Bug #26760 SSL support missing from 5.1.15-0 x86_64 Client Programs?
Submitted: 1 Mar 2007 18:13 Modified: 19 Dec 2008 18:27
Reporter: Darryl Rodden
Status: Closed
Category: MySQL Server: Compiling Severity: S3 (Non-critical)
Version: 5.1.15-0, 5.0 OS: Linux (Linux x86_64, 32-bit)
Assigned to: Joerg Bruehe CPU Architecture: Any
Tags: build, Client Programs, cyassl, SSL
Triage: Triaged: D3 (Medium)

[1 Mar 2007 18:13] Darryl Rodden

The 5.1.15-0 client programs (MySQL-client-5.1.15-0.glibc23.x86_64.rpm) for "Linux AMD64 / Intel EM64T generic RPM downloads" do not appear to have SSL compiled into them.  The mysql program will not allow the ssl-ca, ssl-cert, or ssl-key parameters on the command line or in the "my.cnf" file.  It gives me this error:  
mysql: unknown variable 'ssl-ca=/home/drodden/ca-cert.pem'

The program help also does not list the ssl options (mysql --help --verbose).

If I install the GA release client programs (MySQL-client-standard-5.0.27-0.rhel4.x86_64.rpm), it works correctly.


How to repeat:
Install the 5.1.15 client programs (MySQL-client-5.1.15-0.glibc23.x86_64.rpm) on an x86_64 client.

Make an SSL connection to a server:

mysql --ssl-ca=<ca-filename> --ssl-cert=<cert-filename> --ssl-key=<key-filename> -h<hostname> -u<username> -p

You can also try putting the SSL parameters into the my.cnf file and it will fail there as well.
[1 Mar 2007 21:24] Valeriy Kravchuk
Thank you for the problem report. Please try to repeat with a newer version, 5.1.16 (just released), and inform us about the results.
[1 Mar 2007 22:32] Darryl Rodden
I tried the MySQL-client-5.1.16-0.glibc23.x86_64.rpm and had the same result.  With both versions, the client seems to work correctly except for the SSL capability.  If I remove the SSL options from the my.cnf, it works.

I also tried the generic RPM MySQL-client-5.0.27-0.glibc23.x86_64.rpm (in my previous example above I used the 5.0.27 RHEL4 RPM) and had the same problem.  So the 5.0.27 RHEL4 RPM works, but the generic RPM does not.

I am running RHEL4.  Did I miss some README or install note that I cannot use the generic RPMs on RHEL4?

[2 Mar 2007 10:44] Sveta Smirnova
Thank you for the report.

Verified as described.

32-bit Linux is affected too.
[9 May 2007 9:11] Magnus Blåudd
The problem is that not all client libraries are built with SSL support.
[10 Jan 2008 20:44] Omer Barnir
Workaround: Using clients from a previous version can address the issue temporarily.
[25 Nov 2008 14:15] Joerg Bruehe
Checking the current situation in all 5.0 and 5.1 configurations,
so that we get it right "once and for all".
[28 Nov 2008 9:56] Joerg Bruehe
Result of a test build using the 5.0.72 sources, with yaSSL enforced everywhere:

- The builds fail on all AIX, all HP-UX, and SCO (x86) platforms;
  the i5os machine was not available (but typically is very similar to AIX).
  I have not yet analyzed the failures.

- gcc builds on Linux/x86 and Linux/x86_64 are ok, SSL tests pass
  (as far as RPMs are concerned, this is the initial scope of this bug report).

- icc builds on Linux/x86 and Linux/x86_64 are ok, SSL tests pass.

- icc builds on Linux/ia64 (both tar.gz and RPM) create binaries
  which pass the SSL tests in debug builds (non-optimized),
  but totally fail them when built with optimization.

From this result, it should be possible to enable yaSSL for the x86 and x86_64 RPMs (this bug) and for the icc-generated x86 and x86_64 RPMs.
[28 Nov 2008 18:44] Joerg Bruehe
I have changed the platform definitions in the release build scripts to include yaSSL as described above and just started a test run.
[1 Dec 2008 14:33] Joerg Bruehe
Experiments have shown that including yaSSL works fine in all
"generic" RPMs (not just x86_64, but also x86 and ia64)
as these are built using gcc (it fails with icc builds on ia64).

Also, it works in the icc builds for Linux/x86 and Linux/x86_64
(tar.gz format).

A tool change that ensures yaSSL will be contained in these builds
is currently in review.
[19 Dec 2008 14:01] Joerg Bruehe
Tool patch is pushed and will be used in future release builds:
5.0.76, 5.1.31, and 6.0.10

It affects "generic" RPMs only, but not the static one (doesn't fit).

Also, icc builds won't be changed even where it worked locally in tests;
including yaSSL would risk C++ runtime library dependencies which we cannot handle in tar.gz packages.
[19 Dec 2008 18:27] Paul Dubois
Noted in 5.0.76, 5.1.31, 6.0.10 changelogs.

SSL support was not included in some "generic" RPM packages.
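
The manual check from the original report (looking for the SSL options in `mysql --help --verbose`) can be scripted to audit installed clients before relying on them for encrypted connections. This is an added example, not part of the bug thread or MySQL's tooling; the function names `missing_ssl_options` and `check_client` are hypothetical and the sample help excerpts are constructed.

```shell
#!/bin/sh
# Added example: detect a mysql client built without SSL support by
# inspecting its help text, as the reporter did by hand.

# Reads help text on stdin, prints the SSL options it does not list
# (space-separated), and returns 0 only when none are missing.
missing_ssl_options() {
    help_text=$(cat)
    missing=""
    for opt in ssl-ca ssl-cert ssl-key; do
        # An option line is "  --name=..." or "  --name   ..."; the trailing
        # group keeps --ssl-ca from matching --ssl-capath.
        if ! printf '%s\n' "$help_text" |
            grep -Eq -e "^[[:space:]]*--$opt([[:space:]=]|\$)"; then
            missing="$missing $opt"
        fi
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Hypothetical wrapper: run the check against a client binary given as $1.
check_client() {
    "$1" --help --verbose 2>/dev/null | missing_ssl_options
}

# Constructed sample help excerpts (not captured from a real build).
SAMPLE_WITH_SSL='  --socket=name       Socket file to use for connection.
  --ssl-ca=name       CA file in PEM format.
  --ssl-capath=name   CA directory.
  --ssl-cert=name     X509 cert in PEM format.
  --ssl-key=name      X509 key in PEM format.'
SAMPLE_WITHOUT_SSL='  --socket=name       Socket file to use for connection.
  --user=name         User for login.'
SAMPLE_CAPATH_ONLY='  --ssl-capath=name   CA directory.'
```

Calling `check_client` with the path to a `mysql` binary prints the missing options and returns non-zero when the build lacks any of them, which makes it usable as a gate in a provisioning script.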