EDIT: It looks like RedHat pushed a new build that fixes the issue ->
If all of your MySQL SSL clients and replication just broke, I'm guessing that you're running RedHat, CentOS, or something derived from RedHat. In short, RH modified OpenSSL to reject Diffie-Hellman (DH) key sizes smaller than 768 bits. Note that this is not the length of your certificate's private key: it is the DH key that cipher suites with Perfect Forward Secrecy (PFS) use to agree on the session key.
Someone please correct me if I'm wrong, but selecting which PFS ring (and hence key size) to use is a function of the application making the SSL socket request. Therefore, you'll need an updated version of Percona or MySQL Community to fix this with PFS ciphers.
One workaround is to pin a cipher suite in your configs that doesn't rely on DH key exchange; we went this route to keep things going. On CentOS 6, one of the best choices is Camellia 128. If you're doing command line work, add this to the argument list:
You should be able to add the same setting to your my.cnf and get things going that way, too.
The error MySQL throws is error 2026, which is a catch-all for all SSL errors: it reports the same error for bad certs, bad permissions, bad anything, which makes things difficult to track down. That said, if things broke in the past few days (June 4th), it's probably the cipher problem. We tracked it down in the yum log (openssl-1.0.1e-30.el6.9.x86_64). Whenever something suddenly stops working, always check the yum log first. Thanks RedHat!
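Added example (not code from the original post): a small shell helper that reads `openssl ciphers -v` output and lists the suites in a cipher list whose key exchange is finite-field DH, i.e. the ones subject to the new 768-bit minimum, so you can confirm that a pinned suite such as Camellia 128 avoids it. The sample lines are constructed, and the `--ssl-cipher` / `ssl-cipher` settings and the suite name `CAMELLIA128-SHA` are my assumptions about how the post's fix is spelled, not the author's exact argument.

```shell
#!/bin/sh
# Print "<Kx> <suite>" for each line of `openssl ciphers -v` output read on stdin.
suite_kx() {
    awk '{ for (i = 2; i <= NF; i++) if ($i ~ /^Kx=/) print substr($i, 4), $1 }'
}

# Keep only suites whose key exchange is finite-field Diffie-Hellman (Kx=DH...).
# These negotiate the server's DH parameters and are the ones the patched
# OpenSSL refuses when those parameters are shorter than 768 bits.
# RSA key exchange (Kx=RSA) and ECDHE (Kx=ECDH) are not subject to that minimum.
dh_dependent() {
    suite_kx | awk '$1 ~ /^DH/ { print $2 }'
}

# Run the check against the local OpenSSL for a real cipher-list string,
# e.g. check_cipher_list 'CAMELLIA128-SHA' or check_cipher_list 'DEFAULT'.
# Any suite it prints would be affected by the DH minimum.
check_cipher_list() {
    openssl ciphers -v "$1" | dh_dependent
}

# Constructed sample in the column layout OpenSSL 1.0.x prints (for offline use).
SAMPLE_CIPHERS='DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)      Mac=SHA1
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)      Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)      Mac=SHA1'

# Assumption (not the author's exact argument): pinning the Camellia suite on
# the mysql command line looks like
#   mysql --ssl-cipher=CAMELLIA128-SHA -h db.example.com -u repl -p
# and in my.cnf:
#   [client]
#   ssl-cipher = CAMELLIA128-SHA
```

Piping `SAMPLE_CIPHERS` through `dh_dependent` reports only `DHE-RSA-AES128-SHA`; `check_cipher_list CAMELLIA128-SHA` against a real OpenSSL prints nothing, which is the result you want before rolling the setting out.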
A NOLA native just trying to get by. I live in San Francisco and work as a digital plumber for the joint that runs this thing. (Square/Weebly) Thoughts are mine, not my company's.