Bug #25748 my.ini (Windows) file demands Unix file syntax for SSL parameters
Submitted: 22 Jan 2007 11:14 Modified: 5 Dec 2007 18:55
Reporter: Peter Laursen (Basic Quality Contributor) Email Updates:
Status: Verified Impact on me:
None 
Category:MySQL Server: Options Severity:S3 (Non-critical)
Version:5.0.32-33/5.1.14/5.2.0 OS:Microsoft Windows (windows)
Assigned to: CPU Architecture:Any
Tags: my.cnf windows path my.ini, qc
Triage: Triaged: D4 (Minor)

[22 Jan 2007 11:14] Peter Laursen
Description:
I can start the MySQL server with SSL enabled with the command
"mysqld --ssl-ca=cacert.pem --ssl-cert=server-cert.pem --ssl-key=server-key.pem"

.. and next connect from client with 
mysql --ssl-ca=cacert.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem

However inserting 

ssl-ca=cacert.pem --ssl-cert=server-cert.pem --ssl-key=server-key.pem

In the [mysqld] section of my.ini does have the desired effect!  Server starts OK, the query "show variables like 'have_openssl';" returns "YES"

How to repeat:
1) Install a MySQL server as a service 
2) Edit the my.ini as described
3) start server ("net start ..." or use Mysql Administrator)
4) logon as root 
5) create a SSL-user: "GRANT all on *.* to 'ssl_user'@'localhost' require ssl" 
and verify 'show variables like 'have_openssl';"  ==> "YES"
6) Now try to connect with 

C:\Program Files\MySQL\MySQL Server 5.0\bin>mysql --ssl-ca=cacert.pem --ssl-cert
=client-cert.pem --ssl-key=client-key.pem

And now windows pop-ups its standard msg box "windows cannot open this file ..."

However from one command line it works:

1)
Start the server from command-line:

C:\Program Files\MySQL\MySQL Server 5.0\bin>mysqld --ssl-ca=cacert.pem --ssl-cer
t=server-cert.pem --ssl-key=server-key.pem

2)
SSL-user is there allready!

3)
and start the client from another command line:

C:\Program Files\MySQL\MySQL Server 5.0\bin>mysql --ssl-ca=cacert.pem --ssl-cert
=client-cert.pem --ssl-key=client-key.pem -ussl_user
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.0.33 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

Suggested fix:
Document how to start MySQL as a service on Windows with SSL.
And fix any issues there may be .....
[22 Jan 2007 12:01] Miguel Solorzano
Thank you for the bug report. Please clarify, in your my.ini you have:

ssl-ca=cacert.pem --ssl-cert=server-cert.pem --ssl-key=server-key.pem

or

ssl-ca=cacert.pem 
ssl-cert=server-cert.pem 
ssl-key=server-key.pem

under the [mysqld] section?. Thanks in advance.
[22 Jan 2007 14:58] Peter Laursen
I tried both

1) With this
ssl-ca=cacert.pem --ssl-cert=server-cert.pem --ssl-key=server-key.pem
.. "show variables like 'have_openssl'" returns "YES" 

2) and with this

ssl-ca=cacert.pem 
ssl-cert=server-cert.pem 
ssl-key=server-key.pem
.. "show variables like 'have_openssl'" returns "DISABLED"

and connection is not possible in any case.

With 1) the Windows msg "can't open ,ca-certificate file>" displays
With 2) the response is as with a server without SSL support (what one would expect when 'have_openssl'" returns "DISABLED")

And addition to my first post: the 5.0.33 server is a MySQL source distro (as compiled by Webyog) the 5.0.32, 5.1.14 and 5.2.0 are binaries built by MySQL)
[26 Jan 2007 7:56] Magnus Blåudd
1) Please try with the full path to the cert files. I suspect that when running as service they are not found.

And with "ssl-ca=cacert.pem --ssl-cert=server-cert.pem --ssl-key=server-key.pem" on one line in my.cnf I suspect you set the variable ssl-ca="cacert.pem --ssl-cert=server-cert.pem --ssl-key=server-key.pem" so that's why mysqld believes it has initialised SSL correctly while it's actually are missing the --ssl-cert and --ssl-key settings.
[1 Feb 2007 9:32] Peter Laursen
No change!

1)with this in .ini-file

ssl-ca=C:\Program Files\MySQL\MySQL Server 5.0\bin\cacert.pem --ssl-cert=C:\Program Files\MySQL\MySQL Server 5.0\bin\server-cert.pem --ssl-key=C:\Program Files\MySQL\MySQL Server 5.0\bin\server-key.pem
.. "show variables like 'have_openssl'" returns "YES" but a SSL connection error occurs.  With Command line client as well as SQLyog 5.23

2) and with this

ssl-ca=C:\Program Files\MySQL\MySQL Server 5.0\bin\cacert.pem 
ssl-cert=C:\Program Files\MySQL\MySQL Server 5.0\bin\server-cert.pem 
ssl-key=C:\Program Files\MySQL\MySQL Server 5.0\bin\server-key.pem
.. the server starts without SSL ("show variables like 'have_openssl'" returns "DISABLED")

When server is started as a user process (from the folder that holds the files), no problem with either the full path or just the files as parameters and both clients.

