Bug #19653 YaSSL: is passphrase removing optional for keys?
Submitted: 9 May 2006 21:49 Modified: 26 Oct 2007 2:50
Reporter: Yuriy Pavlyutkin Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Documentation Severity:S2 (Serious)
Version:5.0.21 OS:Any
Assigned to: Paul DuBois CPU Architecture:Any

[9 May 2006 21:49] Yuriy Pavlyutkin
Description:
 Manual. 5.9.7.4. Setting Up SSL Certificates for MySQL:

1. Server key
_______________________________________________
...
#
# Remove the passphrase from the key (optional)
#

openssl rsa -in $DIR/server-key.pem -out $DIR/server-key.pem
...
_______________________________________________

 Passphrase removing from Key-files is not optional for this time:
 
 When passphrase is not removed, server silently starts (without password input prompt), but on attemting to establish SSL-connections mysql.exe crushes with error "Memory can't be written" and server silently stops.

====================================

1. Client key
_______________________________________________
...
#
# Remove a passphrase from the key (optional)
#
openssl rsa -in $DIR/client-key.pem -out $DIR/client-key.pem
....
_______________________________________________

 When passphrase is not removed, mysql.exe crashes with error "Memory  can't be read" instead password prompt.

How to repeat:
 Make server or client private key and don't remove passphrase.

my.ini example:
--------------
[client]
port=3307

ssl=1
ssl-ca="Z:/MySQL_50/Certs/CA/CACert.pem"
ssl-cert="Z:/MySQL_50/Certs/ClientCert2.pem"
ssl-key="Z:/MySQL_50/Certs/ClientKey2.pem"

[mysql]

default-character-set=latin1

[mysqld]
port=3307
basedir="Z:/MySQL_50/"

### SSL - Enabling YaSSL services
ssl=1
ssl-cipher=ALL:-DES:-RC2:-RC4:-MD5
ssl-ca="CA/CACert.pem"
ssl-capath="Certs/CA"
ssl-cert="Certs/ServerCert.pem" 
ssl-key="Certs/ServerKey.pem" 
...
------------

mysql.exe --host=localhost -p -P53307 -uroot --ssl=1

Suggested fix:
 First time use server and client keys only without passphrase.

 I can't to say that server keys, protected by passphrase support addition can increase server's security, but as to encrypted private keys support for client side, I think, it has reason.
[13 May 2006 18:15] Yuriy Pavlyutkin
From Todd Ouska (YaSSL):
 MySQL uses yaSSL in OpenSSL compatibility mode, they
don't call SSL_CTX_set_default_passwd_cb and I haven't
implemented it in that mode.  But I'm sure we can
change that...

In the meantime, you could use a script that gets the
password from input, decrypts the file to a temp file,
use the temp file, and then remove it after zeroing
it.
[28 Aug 2006 11:29] Domas Mituzas
passphrase removal is mandatory for keys.

Both MySQL server and client crash if are given encrypted keys, see #21868, as well as:

#4  0x002624eb in TaoCrypt::Base64Decoder::Decode (this=0xbfffea10) at coding.cpp:243
#5  0x00243de2 in yaSSL::PemToDer (file=0xa000bd00, type=PrivateKey) at ../taocrypt/include/coding.hpp:87
#6  0x0024a577 in yaSSL::read_file (ctx=0x1100770, file=0x1100500 "/Users/midom/Tests/yassl/certs/client-key.pem", format=11, type=PrivateKey) at ssl.cpp:96
#7  0x0024ae8b in yaSSL_CTX_use_PrivateKey_file (ctx=0x1100770, file=0x1100500 "/Users/midom/Tests/yassl/certs/client-key.pem", format=11) at ssl.cpp:515
#8  0x0023f0cf in vio_set_cert_stuff (ctx=0x1100770, cert_file=0x1100530 "/Users/midom/Tests/yassl/certs/client-cert.pem", key_file=0x1100500 "/Users/midom/Tests/yassl/certs/client-key.pem") at viosslfactories.c:100
#9  0x0023f7af in new_VioSSLFd (key_file=0x1100500 "/Users/midom/Tests/yassl/certs/client-key.pem", cert_file=0x1100530 "/Users/midom/Tests/yassl/certs/client-cert.pem", ca_file=0x1100560 "/Users/midom/Tests/yassl/certs/ca-cert.pem", ca_path=0x0, cipher=0x0, method=0x1100750) at viosslfactories.c:268
#10 0x0023f8cb in new_VioSSLConnectorFd (key_file=0x1100500 "/Users/midom/Tests/yassl/certs/client-key.pem", cert_file=0x1100530 "/Users/midom/Tests/yassl/certs/client-cert.pem", ca_file=0x1100560 "/Users/midom/Tests/yassl/certs/ca-cert.pem", ca_path=0x0, cipher=0x0) at viosslfactories.c:295
#11 0x00238f3b in mysql_real_connect (mysql=0x26540, host=0x27cba4 "localhost", user=0x1100220 "root", passwd=0x27c2ec "", db=0x0, port=0, unix_socket=0x1100230 "socket", client_flag=241285) at client.c:2184
#12 0x000047af in sql_connect (host=0x0, database=0x0, user=0x1100220 "root", password=0x0, silent=0) at mysql.cc:3216
#13 0x0000a561 in main (argc=8, argv=0x1100290) at mysql.cc:412

Verified at: 

5.1.12-bk@1.2285
5.0.25-bk@1.2251
[26 Oct 2007 2:50] Paul DuBois
Thank you for your bug report. This issue has been addressed in the documentation. The updated documentation will appear on our website shortly, and will be included in the next release of the relevant products.

Updated documentation to not say that password removal for certificates is optional.