06:29:07 2013 GMT

notAfter=Nov 13 06:29:07 2022 GMT

serial=01

6df9551f

SHA1 Fingerprint=F5:9F:4A:14:E8:96:26:BC:71:79:43:5E:18:BA:B2:24:BE:76:17:52

服务器证书：

[gahcep@localhost ~]$sudo openssl x509 -noout -subject -issuer -dates \

-serial -hash -fingerprint -in /etc/mysql/certs/server-cert.pem

subject= /C=RU/L=Vladivostok/O=Default Company Ltd/CN=Primary

issuer= /C=RU/L=Vladivostok/O=Default Company Ltd/CN=PriSec

notBefore=Jan 4 06:28:25 2013 GMT

notAfter=Nov 13 06:28:25 2022 GMT

serial=01

64626d57

SHA1 Fingerprint=39:9E:7A:9E:60:9A:58:68:81:2F:90:A5:9B:BF:E8:26:C5:9D:3C:AB

目录Permissions：

在师父：

[gahcep@localhost ~]$ls -la /etc/mysql/certs/

drwx------. 3 mysql mysql 4096 Jan 3 23:49 .

drwx------. 3 mysql mysql 4096 Jan 3 07:34 ..

-rw-rw-r--. 1 gahcep gahcep 1261 Jan 3 22:27 ca-cert.pem

-rw-rw-r--. 1 gahcep gahcep 1675 Jan 3 22:27 ca-key.pem

-rw-rw-r--. 1 gahcep gahcep 1135 Jan 3 22:28 server-cert.pem

-rw-rw-r--. 1 gahcep gahcep 1679 Jan 3 22:28 server-key.pem

-rw-rw-r--. 1 gahcep gahcep 976 Jan 3 22:28 server-req.pem

在奴隶：

[gahcep@localhost ~]$ls -la /etc/mysql/certs/

drwx------. 3 mysql mysql 4096 Jan 3 22:57 .

drwx------. 3 mysql mysql 4096 Jan 3 07:50 ..

-rw-r--r--. 1 root root 1261 Jan 3 22:56 ca-cert.pem

-rw-r--r--. 1 root root 1139 Jan 3 22:57 client-cert.pem

-rw-r--r--. 1 root root 1675 Jan 3 22:57 client-key.pem

如果有人可以提出解决方案,我真的很感激！