Unable to connect via TLS

[RonNabuurs]

Im running a MySQL server with a CA. I want to connect to this server with server verification.

This is my setup. It's an edited variant of the bench TLS script.

{-# LANGUAGE OverloadedStrings   #-}
{-# LANGUAGE ScopedTypeVariables #-}

module Main where

import           Control.Concurrent.Async
import           Control.Monad
import           Database.MySQL.Base  hiding (connect, connectDetail)
import           Database.MySQL.TLS
import           System.Environment
import           System.IO.Streams        (fold)
import  qualified Data.ByteString as B

main :: IO ()
main = do
    args <- getArgs
    case args of [threadNum] -> go (read threadNum)
                 _ -> putStrLn "No thread number provided."

go :: Int -> IO ()
go n = do
    cparams <- makeClientParams (CustomCAStore "/path/to/server-ca.pem")

    void . flip mapConcurrently [1..n] $ \ _ -> do
        c <- connect defaultConnectInfo { ciUser = "dev-ssl"
                                        , ciDatabase = "testdb"
                                        , ciPassword = "dev-ssl"
                                        , ciHost = "database.dev"
                                        , ciPort = 3306
                                        }
                     (cparams, "database.dev")

        (fs, is) <- query_ c "SELECT * FROM test"
        (rowCount :: Int) <- fold (\s _ -> s+1) 0 is
        putStr "field name: "
        forM_ fs $ \ f -> B.putStr (columnName f) >> B.putStr ", "
        putStr "\n"
        putStr "numbers of rows: "
        print rowCount

I compile this script with ghc -o test MySQLHaskellTLS.hs
And then run ./test 1

The certificate is valid and signed by the CA. Also the CN and SAN is correct.

The error I get is
test: Short read, expected 4 bytes

I've ran Wireshark and it looks like the TLS handshake works as expected, but when I run the first query the above error pops up. If I look into the package send over the network it seems like the ssl packages is not encrypted, because the SQL query is readable in plain text. I've added a Wireshark file.

The pcap file has 2 connections in it. The first one is when the connection goes wrong (With Haskell TLS) and the second connection is when I connect with the mysql client in my cli. The messages that's most interesting is the message on Arrival Time: Jun 26, 2019 10:18:26.635008878 CEST in the first stream and has as info Ignored Unknown Record.
haskell-tls-bug.zip

Edit:
I've tried to connect with mysql-haskell-openssl and then the SSL connection works as intended.

[winterland1989]

This is a bug that's not very easy to debug since tls wrap the connection, could you directly send query packets using combinators from Database.MySQL.Connection to get more details?

[ocheron]

It looks writing and closing do not use the SSL stream (c instead of tc):

mysql-haskell/Database/MySQL/TLS.hs

Line 69 in 9aa839c

let conn = MySQLConn tlsIs' (write c) (TCP.close c) consumed

[winterland1989]

I see, it's introduced by this commit, Can you revert this and report the result?

[ocheron]

I don't use this package. The issue just caught my eye while looking at packages removed from stackage.