Bug #28543 ssl-cipher disables SSL support on server
Submitted: 20 May 2007 18:51 Modified: 3 Dec 2007 16:14
Reporter: Christopher Weldon Email Updates:
Status: Closed Impact on me: None
Category: MySQL Server: Documentation Severity: S2 (Serious)
Version: 5.0.40, 5.1, 5.2, 5.0 BK OS: Linux (Gentoo 2.6.20)
Assigned to: Paul DuBois CPU Architecture: Any
Tags: have_openssl, have_ssl, openssl, ssl-cipher

[20 May 2007 18:51] Christopher Weldon
Description:
Whenever I start the MySQL server with --ssl-cipher=(specify cipher options here), the MySQL server loses the capability of SSL connections. Generally, I have been putting --ssl-cipher=ALL:-AES:-EXP, but even with --ssl-cipher=ALL, the server is still unable to start with SSL:

mysql> show variables like '%have%';

<SNIP>

| have_ndbcluster                 | NO                                                     | 
| have_openssl                    | DISABLED                                                    | 
| have_ssl                        | DISABLED                                                    | 
| have_query_cache                | YES                                                    | 
| have_raid                       | NO                                                     | 
| have_rtree_keys                 | YES                                                    | 

</SNIP>

However, whenever I start MySQL Server without the --ssl-cipher option, it does start fine and even shows have_openssl and have_ssl with YES, but when I attempt to establish a connection from a MySQL 5.0.40 client, I get ERROR 2026 (HY000): SSL connection error, with no further debugging information.

All other ssl options are specified appropriately with permissions being set accordingly. Namely:

--ssl-ca=/etc/ssl/certs/serverCA.pem
--ssl-key=/etc/ssl/private/serverKey.pem
--ssl-cert=/etc/ssl/certs/serverCert.pem

Are specified either on the command line or in the my.cnf file.

How to repeat:
In the my.cnf file, specify:

[server]
ssl-ca=/path/to/certificateAuthority/cert.pem
ssl-key=/path/to/ssl/key.pem
ssl-cert=/path/to/ssl/cert.pem
ssl-cipher=ALL:-AES:-EXP

Or, on the command line when running mysqld_safe, use the options:

--ssl-ca=/path/to/certificateAuthority/cert.pem --ssl-key=/path/to/ssl/key.pem --ssl-cert=/path/to/ssl/cert.pem --ssl-cipher=ALL:-AES:-EXP
[10 Aug 2007 7:30] Sveta Smirnova
Thank you for the report.

Verified as described with all versions since 5.0.42. But the bug is not repeatable with version 5.0.40 for me.
[10 Aug 2007 7:31] Sveta Smirnova
For verification I used the following test, loadable by our test suite:

$cat ssl_bug28543.test
--source include/have_ssl.inc

connect (ssl_con,localhost,root,,,,,SSL);

# Check ssl turned on
SHOW STATUS LIKE 'ssl%';

$cat ssl_bug28543-master.opt
--ssl-cipher=ALL:-AES:-EXP
[20 Aug 2007 17:52] Magnus Blåudd
The MySQL Server does not support specifying what ciphers to use in a "regex-like" fashion like that when it has been compiled with the yaSSL SSL library. I assume you have checked the OpenSSL documentation to find that way to specify what ciphers to use.

It does however support specifying a semicolon separated list of full cipher names, e.g. "--ssl-cipher=AES128-SHA" or "--ssl-cipher=UNKNOWN:AES128-SHA", where it will select the first found cipher in the list. Please try this way to see if it fulfills your needs.

Normally this argument is used on the client side to control what cipher to use when connecting to the server. That is because the server has much more advanced control of what cipher to use by using the GRANT syntax described here http://dev.mysql.com/doc/refman/5.0/en/grant.html: you can actually specify what cipher to use on db, table or user level instead of globally for the whole server (although I guess that could also be useful).

Will keep the bug open for now so we can examine the difference of --ssl-cipher when using a MySQL with yaSSL compared to OpenSSL. At least the documentation needs to be updated.

Hope this helps for now.
[21 Aug 2007 11:03] Magnus Blåudd
We recently changed the check of returncode from 'SSL_CTX_set_cipher_list' - the function used to pass the ssl-cipher value to the SSL library - as part of BUG#21611.

That change causes the mysqld to turn off SSL if a "ssl-cipher" string that is unknown to the SSL library is used.

Unfortunately the error reporting mechanism in this area is not good and thus no error message indicating the problem is sent to the servers error log.
[21 Aug 2007 12:14] Magnus Blåudd
When mysqld fails to setup SSL it will print an error message to the error log saying:
070821 15:12:29 [Warning] Failed to setup SSL

and then start without SSL support
[21 Aug 2007 13:26] Michael Widenius
Removed show stopper flag as there is a workaround that works for all MySQL versions.
[5 Oct 2007 10:06] Magnus Blåudd
There are two different ways to fix this bug:
1. Implement support for all of OpenSSL's different ways of specifying cipher lists in yaSSL.
2. Implement a function that takes an OpenSSL cipher list string and outputs a yaSSL cipher list that can then be passed to yaSSL if we are using yaSSL.
I would prefer 2) since it's less intrusive on the somewhat lightweight yaSSL library. Of course we can always donate that function to yaSSL for anyone to use if they like.
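The following is an added illustration of fix option 2 above, and of the syntax gap described in the 20 Aug comment; it is not MySQL or yaSSL code and was not part of this bug report. It expands an OpenSSL-style cipher-list string such as ALL:-AES:-EXP into the explicit, colon-separated suite names that a yaSSL-built server understands. The suite table is constructed for the example (a handful of SSLv3/TLS 1.0-era suites with the attributes the OpenSSL keywords select on), and only a subset of the ciphers(1) rules is implemented: the ALL/HIGH/MEDIUM/LOW/EXP and algorithm keywords, exact suite names, the "-", "!" and "+" prefixes, "+"-joined conjunctions and @STRENGTH. The strength classes are approximations of the OpenSSL definitions of the time, not an exact copy.

```python
"""Expand an OpenSSL cipher-list spec into an explicit yaSSL cipher list.

Added example (not MySQL/yaSSL code). SUITES and KEYWORDS are constructed
for illustration and cover only a subset of OpenSSL's ciphers(1) syntax.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str        # key exchange: "RSA" or "DH" (ephemeral DH, RSA-signed)
    enc: str       # bulk cipher
    bits: int      # effective key length
    mac: str
    export: bool = False


# Constructed table, in OpenSSL's default preference order for the era.
SUITES: List[Suite] = [
    Suite("DHE-RSA-AES256-SHA", "DH", "AES", 256, "SHA1"),
    Suite("AES256-SHA", "RSA", "AES", 256, "SHA1"),
    Suite("DHE-RSA-AES128-SHA", "DH", "AES", 128, "SHA1"),
    Suite("AES128-SHA", "RSA", "AES", 128, "SHA1"),
    Suite("EDH-RSA-DES-CBC3-SHA", "DH", "3DES", 168, "SHA1"),
    Suite("DES-CBC3-SHA", "RSA", "3DES", 168, "SHA1"),
    Suite("RC4-SHA", "RSA", "RC4", 128, "SHA1"),
    Suite("RC4-MD5", "RSA", "RC4", 128, "MD5"),
    Suite("EXP-RC4-MD5", "RSA", "RC4", 40, "MD5", export=True),
    Suite("EXP-DES-CBC-SHA", "RSA", "DES", 40, "SHA1", export=True),
]

# Keyword -> predicate. Strength classes approximate OpenSSL's old definitions.
KEYWORDS: Dict[str, Callable[[Suite], bool]] = {
    "ALL": lambda s: True,
    "HIGH": lambda s: s.enc in ("AES", "3DES"),
    "MEDIUM": lambda s: s.enc == "RC4" and not s.export,
    "LOW": lambda s: s.enc == "DES" and not s.export,
    "EXP": lambda s: s.export,
    "EXPORT": lambda s: s.export,
    "AES": lambda s: s.enc == "AES",
    "3DES": lambda s: s.enc == "3DES",
    "DES": lambda s: s.enc == "DES",
    "RC4": lambda s: s.enc == "RC4",
    "SHA": lambda s: s.mac == "SHA1",
    "SHA1": lambda s: s.mac == "SHA1",
    "MD5": lambda s: s.mac == "MD5",
    "kRSA": lambda s: s.kx == "RSA",
    "DH": lambda s: s.kx == "DH",
    "EDH": lambda s: s.kx == "DH",
    "DHE": lambda s: s.kx == "DH",
}


def _matches(token: str, suite: Suite) -> bool:
    """An exact suite name, or keywords joined by '+' that must all hold."""
    if token == suite.name:
        return True
    preds = [KEYWORDS.get(part) for part in token.split("+")]
    return all(p is not None and p(suite) for p in preds)


def expand_cipher_list(spec: str) -> List[str]:
    """Apply the cipher-list rules to SUITES and return the selected names.

    Like SSL_CTX_set_cipher_list: unknown words are ignored, and the only
    failure signal is an empty result (which mysqld, after BUG#21611, turns
    into 'Failed to setup SSL' and have_ssl=DISABLED)."""
    selected: List[Suite] = []
    killed: Set[str] = set()
    for raw in spec.replace(",", ":").replace(" ", ":").split(":"):
        if not raw:
            continue
        if raw == "@STRENGTH":              # sort by key length, stable
            selected.sort(key=lambda s: -s.bits)
            continue
        op, token = (raw[0], raw[1:]) if raw[0] in "-!+" else ("", raw)
        hit = {s.name for s in SUITES if _matches(token, s)}
        if op == "!":                       # delete permanently
            killed |= hit
            selected = [s for s in selected if s.name not in killed]
        elif op == "-":                     # delete, may be re-added later
            selected = [s for s in selected if s.name not in hit]
        elif op == "+":                     # move already-selected to the end
            moved = [s for s in selected if s.name in hit]
            selected = [s for s in selected if s.name not in hit] + moved
        else:                               # add, in table order, once
            for s in SUITES:
                if s.name in hit and s.name not in killed and s not in selected:
                    selected.append(s)
    return [s.name for s in selected]


def to_yassl_cipher_option(spec: str) -> str:
    """Value to write into --ssl-cipher for a yaSSL-built mysqld."""
    names = expand_cipher_list(spec)
    if not names:
        raise ValueError(f"{spec!r} selects no cipher suites; mysqld would "
                         "log 'Failed to setup SSL' and disable SSL")
    return ":".join(names)


if __name__ == "__main__":
    for spec in ("ALL:-AES:-EXP", "HIGH:!RC4:@STRENGTH", "UNKNOWN:AES128-SHA"):
        print(f"{spec:22} -> {to_yassl_cipher_option(spec)}")
```

With a real OpenSSL build, `openssl ciphers -v 'ALL:-AES:-EXP'` prints the authoritative expansion for that library's own suite table; the point of the translator is that the explicit list it emits is accepted by both builds, so a my.cnf written this way does not silently drop SSL on a yaSSL server.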
[21 Oct 2007 17:16] Trudy Pelzer
From: "Timothy Smith"
Subject: Re: Bug #28543 ssl-cipher disables SSL support on server
...
> The problem is that yaSSL doesn't implement the same syntax for
> specifying which ciphers to accept as OpenSSL.  OpenSSL implements a
> very flexible (and complex to implement) syntax for this.  yaSSL
> implements a very simple syntax.
> 
> Implementing the full OpenSSL syntax is something we could add, and
> would very likely be accepted by the yaSSL maintainer for inclusion in
> yaSSL itself.  But it's not something to be done hastily, nor is it
> really very important for usability, IMO.
> 
> We should document the differences (our current documentation matches
> the OpenSSL case), but I think implementing the full OpenSSL syntax
> should be handled as a new feature.  Yes, it's regressive behavior, due
> to changing which library we use.  But the reality of what it'll take to
> fix it, vs. the (I believe) low impact on the user, makes me recommend
> not escalating the bug.
[3 Dec 2007 16:14] Paul DuBois
Thank you for your bug report. This issue has been addressed in the documentation. The updated documentation will appear on our website shortly, and will be included in the next release of the relevant products.

I've updated the description for the --ssl-cipher option to indicate that the option value should be a list of one or more cipher names, separated by colons. I've also indicated that the full OpenSSL syntax is supported, but for better portability, it's best to stick with the list of cipher names, because that is all that yaSSL supports.