Bug #22560 MySQL doesn't load the SSL keys from my.cnf file
Submitted: 21 Sep 2006 17:27
Modified: 22 Sep 2006 16:14
Reporter: pavel pragin
Status: Not a Bug
Category: MySQL Server
Severity: S3 (Non-critical)
Version: 4.1.21
OS: Linux (RHEL4)
Assigned to:
CPU Architecture: Any
Tags: keys, my.cnf, SSL

[21 Sep 2006 17:27] pavel pragin
Description:
I am unable to get MySQL to load the SSL keys by specifying them in the /usr/local/bin/data/my.cnf file. The only way I am able to load them is by specifying them explicitly in the mysql start statement. Do you have any idea how I can get the keys to load from the config file instead?

Pavel Pragin 

How to repeat:
DOESN'T WORK:
1. Added this to /usr/local/bin/data/my.cnf:
[SSL KEYS]
ssl-ca=/sslcert/openssl/cacert.pem
ssl-cert=/sslcert/openssl/server-cert.pem
ssl-key=/sslcert/openssl/server-key.pem

2. Restarted MySQL
[root@rock etc]# ps -ef | grep mysql
root     10347     1  1 19:30 pts/2    00:00:00 /bin/sh /usr/local/mysql/bin/mysqld_safe --datadir=/usr/local/mysql/data --pid-file=/usr/local/mysql/data/rock.pid
mysql    10386 10347  2 19:30 pts/2    00:00:00 /usr/local/mysql/libexec/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr/local/mysql --datadir=/usr/local/mysql/data --user=mysql --pid-file=/usr/local/mysql/data/rock.pid --skip-external-locking --port=3306 --socket=/tmp/mysql.sock

3. Try to connect using SSL
[root@iron sslkeys]# mysql -u backup-user  -pzmanda -h rock.zmanda.com --ssl-ca=/sslkeys/cacert.pem --ssl-cert=/sslkeys/client-cert.pem --ssl-key=/sslkeys/client-key.pem
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 4.1.21-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> \s
--------------
mysql  Ver 14.7 Distrib 4.1.21, for pc-linux-gnu (i686) using  EditLine wrapper

Connection id:          1
Current database:
Current user:           backup-user@iron.zmanda.com
SSL:                    Not in use
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         4.1.21-log
Protocol version:       10
Connection:             rock.zmanda.com via TCP/IP
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    latin1
Conn.  characterset:    latin1
TCP port:               3306
Uptime:                 1 min 12 sec

Threads: 1  Questions: 3  Slow queries: 0  Opens: 11  Flush tables: 1  Open tables: 5  Queries per second avg: 0.042
--------------

4. As you can see "SSL: Not in use", so the client didn't connect using SSL

WORKS:

1. Start MySQL using these arguments:
[root@rock ~]# /usr/local/mysql/libexec/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr/local/mysql --datadir=/usr/local/mysql/data --user=mysql --pid-file=/usr/local/mysql/data/quartz.pid --skip-external-locking --port=3306 --socket=/tmp/mysql.sock --ssl-ca=/sslcert/openssl//cacert.pem --ssl-cert=/sslcert/openssl/server-cert.pem --ssl-key=/sslcert/openssl/server-key.pem
060920 19:29:57  InnoDB: Started; log sequence number 0 44688
/usr/local/mysql/libexec/mysqld: ready for connections.
Version: '4.1.21-log'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution

2. Try to connect to client using SSL
[root@iron sslkeys]# mysql -u backup-user  -pzmanda -h rock.zmanda.com --ssl-ca=/sslkeys/cacert.pem --ssl-cert=/sslkeys/client-cert.pem --ssl-key=/sslkeys/client-key.pem
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 4.1.21-log

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> \s
--------------
mysql  Ver 14.7 Distrib 4.1.21, for pc-linux-gnu (i686) using  EditLine wrapper

Connection id:          1
Current database:
Current user:           backup-user@iron.zmanda.com
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         4.1.21-log
Protocol version:       10
Connection:             rock.zmanda.com via TCP/IP
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    latin1
Conn.  characterset:    latin1
TCP port:               3306
Uptime:                 9 sec

Threads: 1  Questions: 3  Slow queries: 0  Opens: 11  Flush tables: 1  Open tables: 5  Queries per second avg: 0.333
--------------

3. In this case the SSL connection is established:
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
[22 Sep 2006 8:36] Sveta Smirnova
Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://dev.mysql.com/doc/ and the instructions on how to report a bug at http://bugs.mysql.com/how-to-report.php

Read carefully about configuration file format here: http://dev.mysql.com/doc/refman/4.1/en/option-files.html
[22 Sep 2006 16:14] pavel pragin
The solution is the keys have to be placed under "[mysqld]" section of the my.cnf file to be loaded:

[mysqld]
ssl-ca=/sslcert/openssl/cacert.pem
ssl-cert=/sslcert/openssl/server-cert.pem
ssl-key=/sslcert/openssl/server-key.pem
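
A check for the misplacement this report turned out to be, added here as an example and not part of the original thread or of MySQL: it lists every ssl-* option in an option file with the group it sits in and marks whether mysqld reads that group. The function name, the READ/IGNORED labels and the sample files are constructed; the set of server groups ([mysqld], [server], version groups such as [mysqld-4.1]) follows the MySQL option-file documentation.

```shell
#!/bin/sh
# Added example (not from the bug report): show which ssl-* options in an
# option file mysqld will actually read. Per the MySQL option-file docs the
# server reads [mysqld], [server] and version groups such as [mysqld-4.1].

audit_ssl_options() {
    awk '
        /^[ \t]*\[.*\][ \t]*$/ {            # group header, e.g. [mysqld]
            group = $0
            sub(/^[ \t]*\[/, "", group); sub(/\][ \t]*$/, "", group)
            next
        }
        /^[ \t]*[#;]/ { next }              # comment line
        /^[ \t]*ssl[-_]/ {                  # ssl-ca, ssl_cert, ssl-key, ...
            opt = $0
            sub(/^[ \t]*/, "", opt); sub(/[ \t]*=.*$/, "", opt)
            g = tolower(group)              # group names are not case-sensitive
            ok = (g == "mysqld" || g == "server" || g ~ /^mysqld-[0-9]+\.[0-9]+$/)
            if (ok) loaded++
            printf "%s [%s] %s\n", (ok ? "READ" : "IGNORED"), group, opt
        }
        END { exit (loaded == 0) }          # status 1: server gets no ssl-* option
    ' "$1"
}

# Constructed sample files: the layout from the report and the corrected one.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '[SSL KEYS]' \
        'ssl-ca=/sslcert/openssl/cacert.pem' \
        'ssl-cert=/sslcert/openssl/server-cert.pem' \
        'ssl-key=/sslcert/openssl/server-key.pem' > "$dir/broken.cnf"
    sed 's/^\[SSL KEYS\]$/[mysqld]/' "$dir/broken.cnf" > "$dir/fixed.cnf"
    for f in "$dir/broken.cnf" "$dir/fixed.cnf"; do
        echo "== $f"
        audit_ssl_options "$f" || echo "mysqld would start without SSL settings"
    done
    rm -rf "$dir"
}

demo
```

On a host with MySQL installed, `my_print_defaults --defaults-extra-file=FILE mysqld server` prints the options those groups yield, and the `SSL:` line of `\s` confirms the result on a live connection.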