MySQL Bugs: #57648: server feature request - expose SSL certificate details in SHOW GLOBAL STATUS

Bug #57648	server feature request - expose SSL certificate details in SHOW GLOBAL STATUS
Submitted:	22 Oct 2010 4:57	Modified:	26 Apr 2011 14:29
Reporter:	Andrew Dalgleish	Email Updates:
Status:	Closed	Impact on me:	None
Category:	MySQL Server: General	Severity:	S3 (Non-critical)
Version:		OS:	Any
Assigned to:	Georgi Kodinov	CPU Architecture:	Any

Description:
There is no way to remotely check when an SSL certificate is due to expire.

If we expose the certificate expiry date in the SHOW GLOBAL STATUS, we can then check for upcoming expiry dates before they catch us by surprise.

There is a work-around by loading the certificate file into a table using LOAD FILE etc, but this requires a user with FILE privs, and the certificate file must be within the secure-file-priv path.

How to repeat:
n/a

Turned out that the YaSSL implementation is severely lacking in options to parse and return the notBefore and notAfter dates. There's a function to check them against a date, but no way to extract them.
OpenSSL has ASN1_TIME_print() that can be relatively easy to implement, but it requires an implementation of the BIO functions that is also lacking from yaSSL's bundled version.

Noted in 5.6.3 changelog.

The server now exposes SSL certificate expiration dates through the
Ssl_not_before and Ssl_server_not_after status variables. Both
variables have values in ANSI time format (for example, Sep 12
16:22:06 2013 GMT), or are blank for non-SSL connections.

CHANGESET - http://lists.mysql.com/commits/134117