Did Google change/update something related to VM SSL connections to Cloud SQL?


Google Cloud SQL down?

At 1am ET my VM connection to Cloud SQL over SSL decided to stop connecting and will not allow a connection.

Did Google make changes/updates?

Has been working fine for months, no changes, then all of a sudden this morning at 1am ET BAM! Won't connect to ....

Getting: Warning: mysqli_real_connect(): (HY000/2026): SSL connection error .....

SSL is not expired.

Can someone help me understand if Google made a change or if an instance can just decide on its own to change its settings in the middle of the night?

StackitUp On BEST ANSWER

Solution to the OpenSSL auto-update to 11 that breaks the SSL connection to Cloud SQL.

The following command shows the OpenSSL updates and version change that affected the GCE CentOS 6.6 VM >> Cloud SQL SSL connection (8 works, 11 won't connect):

    grep -i openssl /var/log/yum.log

    Apr 02 03:34:00 Updated: openssl-1.0.1e-30.el6.8.x86_64
    Apr 02 03:34:00 Updated: openssl-1.0.1e-30.el6.8.i686
    Jun 05 04:01:01 Updated: openssl-1.0.1e-30.el6.9.x86_64
    Jun 05 04:01:02 Updated: openssl-1.0.1e-30.el6.9.i686
    Jun 16 04:32:47 Updated: openssl-1.0.1e-30.el6.11.x86_64
    Jun 16 04:32:48 Updated: openssl-1.0.1e-30.el6.11.i686

The following steps will allow for a downgrade:

(You only need to remove an openssl if you have more than one installed, as the example above shows. Otherwise you'll only need to downgrade the 11 version your machine shows.)

    yum remove openssl-1.0.1e-30.el6.11.i686
    yum downgrade openssl-1.0.1e-30.el6.8.x86_64
    apachectl restart


This issue would have happened to any MySQL instance being connected to via OpenSSL.

The bug was that OpenSSL updated to use keys greater than 512 while MySQL did not update to use them.

Since the yum cron will get the new version again on its next round, openssl updates would need to be turned off until CloudSQL updates to a stable version that will allow keys greater than 512.
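
The yum.log check from the answer, as an added example that is not part of the original post: this script turns the openssl entries into per-architecture version transitions, so an unattended update can be lined up against the time the connection started failing. The function names and the openssl-devel line in the sample are constructed for illustration; the other sample lines are the ones quoted in the answer.

```shell
#!/bin/sh
# Constructed sample input: the six yum.log lines quoted in the answer,
# plus one constructed openssl-devel line to show that sub-packages are skipped.
sample_yum_log() {
cat <<'EOF'
Apr 02 03:34:00 Updated: openssl-1.0.1e-30.el6.8.x86_64
Apr 02 03:34:00 Updated: openssl-1.0.1e-30.el6.8.i686
Jun 05 04:01:01 Updated: openssl-1.0.1e-30.el6.9.x86_64
Jun 05 04:01:02 Updated: openssl-1.0.1e-30.el6.9.i686
Jun 16 04:32:47 Updated: openssl-1.0.1e-30.el6.11.x86_64
Jun 16 04:32:48 Updated: openssl-1.0.1e-30.el6.11.i686
Jun 16 04:32:49 Updated: openssl-devel-1.0.1e-30.el6.11.x86_64
EOF
}

# Read yum.log on stdin and print one line per change to the base openssl
# package: "<month> <day> <time> <arch> <previous> -> <new>".
openssl_transitions() {
    awk '
    $4 == "Updated:" || $4 == "Installed:" {
        pkg = $5
        sub(/^[0-9]+:/, "", pkg)             # drop an epoch prefix if present
        if (pkg !~ /^openssl-[0-9]/) next    # base package only, not openssl-devel etc.
        n = split(pkg, part, ".")
        arch = part[n]                       # last dot-separated field is the arch
        # strip the leading "openssl-" (8 chars) and the trailing ".<arch>"
        ver = substr(pkg, 9, length(pkg) - 8 - length(arch) - 1)
        prev = ((arch in last) ? last[arch] : "none")
        printf "%s %s %s %s %s -> %s\n", $1, $2, $3, arch, prev, ver
        last[arch] = ver
    }'
}

# Print only the transitions logged on a given day, e.g. "Jun 16",
# to compare against the time the SSL errors began.
openssl_changes_on() {
    openssl_transitions | awk -v m="$1" -v d="$2" '$1 == m && $2 == d'
}

# Stand-alone demo on the sample; on a real host use: openssl_transitions < /var/log/yum.log
sample_yum_log | openssl_transitions
```

yum.log timestamps are in the VM's local time zone, so convert before comparing them with an outage time noted in another zone.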