| Bug #37528 | ssl key/cert pair stopped working after 5.0.45-community | | |
|---|---|---|---|
| Submitted: | 19 Jun 2008 17:16 | Modified: | 3 Feb 2010 11:49 |
| Reporter: | Matthew Lord | Email Updates: | |
| Status: | Not a Bug | Impact on me: | |
| Category: | MySQL Server: General | Severity: | S2 (Serious) |
| Version: | 5.0.62 | OS: | Any |
| Assigned to: | Davi Arnaut | CPU Architecture: | Any |
| Tags: | SSL | | |
[19 Jun 2008 17:16]
Matthew Lord
[15 Jul 2008 18:34]
Matthew Lord
I created a trace file and attached the relevant portion to the bug report.
[15 Jul 2008 18:35]
Matthew Lord
relevant portion of a trace file
Attachment: mysqld.trace (application/octet-stream, text), 0 bytes.
[15 Jul 2008 18:40]
Matthew Lord
trying again... This is the relevant part of the trace file
Attachment: mysqld.trace (application/octet-stream, text), 4.46 KiB.
[4 Aug 2008 12:34]
Davi Arnaut
It seems we have an incompatibility between yaSSL and OpenSSL with respect to the certificate verification callback. The certificates are self-signed and are both set on the client and the server without a CA cert. In the client we disable certificate verification if the CA cert (ssl-ca) is not specified, but we don't do this on the server side, and certificate verification fails as expected (both on yaSSL and OpenSSL) when the server tries to verify the client certificate.

But once the verification fails, OpenSSL calls the verification callback. The MySQL verification callback (vio_verify_callback) approves the certificate if its depth is 0 (self-signed); this is ugly and buggy stuff, but it works so far for MySQL linked with OpenSSL. Unfortunately yaSSL does not implement the verify callback, so the verification fails and the server closes the connection to the client.

In order to fix this we could disable (SSL_VERIFY_NONE) the certificate verification on the server side if no CA cert is specified, but this would somewhat break some OpenSSL scenarios. For example, during the verification it checks whether the certificate is in the list of trusted certificates (in case the admin added the certificate to the list of trusted ones) and approves the certificate if it's found there. I think the best option for now is to make our hack of the verify callback work. I'm going to e-mail the yaSSL guys and ask what they think about it.
[23 Sep 2009 7:22]
Domas Mituzas
SSL shouldn't work if CA is not specified, or should turn off verification entirely. There's no point having keys and certificates if they are not verified. So, this is either "not a bug", or "feature request" (for VERIFY_NONE).
[27 Nov 2009 15:52]
Tomas Hoger
Is this a bug or misconfiguration? I'm not sure if the intention is to use client certificates or not. If client certificates are not needed, shouldn't the config be as:

```ini
[mysqld]
ssl-key = server.key
ssl-cert = server.crt
# no ssl-ca set

[client]
ssl = 1
ssl-ca = server.crt
```

If the same key/cert is expected to be used for both client and server (sic), shouldn't the config for both mysqld and client be changed to have ssl-ca = server.crt instead of /dev/null?
[3 Feb 2010 11:49]
Davi Arnaut
As Tomas rightly points out, and in the light of Bug#47320, a self-signed certificate should always be indicated as trusted. Pointing --ssl-ca to the self-signed certificate effectively sets the certificate as a trusted one. Closing as not a bug.
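The three verification outcomes discussed in this thread (no trust anchor, an unrelated trust anchor, and the self-signed certificate used as its own trust anchor), reproduced with the openssl command line as an added example that is not part of the bug report or of MySQL's code. It assumes an openssl binary on PATH and constructs its own throwaway certificates in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the bug report: reproduce with the openssl CLI why a
# self-signed key/cert pair is rejected unless the certificate itself is the CA.
# Assumes an openssl binary on PATH; all files are throwaway, made in a temp dir.

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORKDIR=$(mktemp -d)
KEY="$WORKDIR/server.key"
CERT="$WORKDIR/server.crt"
OTHER_CA="$WORKDIR/other.crt"   # an unrelated self-signed cert, constructed below

# Constructed self-signed pair, playing the role of ssl-key/ssl-cert in the report.
# $1 = CN, $2 = key path, $3 = cert path
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2" -out "$3" >/dev/null 2>&1
}

# Returns 0 when server.crt verifies against the CA file given as $1, else non-zero.
# This is the same X.509 chain check the server performs on a client certificate.
verify_with_ca() {
    openssl verify -CAfile "$1" "$CERT" >/dev/null 2>&1
}

# One result per ssl-ca setting discussed in the thread:
#   /dev/null  -> no trust anchor at all (the original configuration)
#   other.crt  -> a trust anchor that is not this cert: depth-0 self-signed error,
#                 the case vio_verify_callback waved through on OpenSSL and yaSSL refused
#   server.crt -> the cert is its own trust anchor, which is the resolution
scenario_summary() {
    r1=fail; r2=fail; r3=fail
    verify_with_ca /dev/null   && r1=ok
    verify_with_ca "$OTHER_CA" && r2=ok
    verify_with_ca "$CERT"     && r3=ok
    echo "ssl-ca=/dev/null:$r1 ssl-ca=other.crt:$r2 ssl-ca=server.crt:$r3"
}

make_selfsigned mysql-selfsigned-example "$KEY" "$CERT"
make_selfsigned unrelated-ca "$WORKDIR/other.key" "$OTHER_CA"
scenario_summary
```

Only the last scenario succeeds, which is exactly what pointing ssl-ca at server.crt achieves in the closing comment.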