BTW: I am a little surprised by the formulation "I suspect ...".  Were you able to start MySQL as a Service on your system?  I might "suspect" that you did not try? You have a Windows system, don't you?? :-)
[1 Feb 2007 12:22] Miguel Solorzano
Thank you for the feedback. I edited the section [mysql] and [mysqld] of my.ini
file like showed below (notice the Unix type path).

C:\Arquivos de programas\MySQL\MySQL Server 5.0>type my.ini | findstr .pem
ssl-ca="c:/Arquivos de programas/MySQL/MySQL Server 5.0/ssl/cacert.pem"
ssl-cert="c:/Arquivos de programas/MySQL/MySQL Server 5.0/ssl/client-cert.pem"
ssl-key="c:/Arquivos de programas/MySQL/MySQL Server 5.0/ssl/client-key.pem"
ssl-ca="c:/Arquivos de programas/MySQL/MySQL Server 5.0/ssl/cacert.pem"
ssl-cert="c:/Arquivos de programas/MySQL/MySQL Server 5.0/ssl/server-cert.pem"
ssl-key="c:/Arquivos de programas/MySQL/MySQL Server 5.0/ssl/server-key.pem"

C:\Arquivos de programas\MySQL\MySQL Server 5.0>net start mysql

O serviço de MySQL foi iniciado com êxito.

C:\Arquivos de programas\MySQL\MySQL Server 5.0>bin\mysql --defaults-file="C:\Arquivos de programas\MySQL\MySQL Server 5.0\my.ini" -uro
ot -p -P3307
Enter password: *********
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 5.0.27-community-nt

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show variables like "%openssl%";
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl  | YES   |
+---------------+-------+
1 row in set (0.00 sec)

mysql>

Could you please try the above. Thanks in advance.
[1 Feb 2007 14:00] Peter Laursen
Thanks!

Actually only this:

ssl-ca="c:/Program Files/MySQL/MySQL Server 5.0/bin/cacert.pem"
ssl-cert="c:/Program Files/MySQL/MySQL Server 5.0/bin/server-cert.pem"
ssl-key="c:/Program Files/MySQL/MySQL Server 5.0/bin/server-key.pem"

.. will do in the [mysqld] section.  No need for the client key and certificate.

I admit that it was a little silly that I did not 'suspect' this ... :-)

But on Windows both:

datadir="C:\Program Files\MySQL\MySQL Server 5.0\Datatest"
and
datadir="C:/Program Files/MySQL/MySQL Server 5.0/Datatest" 
(note the non-standard path)

.. will work.  So why is the WIndows file format not allowed with the 
ssl-ca, 
ssl-cert 
and ssl-key 
... parameters?
[1 Feb 2007 14:27] Miguel Solorzano
Thank you for the feedback. I must agree with you, so I suggest you to
change the bug report synopsis to reflect the actual issue with the
Windows standard path and severity S4. Do you agree?. Thanks in advance.
[1 Feb 2007 14:38] Peter Laursen
I changed the synopsis.
[1 Feb 2007 14:43] Peter Laursen
But I do not agree that this is S4 (feature request).
I think it is a (small) bug.
But no big discussion ...
[1 Feb 2007 15:10] Miguel Solorzano
Thank you for the bug report.
[4 Feb 2007 21:13] Magnus Blåudd
Looks like I found the real cause to the problem. 

As we see from the tests above, there is no problem to use either unix, windows or "mixed" format when starting mysqld with command line arguments. But when using an ini file some problem appear. I wrote the below minimal my.cnf file.

[mysqld]
ssl-ca=test space
ssl-cert1=c:\program files\test\client.pem
ssl-cert2="c:\program files\test\client.pem"
ssl-cert3="c:\\program files\\test\\client.pem"
ssl-cert4="c:/program files/test/client.pem"
ssl-ca=C:\Program Files\MySQL\MySQL Server 5.0\bin\cacert.pem
ssl-cert=C:\Program Files\MySQL\MySQL Server 5.0\bin\server-cert.pem
ssl-key=C:\Program Files\MySQL\MySQL Server 5.0\bin\server-key.pem

And tested to read it with our "my_print_defaults" program. As seen below it will mess up the characters after the second backslash and treat the \t as a tab character - that is the real reason why it does not works with the windows file format.

$ ../extra/debug/my_print_defaults.exe --config-file=std_data/bug25748.cnf mysqld
--ssl-ca=test space
--ssl-cert1=c:\program files    est\client.pem
--ssl-cert2=c:\program files    est\client.pem
--ssl-cert3=c:\program files\test\client.pem
--ssl-cert4=c:/program files/test/client.pem
--ssl-ca=C:\Program Files\MySQL\MySQL Server 5.in\cacert.pem
--ssl-cert=C:\Program Files\MySQL\MySQL Server 5.in erver-cert.pem
--ssl-key=C:\Program Files\MySQL\MySQL Server 5.in erver-key.pem

Workaround. Use double backslashes in my.ini and my.cnf when using the windows path format.
[3 Jan 2008 16:57] sugumaran subramani
i am install in my system mysql in windows server 2003 issue this type of error how to rectify that ERROR 2003 (HY000): Can't connect to MySQL server on 'localhost' (10061)