MySQL Connection over SSL

smcpeck posted 2 years ago in General
I am getting the following error when trying to connect over SSL to a MySQL server: SSL connection error: ASN: bad other signature confirmation

I can connect via the command line in Linux from the server and also from a remote machine.
I can connect in Windows (from the same machine where Heidi fails) via MySQL Workbench (the latest) using the exact same 3 PEM files.

This all leads me to believe that Heidi is doing something odd when trying to establish the connection.

Any thoughts?
ansgar posted 2 years ago
No clue. One poster in this thread left the CA certificate away to solve the error. You could try that.

Probably this thread is helpful for you.
e0steven posted 2 years ago
Those links are kinda helpful, however considering that literally anything except Heidi works points me in the direction that something in the SSL implementation in HeidiSQL doesn't play nice.

I've tried connecting using mysql command line on the machine and on a remote machine both work.

I've tried HeidiSQL inside the firewall and from outside the firewall it throws the same error. I've re-created the certs several times, no dice.

If it helps at all I'm running the latest version of CentOS, OpenSSL, and Percona Server though the 'standard' command line and workbench connect just fine.

e0steven posted 2 years ago
Yep, this is still an issue. Messing with the CA doesn't seem to do anything. I can only think it's a mismatch or mess up with the latest versions of OpenSSL and whatever implementation HeidiSQL uses. The error is still SSL connection error: ASN: bad other signature confirmation
it works perfectly fine using the built in mySQL Workbench (which is pretty crappy) or using the command line. Clearly a Heidi issue...shame since we had a green light to standardize to this from Navicat :/

ansgar posted 2 years ago
Related: Issue #2336.

Just diving into the code and former issues I had with Heidi/SSL.
e0steven posted 2 years ago
Alright I'm not sure this helps or not, but I went to one of our older servers and was able to pull the certificates (CA-Cert/CA-Key/Server-Cert/Server-Key/Client-Cert/Client-Key) and was able to put them on the new machine and Heidi connected. So I'm guessing it's the certs being generated by newer versions of OpenSSL. I haven't examined the differences between the two, but I was able to get it to work with those 'old' files.

ansgar posted 2 years ago
In that case it's most probably an issue with the version of libmysql.dll, which is located in the HeidiSQL folder. You can play with it, using a newer one than the one shipped with the installer.
jweeshgst posted 2 years ago
I can verify that a similar issue was resolved by swapping out the libmysql.dll provided by the installer. I did not verify whether there was an upstream issue against the version that ships with Heidi.
ajbattrick posted 1 year ago

I fixed this same problem also, by swapping libmysql.dll from MySQL Workbench 6.3, C:\Program Files\MySQL\MySQL Workbench 6.3 CE to the HeidiSQL install folder

rasmush posted 8 months ago

I can confirm that this problem still exists.

I "fixed" it, as mentioned above, by not providing the CA-cert, but only the two client-certs.

shinnra posted 3 months ago

I think this problem lies with libmysql.dll cause I have replaced that file from the MariaDB installation and MySQL Workbench and HeidiSQL connects to server with CA, Cert and Key files specified.

libmysql.dll from HeidiSQL (Compiled on: 2017-05-18 13:19:47)
MD5: 8ad4da6dd06f1dea86eff2129b2a2b38
SHA256: afdf4976351dd147419dbd3e00206b17a776714261f025d7542f4ae3c4497901
Result: Fails to connect with CA file specified
libmysql.dll from MariaDB 10.1
MD5: 227245c1d738984a543fe148de4b39b1
SHA256: c6c9728a8c43a2cd5a90444a13e0a548c28dc1f810ef76fb34a7cf13d0f2eb1a
Result: Connects without any errors
libmysql.dll from MySQL Workbench 6.3.8 build 1228 CE
MD5: 1777dd0ab994e771ffda0b96f747c84e
SHA256: 50bbf342e2c2a532069dad96589c2e3937ad9a56680f9e4a12d8b79ad843b08a
Result: Connects without any errors

IMHO best solution is to use more recent libmysql.dll file in HeidiSQL.

All hashes computed using Windows certutil.

gutto posted 3 months ago

Having the same problem.

uve posted 2 months ago

I have a new maria database. It is set to use TLSv1.2 (openSSL). Normally I use workbench, but it does not support TLSv1.2 - only TLSv1.1. Same for Navicat - but comes in the next version. I am a new user of HeidiSQL. It's super good, brilliant to move data between databases. But it also does not support TLSv1.2. Any plan for support TLSv1.2 - are there any schedules? Right now I'm back on TLSv1 - where everything works.

trgfree posted 2 months ago

rasmush was right

solved my problem

I "fixed" it, as mentioned above, by not providing the CA-cert, but only the two client-certs.

MiSAKACHi posted 2 months ago

Hi all,

For reference, a possible fix to this issue is to use an updated libmysql.dll.

If you are using MariaDB, consider using the bundled libmariadb.dll, rename it to libmysql.dll then copy over to the HeidiSQL installation directory.

The location of the said file would be on the installation directory of MariaDB if you choose to install the 'Development Components' during installation. (Windows)

MiSAKACHi posted 2 months ago

In addition to this, I also found out that certificates using the sha256 as the signing hash causes this problem to pop out. I tried generating certificates with a signing hash of sha1 and the problem does not show up.

gutto posted 2 months ago

I've used the newer version of libmysql.dll as well and it worked well, but I posted here so perhaps developers would consider using new libmysql version in future releases.

Not likely but don't wanna to run in some corner case where my database got suddenly deleted just because HeidiSQL hasn't been tested against that particular libmysql version I'm using. ;)

Please login to leave a reply, or register at first.