Bug #25748 my.ini (Windows) file demands Unix file syntax for SSL parameters
Submitted: 22 Jan 2007 11:14
Modified: 5 Dec 2007 18:55
Reporter: Peter Laursen (Basic Quality Contributor)
Status: Verified
Category: MySQL Server: Options
Severity: S3 (Non-critical)
Version: 5.0.32-33/5.1.14/5.2.0
OS: Windows (windows)
Assigned to:
CPU Architecture: Any
Tags: my.cnf windows path my.ini, qc

[22 Jan 2007 11:14] Peter Laursen
Description:
I can start the MySQL server with SSL enabled with the command
"mysqld --ssl-ca=cacert.pem --ssl-cert=server-cert.pem --ssl-key=server-key.pem"

.. and next connect from client with 
mysql --ssl-ca=cacert.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem

However inserting 

ssl-ca=cacert.pem --ssl-cert=server-cert.pem --ssl-key=server-key.pem

In the [mysqld] section of my.ini does have the desired effect!  Server starts OK, the query "show variables like 'have_openssl';" returns "YES"

How to repeat:
1) Install a MySQL server as a service 
2) Edit the my.ini as described
3) start server ("net start ..." or use Mysql Administrator)
4) logon as root 
5) create a SSL-user: "GRANT all on *.* to 'ssl_user'@'localhost' require ssl" 
and verify "show variables like 'have_openssl';"  ==> "YES"
6) Now try to connect with 

C:\Program Files\MySQL\MySQL Server 5.0\bin>mysql --ssl-ca=cacert.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem

And now Windows pops up its standard msg box "windows cannot open this file ..."

However from one command line it works:

1)
Start the server from command-line:

C:\Program Files\MySQL\MySQL Server 5.0\bin>mysqld --ssl-ca=cacert.pem --ssl-cert=server-cert.pem --ssl-key=server-key.pem

2)
SSL-user is there already!

3)
and start the client from another command line:

C:\Program Files\MySQL\MySQL Server 5.0\bin>mysql --ssl-ca=cacert.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem -ussl_user
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.0.33 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

Suggested fix:
Document how to start MySQL as a service on Windows with SSL.
And fix any issues there may be .....
[22 Jan 2007 12:01] MySQL Verification Team
Thank you for the bug report. Please clarify, in your my.ini you have:

ssl-ca=cacert.pem --ssl-cert=server-cert.pem --ssl-key=server-key.pem

or

ssl-ca=cacert.pem 
ssl-cert=server-cert.pem 
ssl-key=server-key.pem

under the [mysqld] section?. Thanks in advance.
[22 Jan 2007 14:58] Peter Laursen
I tried both

1) With this
ssl-ca=cacert.pem --ssl-cert=server-cert.pem --ssl-key=server-key.pem
.. "show variables like 'have_openssl'" returns "YES" 

2) and with this

ssl-ca=cacert.pem 
ssl-cert=server-cert.pem 
ssl-key=server-key.pem
.. "show variables like 'have_openssl'" returns "DISABLED"

and connection is not possible in any case.

With 1) the Windows msg "can't open <ca-certificate file>" displays
With 2) the response is as with a server without SSL support (what one would expect when "show variables like 'have_openssl'" returns "DISABLED")

An addition to my first post: the 5.0.33 server is a MySQL source distro (as compiled by Webyog); the 5.0.32, 5.1.14 and 5.2.0 are binaries built by MySQL.
[26 Jan 2007 7:56] Magnus Blåudd
1) Please try with the full path to the cert files. I suspect that when running as service they are not found.

And with "ssl-ca=cacert.pem --ssl-cert=server-cert.pem --ssl-key=server-key.pem" on one line in my.cnf I suspect you set the variable ssl-ca="cacert.pem --ssl-cert=server-cert.pem --ssl-key=server-key.pem" so that's why mysqld believes it has initialised SSL correctly while it is actually missing the --ssl-cert and --ssl-key settings.
[1 Feb 2007 9:32] Peter Laursen
No change!

1)with this in .ini-file

ssl-ca=C:\Program Files\MySQL\MySQL Server 5.0\bin\cacert.pem --ssl-cert=C:\Program Files\MySQL\MySQL Server 5.0\bin\server-cert.pem --ssl-key=C:\Program Files\MySQL\MySQL Server 5.0\bin\server-key.pem
.. "show variables like 'have_openssl'" returns "YES" but a SSL connection error occurs.  With Command line client as well as SQLyog 5.23

2) and with this

ssl-ca=C:\Program Files\MySQL\MySQL Server 5.0\bin\cacert.pem 
ssl-cert=C:\Program Files\MySQL\MySQL Server 5.0\bin\server-cert.pem 
ssl-key=C:\Program Files\MySQL\MySQL Server 5.0\bin\server-key.pem
.. the server starts without SSL ("show variables like 'have_openssl'" returns "DISABLED")

When server is started as a user process (from the folder that holds the files), no problem with either the full path or just the files as parameters and both clients.

BTW: I am a little surprised by the formulation "I suspect ...".  Were you able to start MySQL as a Service on your system?  I might "suspect" that you did not try? You have a Windows system, don't you?? :-)
[1 Feb 2007 12:22] MySQL Verification Team
Thank you for the feedback. I edited the [mysql] and [mysqld] sections of the my.ini
file as shown below (notice the Unix type path).

C:\Arquivos de programas\MySQL\MySQL Server 5.0>type my.ini | findstr .pem
ssl-ca="c:/Arquivos de programas/MySQL/MySQL Server 5.0/ssl/cacert.pem"
ssl-cert="c:/Arquivos de programas/MySQL/MySQL Server 5.0/ssl/client-cert.pem"
ssl-key="c:/Arquivos de programas/MySQL/MySQL Server 5.0/ssl/client-key.pem"
ssl-ca="c:/Arquivos de programas/MySQL/MySQL Server 5.0/ssl/cacert.pem"
ssl-cert="c:/Arquivos de programas/MySQL/MySQL Server 5.0/ssl/server-cert.pem"
ssl-key="c:/Arquivos de programas/MySQL/MySQL Server 5.0/ssl/server-key.pem"

C:\Arquivos de programas\MySQL\MySQL Server 5.0>net start mysql

O serviço de MySQL foi iniciado com êxito.

C:\Arquivos de programas\MySQL\MySQL Server 5.0>bin\mysql --defaults-file="C:\Arquivos de programas\MySQL\MySQL Server 5.0\my.ini" -uroot -p -P3307
Enter password: *********
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 5.0.27-community-nt

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show variables like "%openssl%";
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl  | YES   |
+---------------+-------+
1 row in set (0.00 sec)

mysql>

Could you please try the above. Thanks in advance.
[1 Feb 2007 14:00] Peter Laursen
Thanks!

Actually only this:

ssl-ca="c:/Program Files/MySQL/MySQL Server 5.0/bin/cacert.pem"
ssl-cert="c:/Program Files/MySQL/MySQL Server 5.0/bin/server-cert.pem"
ssl-key="c:/Program Files/MySQL/MySQL Server 5.0/bin/server-key.pem"

.. will do in the [mysqld] section.  No need for the client key and certificate.

I admit that it was a little silly that I did not 'suspect' this ... :-)

But on Windows both:

datadir="C:\Program Files\MySQL\MySQL Server 5.0\Datatest"
and
datadir="C:/Program Files/MySQL/MySQL Server 5.0/Datatest" 
(note the non-standard path)

.. will work.  So why is the Windows file format not allowed with the 
ssl-ca, 
ssl-cert 
and ssl-key 
... parameters?
[1 Feb 2007 14:27] MySQL Verification Team
Thank you for the feedback. I must agree with you, so I suggest that you
change the bug report synopsis to reflect the actual issue with the
Windows standard path and severity S4. Do you agree? Thanks in advance.
[1 Feb 2007 14:38] Peter Laursen
I changed the synopsis.
[1 Feb 2007 14:43] Peter Laursen
But I do not agree that this is S4 (feature request).
I think it is a (small) bug.
But no big discussion ...
[1 Feb 2007 15:10] MySQL Verification Team
Thank you for the bug report.
[4 Feb 2007 21:13] Magnus Blåudd
Looks like I found the real cause of the problem. 

As we see from the tests above, there is no problem using either Unix, Windows or "mixed" format when starting mysqld with command-line arguments. But when using an ini file some problems appear. I wrote the minimal my.cnf file below.

[mysqld]
ssl-ca=test space
ssl-cert1=c:\program files\test\client.pem
ssl-cert2="c:\program files\test\client.pem"
ssl-cert3="c:\\program files\\test\\client.pem"
ssl-cert4="c:/program files/test/client.pem"
ssl-ca=C:\Program Files\MySQL\MySQL Server 5.0\bin\cacert.pem
ssl-cert=C:\Program Files\MySQL\MySQL Server 5.0\bin\server-cert.pem
ssl-key=C:\Program Files\MySQL\MySQL Server 5.0\bin\server-key.pem

And tested reading it with our "my_print_defaults" program. As seen below, it will mess up the characters after the second backslash and treat the \t as a tab character - that is the real reason why it does not work with the Windows file format.

$ ../extra/debug/my_print_defaults.exe --config-file=std_data/bug25748.cnf mysqld
--ssl-ca=test space
--ssl-cert1=c:\program files    est\client.pem
--ssl-cert2=c:\program files    est\client.pem
--ssl-cert3=c:\program files\test\client.pem
--ssl-cert4=c:/program files/test/client.pem
--ssl-ca=C:\Program Files\MySQL\MySQL Server 5.in\cacert.pem
--ssl-cert=C:\Program Files\MySQL\MySQL Server 5.in erver-cert.pem
--ssl-key=C:\Program Files\MySQL\MySQL Server 5.in erver-key.pem

Workaround. Use double backslashes in my.ini and my.cnf when using the windows path format.
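
The escape handling diagnosed in the comment above can be checked before a server restart. The following is an added example, not part of the original bug report or MySQL's own code: a simplified Python model of option-file unescaping that flags SSL path options whose backslash sequences would be rewritten. The function names and the escape table (the sequences MySQL documents for option files: \b, \t, \n, \r, \\, \s) are assumptions of this sketch.

```python
# Escapes MySQL documents for option-file values. Any other backslash pair is
# kept as-is, which matches the my_print_defaults output in the comment above.
ESCAPES = {"b": "\b", "t": "\t", "n": "\n", "r": "\r", "\\": "\\", "s": " "}

def decode_option_value(raw):
    """Simplified model of option-file unescaping.

    Returns (decoded_value, hits); hits lists the escapes that changed the
    value, excluding the harmless doubled backslash.
    """
    value = raw.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]  # surrounding quotes do not disable escaping
    out, hits, i = [], [], 0
    while i < len(value):
        nxt = value[i + 1] if i + 1 < len(value) else ""
        if value[i] == "\\" and nxt in ESCAPES:
            out.append(ESCAPES[nxt])
            if nxt != "\\":
                hits.append("\\" + nxt)
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out), hits

def lint_option_file(text, prefix="ssl-"):
    """Return (line_no, key, hits) for options whose path gets rewritten."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped[0] in "#;[" or "=" not in stripped:
            continue
        key, raw = (part.strip() for part in stripped.split("=", 1))
        _, hits = decode_option_value(raw)
        if key.startswith(prefix) and hits:
            findings.append((line_no, key, hits))
    return findings

# Constructed sample, reusing lines from the test my.cnf quoted above.
SAMPLE = r"""[mysqld]
ssl-cert1=c:\program files\test\client.pem
ssl-cert3="c:\\program files\\test\\client.pem"
ssl-cert4="c:/program files/test/client.pem"
ssl-key=C:\Program Files\MySQL\MySQL Server 5.0\bin\server-key.pem
"""

if __name__ == "__main__":
    for line_no, key, hits in lint_option_file(SAMPLE):
        print("line %d: %s contains %s" % (line_no, key, ", ".join(hits)))
```

A flagged line means the server would look for a different file name than the one written, so TLS may end up disabled or half-configured; doubling the backslashes or using forward slashes clears the finding.
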
[3 Jan 2008 16:57] sugumaran subramani
I installed MySQL on my Windows Server 2003 system and I get this type of error. How do I rectify it? ERROR 2003 (HY000): Can't connect to MySQL server on 'localhost' (10061)