Bug #39301 GUI Tools ignore SSL-CIPHER
Submitted: 8 Sep 2008 8:25
Modified: 20 Oct 2009 6:26
Reporter: Yuri
Status: Won't fix
Category: MySQL GUI Common
Severity: S3 (Non-critical)
Version: 5.0-r12
OS: Any
Assigned to:
CPU Architecture: Any
Tags: Cipher, GUI, SSL

[8 Sep 2008 8:25] Yuri  
Description:
GUI is unusable when there is a limitation on cipher to use.

How to repeat:
Configure MySQL Server with SSL support appropriately (this involves creation of X509 certificates)
[mysqld]
ssl-ca=C:/cacert.pem
ssl-cert=C:/server-cert.pem
ssl-key=C:/server-key.pem

CREATE USER ''@'localhost';
GRANT USAGE ON *.* TO ''@'localhost' REQUIRE CIPHER 'EDH-RSA-DES-CBC3-SHA';

At this point the MySQL client should be able to successfully connect to the MySQL server:

mysql --protocol=tcp --user= --ssl-ca=C:\cacert.pem --ssl-cert=C:\client-cert.pem --ssl-key=C:\client-key.pem --ssl-cipher=EDH-RSA-DES-CBC3-SHA

MySQL GUI Tools connection settings are stored in file %AppData%\MySQL\mysqlx_user_connections.xml
which needs to be updated manually (cf. Bug #31547):
<?xml version="1.0"?>
<user_connections>
<user_connection>
<connection_name>localhost</connection_name>
<hostname>localhost</hostname>
<port>3306</port>
<advanced_options>
<advanced_option>SSL_CA=C:/cacert.pem</advanced_option>
<advanced_option>SSL_CERT=C:/client-cert.pem</advanced_option>
<advanced_option>SSL_KEY=C:/client-key.pem</advanced_option>
<advanced_option>SSL_CIPHER=EDH-RSA-DES-CBC3-SHA</advanced_option>
<advanced_option>USE_SSL=Yes</advanced_option>
</advanced_options>
<connection_type>0</connection_type>
<storage_type>1</storage_type>
<password/>
</user_connection>
</user_connections>

Now any attempt to establish a secure connection using MySQL Administrator or Query Browser will fail. The error log of the MySQL server will contain the explanation:

[Note] X509 ciphers mismatch: should be 'EDH-RSA-DES-CBC3-SHA' but is 'DHE-RSA-AES256-SHA'
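
The following is an added example, not part of the original report or of any MySQL code: a Python check that reads the SSL_CIPHER option from a mysqlx_user_connections.xml file and compares it with "X509 ciphers mismatch" lines from the server error log, to show when a client was configured with the required cipher but negotiated another one. The function names, the log timestamps and the sample inputs are constructed; matching a log line to a connection by cipher name is an assumption, since the log line does not identify the client.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, shortened from the connection file shown in the report.
CONNECTIONS_XML = """<?xml version="1.0"?>
<user_connections>
<user_connection>
<connection_name>localhost</connection_name>
<advanced_options>
<advanced_option>SSL_CIPHER=EDH-RSA-DES-CBC3-SHA</advanced_option>
<advanced_option>USE_SSL=Yes</advanced_option>
</advanced_options>
</user_connection>
</user_connections>"""

# Constructed error-log excerpt; only the [Note] text comes from the report.
ERROR_LOG = """\
080908  8:25:01 [Note] X509 ciphers mismatch: should be 'EDH-RSA-DES-CBC3-SHA' but is 'DHE-RSA-AES256-SHA'
080908  8:25:09 [Note] unrelated line
"""

MISMATCH = re.compile(r"X509 ciphers mismatch: should be '([^']+)' but is '([^']+)'")

def configured_ciphers(xml_text):
    """Map connection name -> SSL_CIPHER for connections with USE_SSL=Yes."""
    result = {}
    for conn in ET.fromstring(xml_text).iter("user_connection"):
        opts = dict(o.text.split("=", 1) for o in conn.iter("advanced_option")
                    if o.text and "=" in o.text)
        if opts.get("USE_SSL", "").lower() == "yes" and "SSL_CIPHER" in opts:
            result[conn.findtext("connection_name")] = opts["SSL_CIPHER"]
    return result

def mismatches(log_text):
    """Return (required, negotiated) cipher pairs found in the error log."""
    return MISMATCH.findall(log_text)

def ignored_cipher_settings(xml_text, log_text):
    """Connections configured with the cipher the server required, although
    the server logged a different negotiated cipher (setting was not applied)."""
    cfg = configured_ciphers(xml_text)
    return [(name, cipher, got)
            for required, got in mismatches(log_text)
            for name, cipher in cfg.items() if cipher == required != got]

if __name__ == "__main__":
    for name, want, got in ignored_cipher_settings(CONNECTIONS_XML, ERROR_LOG):
        print(f"{name}: configured {want}, server negotiated {got}")
```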
[8 Sep 2008 8:26] Yuri  
Sample certificates

Attachment: files.zip (application/x-zip-compressed, text), 6.23 KiB.

[10 Sep 2008 16:23] MySQL Verification Team
Thank you for the bug report.
[25 Feb 2009 12:31] Mike Lischke
Just a hint: the SSL options can be set on the Advanced Options tab in the connections editor. So you don't *have* to go directly to the metal (read: xml file).
[20 Oct 2009 6:26] Susanne Ebrecht
Many thanks for writing a bug report. We are on the way to implement full functionality of
MySQL GUI tools into MySQL Workbench. We won't fix this anymore.

More information about MySQL Workbench can be found here:

http://dev.mysql.com/workbench/