After openssl is upgraded to openssl.x86_64 0:1.0.1e-30.el6.9, mysql connections to CloudSQL start to fail with the following error.
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
If I connect from another server that isn't yet upgraded and check for the SSL cipher, this is what I see.
[root@myhostname ~]# mysql -e "SHOW STATUS LIKE 'ssl_cipher'\G"
Variable_name: Ssl_cipher
Value: DHE-RSA-AES256-SHA
So if I go back to the server with the upgraded version and check for the cipher, I see the following (identical on both servers).
[root@myhostname ~]# openssl ciphers -v "AES" | grep DHE-RSA-AES256-SHA
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
I am not an expert with SSL ciphers and encryption. So what am I missing that may be causing this issue? The only way to fix it for now was to downgrade openssl & openssl-devel.
[root@myhostname ~]# yum downgrade openssl*
Running the following from the working server and the non-working server returns the same error, where the cert, key and ca files are the files used to connect to the CloudSQL instance.
openssl s_client -connect <ip>:3306 -tls1 -cert client-cert.pem -key client-key.pem -CAfile server-ca.pem | openssl x509 -text -noout
It returns the following error, on both servers, working and not working.
140582014740296:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
unable to load certificate
140388473263944:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
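The s_client output above is the same on both hosts because a MySQL server speaks first in cleartext and only upgrades to TLS after its greeting, so a plain `openssl s_client` reads the greeting as a malformed TLS record. The sketch below is an added example, not part of the original post: it parses a constructed protocol-10 greeting (the version string, thread id and capability bits are made up) and shows that its first bytes are not a TLS record header.

```python
import struct

CLIENT_SSL = 0x0800  # MySQL capability flag: server accepts a TLS upgrade

def looks_like_tls_record(data: bytes) -> bool:
    """True if the first bytes form a plausible SSLv3/TLS record header."""
    if len(data) < 5:
        return False
    content_type, major, minor = data[0], data[1], data[2]
    return content_type in (20, 21, 22, 23) and major == 3 and minor <= 4

def parse_mysql_greeting(data: bytes) -> dict:
    """Parse the start of a MySQL protocol-10 initial handshake packet."""
    if len(data) < 5:
        raise ValueError("too short for a MySQL packet header")
    payload_len = int.from_bytes(data[0:3], "little")  # 3-byte LE length
    payload = data[4:4 + payload_len]                   # data[3] is sequence id
    if len(payload) != payload_len or payload[:1] != b"\x0a":
        raise ValueError("not a complete protocol-10 greeting")
    end = payload.index(b"\x00", 1)                     # NUL ends version string
    pos = end + 1
    try:
        thread_id = struct.unpack_from("<I", payload, pos)[0]
        # skip thread id (4), auth-plugin-data part 1 (8), filler (1)
        caps_low = struct.unpack_from("<H", payload, pos + 13)[0]
    except struct.error as exc:
        raise ValueError("greeting truncated") from exc
    return {
        "server_version": payload[1:end].decode("ascii", "replace"),
        "thread_id": thread_id,
        "offers_ssl": bool(caps_low & CLIENT_SSL),
    }

def build_sample_greeting() -> bytes:
    """Constructed greeting (not captured from any real server)."""
    payload = (b"\x0a" + b"0.0.0-constructed\x00" + struct.pack("<I", 42)
               + b"ABCDEFGH" + b"\x00" + struct.pack("<H", 0x0200 | CLIENT_SSL))
    return len(payload).to_bytes(3, "little") + b"\x00" + payload

if __name__ == "__main__":
    first = build_sample_greeting()
    print("TLS record header?", looks_like_tls_record(first))
    print("first 5 bytes as s_client reads them:", first[:5].hex())
    print(parse_mysql_greeting(first))
```

OpenSSL 1.1.1 and later accept `-starttls mysql` in `s_client`, which performs this cleartext exchange before starting the TLS handshake.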