Bug #37528 ssl key/cert pair stopped working after 5.0.45-community
Submitted: 19 Jun 2008 17:16 Modified: 3 Feb 2010 11:49
Reporter: Matthew Lord
Status: Not a Bug
Category: MySQL Server: General Severity: S2 (Serious)
Version: 5.0.62 OS: Any
Assigned to: Davi Arnaut CPU Architecture: Any
Tags: SSL

[19 Jun 2008 17:16] Matthew Lord
Description:
The attached keys and configuration worked with 5.0 up until 5.0.45.  They have not worked with any releases since and there are no helpful error messages explaining the reason:

mysql
ERROR 2026 (HY000): SSL connection error

How to repeat:
mkdir /tmp/ssltest
cp server.crt /tmp/ssltest
cp server.key /tmp/ssltest
chown -R mysql:mysql /tmp/ssltest

use attached my.cnf file or add these lines to your existing one:
[mysqld]
ssl                         = 1
ssl-ca                      = /dev/null
ssl-cert                    = /tmp/ssltest/server.crt
ssl-key                     = /tmp/ssltest/server.key

[client]
ssl                         = 1
ssl-ca                      = /dev/null
ssl-cert                    = /tmp/ssltest/server.crt
ssl-key                     = /tmp/ssltest/server.key

/etc/init.d/mysql start
mysql 

Suggested fix:
We at least need to know what the problem is and why the keys no longer work.  I hope that we can again make these keys work as they are used for other applications as well.
[15 Jul 2008 18:34] Matthew Lord
I created a trace file and attached the relevant portion to the bug report.
[15 Jul 2008 18:35] Matthew Lord
relevant portion of a trace file

Attachment: mysqld.trace (application/octet-stream, text), 0 bytes.

[15 Jul 2008 18:40] Matthew Lord
trying again...  This is the relevant part of the trace file

Attachment: mysqld.trace (application/octet-stream, text), 4.46 KiB.

[4 Aug 2008 12:34] Davi Arnaut
It seems we have an incompatibility between yaSSL and OpenSSL with respect to the certificate verification callback.

The certificates are self-signed and are both set on the client and the server without a CA cert. In the client we disable certificate verification if the CA cert (ssl-ca) is not specified but we don't do this on the server side and certificate verification fails as expected (both on yaSSL and OpenSSL) when the server tries to verify the client certificate.

But once the verification fails, OpenSSL calls the verification callback. The MySQL verification callback (vio_verify_callback) approves the certificate if its depth is 0 (self-signed), this is ugly and buggy stuff but it works so far for MySQL linked with OpenSSL. Unfortunately yaSSL does not implement the verify callback and the verification fails and the server closes the connection to the client.

In order to fix this we could disable (SSL_VERIFY_NONE) the certificate verification on the server side if no CA cert is specified, but this would somewhat break some OpenSSL scenarios. For example, during the verification it checks whether the certificate is in the list of trusted certificates (in case the admin added the certificate to the list of trusted ones) and approves the certificate if it's found there.

I think the best option for now is to make our hack of the verify callback work. I'm going to e-mail the yaSSL guys and ask what they think about it.
[23 Sep 2009 7:22] Domas Mituzas
SSL shouldn't work if CA is not specified, or should turn off verification entirely. There's no point having keys and certificates if they are not verified. 

So, this is either "not a bug", or "feature request" (for VERIFY_NONE).
[27 Nov 2009 15:52] Tomas Hoger
Is this a bug or misconfiguration?  I'm not sure if the intention is to use client certificates or not.  If client certificates are not needed, shouldn't the config be as:

[mysqld]
ssl-key = server.key
ssl-cert = server.crt
# no ssl-ca set

[client]
ssl = 1
ssl-ca = server.crt

If same key/cert is expected to be used both client and server (sic), shouldn't the config for both mysqld and client be changed to have ssl-ca = server.crt instead of /dev/null?
[3 Feb 2010 11:49] Davi Arnaut
As Tomas rightly appoints and in the light of Bug#47320, a self-signed certificate should always be indicated as trusted. Pointing --ssl-ca to the self-signed certificate effectively sets the certificate as a trusted one. Closing as not a bug.
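The resolution above comes down to a configuration rule: a peer certificate can only be verified against a trust anchor, so `ssl-ca = /dev/null` (or no `ssl-ca` at all) on the side that receives a certificate guarantees a failed handshake, and for a self-signed certificate the trust anchor is the certificate itself. The following linter, an added example that is not part of the bug report or of MySQL's own code, parses my.cnf text with Python's `configparser` and flags exactly the two mistakes discussed in the thread: a client with no `ssl-ca` (which, per Davi's comment, simply skips server verification), and a client that presents a certificate to a server that has no `ssl-ca` to check it against. It assumes that an empty or `/dev/null` `ssl-ca` means "no CA", and the two embedded configurations are the reporter's failing one and Tomas's corrected one, copied from the thread.

```python
import configparser

# Values of ssl-ca that leave MySQL without any trust anchor. The thread's
# failing configuration used /dev/null, i.e. an empty CA file (assumption:
# we treat it exactly like an unset ssl-ca).
NO_CA_VALUES = {"", "/dev/null"}

# Failing configuration from the bug report: the same self-signed cert on
# both sides and no CA anywhere.
BAD_CNF = """
[mysqld]
ssl      = 1
ssl-ca   = /dev/null
ssl-cert = /tmp/ssltest/server.crt
ssl-key  = /tmp/ssltest/server.key

[client]
ssl      = 1
ssl-ca   = /dev/null
ssl-cert = /tmp/ssltest/server.crt
ssl-key  = /tmp/ssltest/server.key
"""

# Corrected configuration suggested in the thread: the server presents the
# self-signed cert, the client trusts exactly that cert and sends none of its own.
GOOD_CNF = """
[mysqld]
ssl-key  = server.key
ssl-cert = server.crt
# no ssl-ca set

[client]
ssl    = 1
ssl-ca = server.crt
"""


def parse_my_cnf(text):
    """Parse my.cnf-style text; bare options such as 'ssl' carry no value."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.read_string(text)
    return cp


def _opts(cp, section):
    """Options of one section as a dict, or {} when the section is absent."""
    return dict(cp.items(section)) if cp.has_section(section) else {}


def lint_ssl_config(text):
    """Return {section: [finding, ...]} for the SSL trust settings in text.

    An empty dict means no problem was found."""
    cp = parse_my_cnf(text)
    server, client = _opts(cp, "mysqld"), _opts(cp, "client")
    findings = {"mysqld": [], "client": []}

    # A cert without its private key (or vice versa) can never be loaded.
    for name, opts in (("mysqld", server), ("client", client)):
        if ("ssl-cert" in opts) != ("ssl-key" in opts):
            findings[name].append("ssl-cert and ssl-key must be set together")

    # Client side: without a CA the client has nothing to verify the server
    # certificate against (MySQL 5.0 then skips verification entirely).
    client_ca = (client.get("ssl-ca") or "").strip()
    if client and client_ca in NO_CA_VALUES:
        findings["client"].append(
            "no ssl-ca: the client cannot verify the server certificate; "
            "point ssl-ca at the issuing CA or, for a self-signed server "
            "certificate, at that certificate itself")

    # Server side: a client certificate is only a problem when the server is
    # asked to verify it and has no trust anchor to do so.
    server_ca = (server.get("ssl-ca") or "").strip()
    if server and "ssl-cert" in client and server_ca in NO_CA_VALUES:
        findings["mysqld"].append(
            "client presents a certificate but the server has no ssl-ca to "
            "verify it against; set ssl-ca to the issuing CA (or to the "
            "self-signed client certificate) or drop ssl-cert/ssl-key from [client]")

    return {k: v for k, v in findings.items() if v}


if __name__ == "__main__":
    for label, cnf in (("bug report config", BAD_CNF), ("corrected config", GOOD_CNF)):
        print(label, "->", lint_ssl_config(cnf) or "ok")
```

Run against the reporter's configuration the linter reports both sections; against the corrected one it reports nothing, which matches the thread's conclusion that the fix is a trust-anchor setting, not a server bug. The check deliberately does not try to decide whether a certificate file is self-signed: that needs an X.509 parser, and the configuration-level rule is the same either way.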