| Bug #59325 | OpenSSL generated key/certificate required for SSL/TLS connections | | |
|---|---|---|---|
| Submitted: | 6 Jan 2011 10:06 | Modified: | 25 Dec 2012 22:47 |
| Reporter: | Dave Kelly | Email Updates: | |
| Status: | Verified | Impact on me: | |
| Category: | MySQL Server: Options | Severity: | S3 (Non-critical) |
| Version: | 5.5.8 GA | OS: | Windows (WS 2008 Std SP2 x86 32-bit) |
| Assigned to: | | CPU Architecture: | Any |
| Tags: | certificate, ERROR 2026, hy000, key, openssl, PEM, SSL, SSL connection error, tls, WinSock Error 10054, WSAECONNRESET | | |
[6 Jan 2011 10:06]
Dave Kelly
[9 Jan 2011 12:20]
Dave Kelly
Changed Synopsis from: "MySQL Server will not accept SSL or TLS connections"; to: "OpenSSL generated key/certificate required for SSL/TLS connections". See my last entry for Bug #59227 (dated 2011-01-09). (http://bugs.mysql.com/bug.php?id=59227) FYI: apparently the 'openssl s_client' utility does not work; at least not for testing SSL connections with MySQL server. Even after getting SSL/TLS working between MySQL server/clients, the openssl s_client utility continued to complain about various errors, which did not seem to exist. (?)
[20 Dec 2012 18:22]
Sveta Smirnova
Thank you for the report. I get different md5 when verifying your certificate and private key using the method described at https://www.sslshopper.com/certificate-key-matcher.html How did you create keys and certificates?
[21 Dec 2012 8:59]
Dave Kelly
Hi Sveta - wow, that was 2 years ago! Let's see if I can recall... I'm sorry for not making it clear - the certs and key (attached to this posting) were the ones that actually work. I created them using an OpenSSL CA (DAWKCo NetSecurity Open Root CA). I should point out that the web-based test you referenced (sslshopper.com) must have corrupted the cert or key data in transmission or something. I just tested the cert and key files locally using OpenSSL and the md5 hashes match, as follows:

    C:\Apache22\bin>openssl x509 -noout -modulus \
      -in ns1.dawkco.com-cert.pem | openssl md5
    (stdin)= 31bf164e1534f42bf3c5c0b67dac4103

    C:\Apache22\bin>openssl rsa -noout -modulus \
      -in ns1.dawkco.com-key.pem | openssl md5
    (stdin)= 31bf164e1534f42bf3c5c0b67dac4103

The original certs and keys that would not work were issued by a Windows Server 2008 certificate services CA (DAWKCo NetSecurity Root CA). The cert and key were originally in a PFX file and I used OpenSSL to extract the cert and key into separate PEM files, as follows:

    openssl pkcs12 -in "combined-cert.pfx" \
      -out "combined-cert.pem" -clcerts -nodes
    openssl x509 -inform PEM -outform PEM \
      -in "combined-cert.pem" -out "tls-cert.pem"
    openssl pkey -inform PEM -outform PEM \
      -in "combined-cert.pem" -out "tls-key.pem"

I know they were good because the original cert was in use by the computer account for authentication in the Windows domain and the extracted cert/key PEMs were successfully used for https on an apache web server. To get the full history and all the gory details, you really need to read the other post that I referenced earlier in this post (Bug #59227): http://bugs.mysql.com/bug.php?id=59227 I believe the original cert/key that wouldn't work with MySQL were attached to that posting. You may get some good clues from the info there.
[21 Dec 2012 9:10]
Dave Kelly
Sveta, As I said, it was so long ago, I guess I'm not 100% sure now about the status of the cert/key files uploaded back then (although the hashes did match OK just now). What I do know for sure is that a valid cert/key issued by a Windows CA would not work with MySQL, while a cert/key issued by an OpenSSL CA did work with MySQL. That's all I'm really saying.
[25 Dec 2012 15:51]
Sveta Smirnova
Thank you for the feedback. Verified as described. Changing BEGIN/END TRUSTED CERTIFICATE to BEGIN/END CERTIFICATE or using the command `openssl x509 -in cacert.pem -out cacert.pem` solved the issue. Not sure if this should be server or documentation bug.
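The fix above hinges on a detail of OpenSSL's PEM formats: a `TRUSTED CERTIFICATE` block is the certificate's DER followed, in the same base64 body, by an appended trust-settings structure (CERT_AUX), so a reader that only accepts the plain `CERTIFICATE` label rejects the file. Running `openssl x509 -in cacert.pem -out cacert.pem` rewrites it as a plain block containing only the certificate. The following Python, added here as an illustration and not part of the bug report or of MySQL, does the same thing offline: it finds `TRUSTED CERTIFICATE` blocks, keeps only the leading DER SEQUENCE (the certificate) and drops the trailing aux bytes, and re-emits the block under the `CERTIFICATE` label. The sample block at the bottom is constructed from a tiny hand-made DER SEQUENCE, not a real certificate, so the conversion can be exercised without any key material.

```python
"""Normalize OpenSSL "TRUSTED CERTIFICATE" PEM blocks to plain "CERTIFICATE" blocks.

Added example; not code from the bug report or from MySQL. A TRUSTED CERTIFICATE
body is the certificate DER followed by OpenSSL's CERT_AUX trust settings, so the
conversion keeps only the first DER SEQUENCE, as `openssl x509 -in x -out y` does.
"""
import base64
import re
import textwrap

# One PEM block: label, base64 body, matching END line.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    r"-----END (?P=label)-----",
    re.S,
)


def der_sequence_length(der: bytes) -> int:
    """Total length (tag + length field + content) of the leading DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("data does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    content_len = int.from_bytes(der[2:2 + n], "big")
    return 2 + n + content_len


def split_trusted(der: bytes) -> tuple:
    """Split a TRUSTED CERTIFICATE body into (certificate DER, trailing aux bytes)."""
    cert_len = der_sequence_length(der)
    if cert_len > len(der):
        raise ValueError("truncated certificate")
    return der[:cert_len], der[cert_len:]


def to_pem(label: str, der: bytes) -> str:
    """Encode DER as a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = textwrap.wrap(b64, 64)
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def first_block_der(text: str) -> bytes:
    """Decode the first PEM block in text; used to inspect conversion results."""
    m = PEM_RE.search(text)
    if m is None:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group("body").split()))


def normalize_pem(text: str) -> tuple:
    """Rewrite every TRUSTED CERTIFICATE block as a CERTIFICATE block.

    Other blocks (CERTIFICATE, PRIVATE KEY, ...) are passed through untouched.
    Returns (new_text, notes) where notes records each conversion.
    """
    notes = []

    def repl(m):
        if m.group("label") != "TRUSTED CERTIFICATE":
            return m.group(0)
        der = base64.b64decode("".join(m.group("body").split()))
        cert, aux = split_trusted(der)
        notes.append(f"converted TRUSTED CERTIFICATE ({len(aux)} aux bytes dropped)")
        return to_pem("CERTIFICATE", cert).rstrip("\n")

    return PEM_RE.sub(repl, text), notes


# Constructed sample data (NOT a real certificate): SEQUENCE { INTEGER 5 } stands in
# for the certificate, and SEQUENCE { NULL } stands in for the appended CERT_AUX.
SAMPLE_CERT_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_AUX_DER = bytes([0x30, 0x02, 0x05, 0x00])
SAMPLE_TRUSTED_PEM = to_pem("TRUSTED CERTIFICATE", SAMPLE_CERT_DER + SAMPLE_AUX_DER)

if __name__ == "__main__":
    fixed, notes = normalize_pem(SAMPLE_TRUSTED_PEM)
    print("\n".join(notes))
    print(fixed, end="")
```

Usage on a real file is `normalize_pem(open("cacert.pem").read())` and writing the first element of the result back out; the recorded note tells you whether anything was actually changed, which is a quick way to confirm that a rejected CA file was in the trusted format before blaming the server or the key.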
[25 Dec 2012 22:47]
Dave Kelly
Sveta, Well, it seems to me that if a TLS certificate and key are valid, then MySQL should just work with them without the user having to modify the cert or key. So, IMHO this should be handled as a server bug - at least for future versions. However, a documentation update could provide this work-around for current/prior versions.
[10 Oct 2014 7:30]
Daniël van Eeden
It looks similar to Bug #71271, but that is related to the key and this bug is related to the certificate. More details about 'trusted' certificates: https://www.openssl.org/docs/apps/x509.html#TRUST_SETTINGS