Bug #11548 Not recognizing ssl-ca, ssl-cert and ssl-key variables in my.cnf
Submitted: 24 Jun 2005 16:45
Modified: 7 Jul 2005 0:48
Reporter: Matthew Schultz
Status: Can't repeat
Category: MySQL Server
Severity: S1 (Critical)
Version: 4.1.12
OS: Linux (CentOS 4 (Derivative of Redhat))
Assigned to:
CPU Architecture: Any

[24 Jun 2005 16:45] Matthew Schultz
Description:
I compiled mysql from source and enabled ssl with these switches: --with-openssl --with-vio.  When I log in and run the command SHOW VARIABLES, it shows that have_openssl is YES.  When I attempt to add ssl-ca, ssl-cert and ssl-key variables to the /etc/my.cnf file and then execute mysqlbinlog, it shows this: mysqlbinlog: unknown variable 'ssl-ca=/etc/httpd/conf/ssl/certs/ca_authority.crt'.  When I attempt an SSL connection from my computer or another server, it refuses it every time (The grant privilege for the account is set with REQUIRE SSL).

How to repeat:
1. Compile mysql 4.1.12 on CentOS 4 with the --with-openssl --with-vio switches
2. Add ssl-ca, ssl-cert and ssl-key variables to the my.cnf file
3. Execute mysqlbinlog

Suggested fix:
Allow SSL connections to CentOS servers when openssl is compiled into mysql.
[24 Jun 2005 17:08] Matthew Schultz
I should also mention that I ran a make test and I got this:
openssl_1                      [ skipped ]
[24 Jun 2005 17:20] Matthew Schultz
The openssl version is: 0.9.7a
[4 Jul 2005 3:11] Lucian Kafka
Same issue using the RPMs Linux x86 for both 4.1.11, 4.1.12-1
[4 Jul 2005 3:13] Lucian Kafka
Running on Fedora Core 3, I should have mentioned in the post above.
[6 Jul 2005 22:10] MySQL Verification Team
mysqlbinlog does not recognize the ssl variables, then use the prefix
loose in your my.cnf for those variables. I verified using the mysql
client with the ssl variables in the my.cnf and from the command
line:

miguel@hegel:/share/dbs/4.1$ bin/mysql -umiguel -p  \
> --ssl-ca=/home/miguel/SSL/cacert.pem \
> --ssl-cert=/home/miguel/SSL/client-cert.pem \
> --ssl-key=/home/miguel/SSL/client-key.pem
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4 to server version: 4.1.13-debug-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show variables like "%openssl%";
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl  | YES   |
+---------------+-------+
1 row in set (0.00 sec)
[7 Jul 2005 0:31] Matthew Schultz
Did you try running make test?  When I ran that, it said openssl failed to build, which leads me to believe that what is being shown in SHOW VARIABLES is in fact false.
[7 Jul 2005 0:33] Matthew Schultz
What do you mean by this statement: then use the prefix
loose in your my.cnf for those variables

What is this prefix, loose?
[7 Jul 2005 0:48] MySQL Verification Team
Be aware that not all the clients and tools support the same
variables. As you verified, mysqlbinlog aborts with error
messages. To avoid this, you should use in the client group:

[client]
loose-ssl-ca=/home/miguel/SSL/cacert.pem
loose-ssl-cert=/home/miguel/SSL/client-cert.pem
loose-ssl-key=/home/miguel/SSL/client-key.pem

In this way tools and clients ignore variables that are not supported.
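
Added example (not part of the bug report and not MySQL's own code): a small Python check that scans an option file and adds the loose- prefix to ssl-* options in the shared [client] group, as the last comment suggests. The sample file is constructed and the function name loosen_client_ssl is an assumption for illustration. A tool that skips a loose- option runs without that SSL setting, so the findings also show which settings not every tool will honour.

```python
import re

# Constructed sample option file (not the reporter's actual /etc/my.cnf).
SAMPLE_MY_CNF = """\
[mysqld]
ssl-ca=/etc/mysql/ssl/cacert.pem

[client]
# read by every client program, including mysqlbinlog
port=3306
ssl-ca=/home/miguel/SSL/cacert.pem
ssl_cert = /home/miguel/SSL/client-cert.pem
loose-ssl-key=/home/miguel/SSL/client-key.pem

[mysql]
ssl-key=/home/miguel/SSL/client-key.pem
"""

GROUP_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
OPTION_RE = re.compile(r"^(\s*)([A-Za-z0-9_-]+)(\s*(?:=.*)?)$")


def loosen_client_ssl(text, shared_groups=("client",)):
    """Return (rewritten_text, findings); findings lists (line, group, option)."""
    group, out, findings = None, [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = GROUP_RE.match(line)
        if m:
            group = m.group(1).strip().lower()
        elif group in shared_groups and not line.lstrip().startswith(("#", ";")):
            opt = OPTION_RE.match(line)
            # MySQL option names treat '-' and '_' as equivalent.
            if opt and opt.group(2).lower().replace("_", "-").startswith("ssl-"):
                findings.append((lineno, group, opt.group(2)))
                line = f"{opt.group(1)}loose-{opt.group(2)}{opt.group(3)}"
        out.append(line)
    return "\n".join(out) + "\n", findings


if __name__ == "__main__":
    fixed, hits = loosen_client_ssl(SAMPLE_MY_CNF)
    for lineno, group, name in hits:
        print(f"line {lineno}: [{group}] {name} -> loose-{name}")
    print(fixed)
```

Options in tool-specific groups such as [mysql] and in [mysqld] are left untouched, since only the shared [client] group is read by tools that may not know the option.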