"SSL connection error" connecting to AWS Aurora over SSL

jblount posted 2 years ago in General

Last week, for no reason that I know of, HeidiSQL stopped being able to connect to my AWS RDS/Aurora server over SSL. I get "SSL connection error: unknown error number" when I try to connect. Prior to that, it worked perfectly, and I've been using Heidi to manage this server for several months now.

Nothing changed that I'm aware of - server configuration, Heidi configuration, OS, etc., all remained identical, though I suppose it's possible Windows updated something in the background that I don't know about. I just got into the office one morning and it refused to connect. MySQL Workbench, and connecting with the command line directly, using equivalent settings, all seem to work fine. And using Heidi to connect to the same server, but without SSL turned on, works fine as well (though that is obviously not going to be usable long-term for security reasons).

I have the path to "rds-combined-ca-bundle.pem" under the "Session > Advanced > SSL CA certificate" option. When the error first started, I re-downloaded a clean copy of this file from Amazon, thinking maybe it had expired or something. This morning I did notice an updated nightly build so I tried updating to that just to see if it had fixed something, but no dice. I also tried creating a new instance of the site/session, and uninstalling/reinstalling Heidi (back to the stable version... this was after I tried the nightly), and nothing has helped so far. Still unable to connect.

Any help would be appreciated. Please let me know if you need any further information.

Thanks in advance.

Windows 10 x64 v1607 build 14393.447, HeidiSQL x64 v9.4.0.5125, AWS RDS/Aurora v1.8.1 (for whatever that's worth)

ansgar posted 2 years ago

Never saw that SSL error before. So what has been done for SSL connections in the past:

  • since r5123 from October 16, I am processing SSL parameters for starting heidisql.exe via command line.
  • adding the SSL parameters to the "Launch command line" menu command (r5070 from April 16), which adds some --ssl* parameters to the mysql.exe command
  • in r5068 from April 16 I updated several PostgreSQL libraries, including ssleay32.dll
  • r4980 from July 15 introduced support for SSL ciphers

Nothing related to your issue, I'm afraid. So I strongly suspect we have a server modification, some update or configuration change.

jblount posted 2 years ago

Ansgar,

Thank you for the reply. I'll put in a support ticket to Amazon and see if they changed something or have any suggestions for fixing the connection.

schmanks posted 2 years ago

I seem to be having the same issue.

I have been using HeidiSQL to connect to our AWS RDS Aurora cluster for months, and at some point within the last week or two something appears to have changed. Zero config changes have been made that I'm aware of, but I am now no longer able to connect.

I also get "SSL connection error: unknown error number" from Heidi. However, one difference from jblount is that I get the same error via command prompt ("ERROR 2026 (HY000): SSL connection error: unknown error number").

I'd greatly appreciate any additional insight you may gain in troubleshooting this issue.

Thanks much

Windows 7 x64, HeidiSQL x64 v9.4.0.5125, AWS RDS Aurora 5.6.10a engine

schmanks posted 2 years ago

For what it's worth, I was able to fix the issue by downloading a newer version of libmysql.dll and dropping it in the HeidiSQL installation folder on top of the existing file (from v5.6.6 to v5.7.12).

Since jblount mentioned MySQL Workbench worked just fine, I decided to download and give it a try - it worked fine for me as well. So I just grabbed that dll from the Workbench install.

Hope that helps

jblount posted 2 years ago

Interesting. Have you noticed any unintended side effects from swapping out the dll? The version jump seems pretty big. If it fixed this one thing, I would be concerned that it does even more things differently than the application is expecting.

I swapped mine out as well (my version from Workbench was 5.6.24) and that did indeed fix the connection problem, seems like it's good for now.

Thanks.

schmanks posted 2 years ago

I have not seen any unintended side effects as of yet but would agree that was a large jump in versions. Perhaps I will try to find v5.6.24 as it's at least a minor revision and you've confirmed it works as well.

Thanks

jblount posted 2 years ago

FWIW, Amazon replied with the following:

Aurora has identified an SSL issue in version 1.8 that has since been fixed in 1.8.1. Your instance is still on 1.8 so I recommend following the procedure below to move to the newest version: Choosing a cluster in the RDS console cluster page, choosing "Cluster Actions", and then choosing "Upgrade Now"

When I do "select @@aurora_version;" from the instance, I'm already getting 1.8.1, so I'm not really sure what to do. It would appear I'm already on the latest version. I agree that I haven't seen any other weird behavior so far, so I guess I'll just run this updated DLL for now and hope that it's stable.

schmanks posted 2 years ago

Interesting.

We were getting the same version (1.8.1) prior to the weekend, when we performed an upgrade during our maintenance window. Now, "Select @@aurora_version" produces 1.9.1 for us, and with the original dll (v5.6.6), the SSL connection error still occurs in Heidi.

wouter van nifterick posted 1 year ago

FYI, I couldn't connect to mysql on Amazon either, and I've also fixed it by replacing libmysql.dll with a newer one.

alanapter posted 2 months ago

I also had this problem (with mysql on aws) and replaced the libmysql.dll and it started to work again.

miked posted 2 months ago

Same "unknown error" problem connecting to an Amazon RDS instance that I've been using for years. I added the -v option to the PuTTY command to output info, to see if it would show a hint about the problem. Turns out I'm connecting and getting the port forward - but something is going south after connecting:


miked posted 2 months ago

Edit to add to the above: latest version, 9.5.0.5295 (64 bit).

A commenter above noted a different libmysql.dll from Workbench; I have not tried it but will now.

miked posted 2 months ago

libmysql.dll v8.9.12.0 from the latest MySQL Workbench (https://dev.mysql.com/downloads/workbench/) replaced the Heidi version 5.6.6.0. I was able to connect again, but the connection still died, so this didn't help. But I did get an updated error message.

miked posted 2 months ago

So I went back through a bunch of MySQL Workbench distros looking for a libmysql.dll that worked with all of the 9.0.x revisions of HeidiSQL, without luck - I've downloaded so many copies of Workbench and Heidi over the last 24 hours...

So I came up with a different solution, using PuTTY to tunnel into RDS, launched from the cmd line, and then opening my connection to the RDS instance via the tunnel. I tunnel my access to RDS through my web server to prevent direct outside access to it, so the cmd line below reflects that:

putty -ssh <username>@<mywebserverIP> -i "<path to my ssh key\keyname.ppk>" -L 3313:<myRDSinstanceFQDN>:3306

This opens a cmd window for me; use -i only if you use a key file to authenticate on your server.

-L is the magic: https://the.earth.li/~sgtatham/putty/0.70/htmldoc/Chapter3.html#using-general-opts , section 3.8.3.5

I'm forwarding traffic on 3306 on the remote RDS through my web server and back onto my Windows box on 3313.

You can use the -N switch, which will prevent a cmd window from opening but will still open the port. If this was a connection you worked off of constantly, you could launch this on startup to make 3313 available at login automagically. I like to see the cmd window open to remind me that I still have access to the RDS for that client's instance. Interestingly, even if I close the cmd window the tunnel still stays active for a while, certainly for as long as Heidi is connected through it.

Now I can open a Heidi session to my server:

network: mysql tcp/ip
host: localhost
port: 3313 (from the first value in the -L param in the cmd line above; change the port # to suit your use case)
user: my SQL login name
pwd: my SQL login password

I haven't been able to configure PuTTY directly with this config so far, but I haven't put much time in on it. If I get a PuTTY session config together I'll come back and post it.

Hope this helps someone else. cheers
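The tunnel procedure above, as an added example that is not part of miked's post or of HeidiSQL: an OpenSSH equivalent of the PuTTY -L command, with the forwarded port bound to loopback only and a check that the forward actually came up. The bastion address, RDS endpoint and key path are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the forum post: the OpenSSH equivalent of the
# PuTTY "-L 3313:<RDS FQDN>:3306" tunnel through a web server, with the
# checks a long-lived forward should have. BASTION, RDS_HOST and SSH_KEY
# are assumed placeholders; replace them with your own values.

LOCAL_PORT=3313                                   # port HeidiSQL connects to
RDS_HOST="mydb.cluster-abc123.us-east-1.rds.amazonaws.com"  # placeholder
RDS_PORT=3306
BASTION="deploy@203.0.113.10"                     # placeholder bastion/web server
SSH_KEY="$HOME/.ssh/rds-bastion"                  # OpenSSH key, not a .ppk

# Accept only a numeric TCP port in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the -L argument. Binding explicitly to 127.0.0.1 keeps the forwarded
# database port off the LAN; only the web server talks to the real RDS endpoint.
forward_spec() {
    valid_port "$1" && valid_port "$3" || return 1
    printf '127.0.0.1:%s:%s:%s' "$1" "$2" "$3"
}

# Open the tunnel in the background. -N: no remote shell (the -N miked mentions);
# ExitOnForwardFailure makes ssh exit instead of silently running without the
# forward, e.g. when 3313 is already taken by an earlier tunnel.
open_tunnel() {
    spec=$(forward_spec "$LOCAL_PORT" "$RDS_HOST" "$RDS_PORT") || return 1
    ssh -N -i "$SSH_KEY" -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
        -L "$spec" "$BASTION" &
    TUNNEL_PID=$!
    # Give ssh a moment; if it has already exited, the forward failed.
    sleep 2
    kill -0 "$TUNNEL_PID" 2>/dev/null
}

# Only start the tunnel when run as "sh tunnel.sh start", so the functions can
# be sourced or tested without network access.
if [ "${1:-}" = "start" ]; then
    open_tunnel || { echo "tunnel failed" >&2; exit 1; }
    trap 'kill "$TUNNEL_PID" 2>/dev/null' EXIT INT TERM
    echo "HeidiSQL: host 127.0.0.1, port $LOCAL_PORT (tunnel pid $TUNNEL_PID)"
    wait "$TUNNEL_PID"
fi
```

Run it with `sh tunnel.sh start` and point HeidiSQL at 127.0.0.1:3313 as described in the post; closing the script kills the tunnel, unlike the PuTTY window behaviour miked observed.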
