Bug #20040 SSL connections do not affect SSL statistics in STATUS output
Submitted: 24 May 2006 10:46 Modified: 28 Feb 2007 22:25
Reporter: Domas Mituzas
Status: Verified
Category: MySQL Server: Options Severity: S3 (Non-critical)
Version: 5.1-bk, 5.0.38 OS: Any (*)
Assigned to:
Triage: Triaged: D3 (Medium)

[24 May 2006 10:46] Domas Mituzas
Description:
At ChangeSet@1.2182, 2006-05-24 09:28:37+02:00, knielsen@mysql.com

SHOW STATUS has SSL statistics which are not touched by YaSSL at all:

mysql> status
--------------
mysql  Ver 14.12 Distrib 5.1.12-beta, for apple-darwin8.6.1 (i686) using readline 5.0
SSL:                    Cipher in use is DHE-RSA-AES256-SHA

How to repeat:
Same output is for SHOW STATUS and SHOW GLOBAL STATUS:

| Com_show_processlist           | 0                                                                                                                                                                                                                                                               | 
| Ssl_accept_renegotiates        | 0                                                                                                                                                                                                                                                               | 
| Ssl_accepts                    | 0                                                                                                                                                                                                                                                               | 
| Ssl_callback_cache_hits        | 0                                                                                                                                                                                                                                                               | 
| Ssl_cipher                     | DHE-RSA-AES256-SHA                                                                                                                                                                                                                                              | 
| Ssl_cipher_list                | DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES256-RMD:AES128-RMD:DES-CBC3-RMD:DHE-RSA-AES256-RMD:DHE-RSA-AES128-RMD:DHE-RSA-DES-CBC3-RMD:DHE-DSS-AES256-RMD:DHE-DSS-AES128-RMD:DHE-DSS-DES-CBC3-RMD:RC4- | 
| Ssl_client_connects            | 0                                                                                                                                                                                                                                                               | 
| Ssl_connect_renegotiates       | 0                                                                                                                                                                                                                                                               | 
| Ssl_ctx_verify_depth           | 0                                                                                                                                                                                                                                                               | 
| Ssl_ctx_verify_mode            | 0                                                                                                                                                                                                                                                               | 
| Ssl_default_timeout            | 500                                                                                                                                                                                                                                                             | 
| Ssl_finished_accepts           | 0                                                                                                                                                                                                                                                               | 
| Ssl_finished_connects          | 0                                                                                                                                                                                                                                                               | 
| Ssl_session_cache_hits         | 0                                                                                                                                                                                                                                                               | 
| Ssl_session_cache_misses       | 0                                                                                                                                                                                                                                                               | 
| Ssl_session_cache_mode         | Unknown                                                                                                                                                                                                                                                         | 
| Ssl_session_cache_overflows    | 0                                                                                                                                                                                                                                                               | 
| Ssl_session_cache_size         | 0                                                                                                                                                                                                                                                               | 
| Ssl_session_cache_timeouts     | 0                                                                                                                                                                                                                                                               | 
| Ssl_sessions_reused            | 0                                                                                                                                                                                                                                                               | 
| Ssl_used_session_cache_entries | 0                                                                                                                                                                                                                                                               | 
| Ssl_verify_depth               | 0                                                                                                                                                                                                                                                               | 
| Ssl_verify_mode                | 0                                                                                                                                                                                                                                                               | 
| Ssl_version                    | TLSv1                                                                                                                                                                                                                                                           | 

Suggested fix:
Improve statistics code
[25 Feb 2007 21:48] Shane Bester
Searching the source code, I don't see any place where the void yaSSL::SSL_CTX::IncrementStats method is called.
[17 Dec 2009 21:55] Michael Weck
This is also an issue with OpenSSL.
mysql version 5.0.51a-24+lenny2-log (debian lenny distribution)

All ssl_* stats in status are 0
[14 May 2013 9:47] Laurynas Biveinis
Is bug 59635 a duplicate?
[12 Jan 10:02] Daniël van Eeden
This also affects 5.6, 5.7, 8.0.

Monitoring for (almost) expiring SSL certificates is difficult because the Ssl_server_not_after status variable remains empty.
[12 Jan 15:32] Daniël van Eeden
5.7 w/ YaSSL actually does show Ssl_server_not_after and Ssl_server_not_before.

Related commit:
commit 18ce7f96b21c2be1beb38e6835567e1780f2a6f5
Author: Georgi Kodinov <Georgi.Kodinov@Oracle.com>
Date:   Tue Mar 29 11:01:07 2011 +0300

    Bug #11764778: server feature request - expose ssl certificate details
      in show global st
    
    There was no easy way to get the expiration dates of the server's
    certificate.
    
    Implemented two session status variables (Ssl_server_not_before and
    Ssl_server_not_after) with the same scope as e.g. Ssl_verify_depth to
    return the two dates in a format similar to OpenSSL's ASN1_TIME_print.
    
    Since yaSSL doesn't preserve the parsed server certificate beyond
    reading it, the diff extends yaSSL to preserve it and return it
    through SSL_get_certificate().  Also fixed the storage of the
    certificate expiration dates to have the ASN1_TIME subtype.
    
    Implemented a yaSSL-specific extension function
    yaSSL_ASN1_TIME_to_string() to return the string representation of the
    date in an ASN1_TIME in a format similar to OpenSSL's format.
    
    Created a wrapper in MySQL to call either ASN1_TIME_print() or
    yaSSL_ASN1_TIME_to_string() depending on the library type.
    
    Did some type cleanups of some of the internal yaSSL functions.
    
    Test case added.

This commit was around 5.6.3-m5.

commit 1ffd2ad62219dd24a54542f8b98a1cd9be96fbb5
Author: Georgi Kodinov <georgi.kodinov@oracle.com>
Date:   Fri Mar 27 15:08:03 2015 +0200

    Bug #20648276 SSL-RELATED GLOBAL STATUS INFORMATION ONLY AVAILABLE
      WHEN CONNECTED USING --SSL
    
    * Created a read-only SSL context to allow reading of the
      SSL attributes for the server SSL Context
    * Used the new read-only SSL context instead of the connected
      SSL context in Ssl_server_not_before/Ssl_server_not_after.
    * Test case added.
    * Fixed a non-unix line ending in ha_federated.cc

This commit was around 5.7.8-rc.

So that's why this doesn't work with 5.6.x unless using SSL to connect.
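
The certificate-expiry monitoring discussed in the comments above, as an added example (not part of the bug thread or of MySQL's code): a check that treats an empty Ssl_server_not_after as an alert rather than as "no problem". It assumes tab-separated rows as produced by `mysql -B -N -e "SHOW GLOBAL STATUS LIKE 'Ssl_server_not%'"` and a date in ASN1_TIME_print style; the function names and sample rows are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample rows (name<TAB>value), not output captured from a real server.
SAMPLE_OK = ("Ssl_server_not_after\tMar  5 10:00:00 2031 GMT\n"
             "Ssl_server_not_before\tMar  7 10:00:00 2021 GMT\n")
# What the thread describes for 5.6.x when the monitoring connection is not using SSL.
SAMPLE_EMPTY = "Ssl_server_not_after\t\nSsl_server_not_before\t\n"

# Assumed layout of the value: ASN1_TIME_print style, e.g. "Mar  5 10:00:00 2031 GMT".
ASN1_PRINT_FORMAT = "%b %d %H:%M:%S %Y GMT"


def parse_status(text):
    """Turn tab-separated status rows into a {name: value} dict."""
    rows = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition("\t")
        rows[name.strip()] = value.strip()
    return rows


def parse_asn1_time(value):
    """Parse the printed date; single-digit days are space padded, so collapse runs."""
    normalized = " ".join(value.split())
    # %b is locale dependent; run the check under the C/English locale.
    parsed = datetime.strptime(normalized, ASN1_PRINT_FORMAT)
    return parsed.replace(tzinfo=timezone.utc)


def check_server_cert(text, now, warn_days=30):
    """Return (state, days_left); an empty or unparsable value is UNKNOWN, never OK."""
    raw = parse_status(text).get("Ssl_server_not_after", "")
    if not raw:
        return ("UNKNOWN", None)  # variable empty: monitoring is blind, alert on it
    try:
        not_after = parse_asn1_time(raw)
    except ValueError:
        return ("UNKNOWN", None)
    days_left = (not_after - now).days
    if days_left < 0:
        return ("EXPIRED", days_left)
    if days_left <= warn_days:
        return ("WARNING", days_left)
    return ("OK", days_left)
```

Mapping UNKNOWN to a non-OK monitoring state is what keeps the empty-variable case described in this report from hiding an expiring certificate.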