Bug #54348 YaSSL rejects valid certificate which OpenSSL accepts
Submitted: 8 Jun 2010 19:00
Modified: 11 Jun 2012 16:41
Reporter: Harrison Fisk
Status: Closed
Category: MySQL Server: General
Severity: S2 (Serious)
Version: 5.1.43sp1
OS: Any
Assigned to:
CPU Architecture: Any
Tags: openssl, SSL, yassl

[8 Jun 2010 19:00] Harrison Fisk
Description:
There are valid certificates that YaSSL will reject but OpenSSL will allow.  I have tried both with the bundled YaSSL and also the newer 1.9.9 release and both failed.

This is a bigger problem since MySQL 4.1 used to be compiled against OpenSSL and now 5.0 uses YaSSL which causes issues with upgrading.

YaSSL running under debug gives the error:

error: ASN: bad Ojbect ID Header

Full debug trace:

T@9 : | <sslaccept
T@9 : | >ssl_do
T@9 : | | enter: ptr: 0x873b010, sd: 76 ctx: 0x873b020
T@9 : | | >vio_blocking
T@9 : | | | enter: set_blocking_mode: 1 old_mode: 0
T@9 : | | | exit: 0
T@9 : | | <vio_blocking
T@9 : | | info: ssl: 0x8cf0b10 timeout: 10
T@9 : | | error: SSL_connect/accept failure
T@9 : | | >report_errors
T@9 : | | | error: error: ASN: bad Ojbect ID Header
T@9 : | | | info: socket_errno: 0
T@9 : | | <report_errors
T@9 : | | >vio_blocking
T@9 : | | | enter: set_blocking_mode: 0 old_mode: 1
T@9 : | | | exit: 0
T@9 : | | <vio_blocking
T@9 : | <ssl_do

How to repeat:
See attached private certificates.

Start MySQL with:

[mysqld]
ssl-ca=cacert.pem
ssl-cert=mysql-cert.pem
ssl-key=mysql-key.pem

[client]
ssl-ca=cacert.pem

Start using YaSSL MySQL and try to connect. 
Start using OpenSSL linked MySQL and try to connect.

Suggested fix:
Allow YaSSL to accept the certificate.
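
For triage of the "ASN: bad Ojbect ID Header" error reported above, an added example (not part of the original report, and not yaSSL or MySQL code): a small DER walker that lists every OBJECT IDENTIFIER in a structure with its byte offset, so the identifiers a certificate uses can be compared against what a given TLS library parses. The sample bytes are constructed and the function names are hypothetical.

```python
"""List every OBJECT IDENTIFIER in a DER structure, with its byte offset."""

def read_tlv(buf, pos, end):
    """Return (tag, value_start, value_end) for the TLV at pos.
    Definite lengths and single-byte tags only, which is all X.509 DER uses."""
    if pos + 2 > end:
        raise ValueError(f"truncated header at offset {pos}")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: length is the byte itself
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > end:
            raise ValueError(f"bad length octets at offset {pos - 1}")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError(f"value overruns its container at offset {pos}")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode OID content octets (base-128 arcs) into dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID body")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends this arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)         # first two arcs share one value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def list_oids(der, pos=0, end=None):
    """Depth-first walk; returns [(offset, dotted_oid), ...]."""
    end = len(der) if end is None else end
    found = []
    while pos < end:
        tag, start, stop = read_tlv(der, pos, end)
        if tag == 0x06:                   # universal OBJECT IDENTIFIER
            found.append((pos, decode_oid(der[start:stop])))
        elif tag & 0x20:                  # constructed: SEQUENCE, SET, [n] EXPLICIT
            found += list_oids(der, start, stop)
        pos = stop                        # primitive values are not descended into
    return found

# Constructed sample: SEQUENCE { AlgorithmIdentifier, SET { SEQUENCE { OID, UTF8String } } }
SAMPLE = bytes.fromhex("301c300d06092a864886f70d01010b0500310b300906035504030c026462")
```

To run it on a real certificate, pass the DER bytes (the base64-decoded body of the PEM file) to `list_oids`.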

[11 Jun 2012 16:41] Paul DuBois
Noted in 5.1.64, 5.5.26, 5.6.6 changelogs.

yaSSL rejected valid SSL certificates that OpenSSL accepts.