Bug #53547 ODBC connector does not work with SSL connections
Submitted: 10 May 2010 20:27
Modified: 8 Nov 2011 9:30
Reporter: Justin Baugh
Status: Verified
Category: Connector / ODBC
Severity: S2 (Serious)
Version: 5.1.6
OS: Mac OS X (10.6.3)
Assigned to: Bogdan Degtyariov
CPU Architecture: Any
Tags: odbc osx

[10 May 2010 20:27] Justin Baugh
Description:
The ODBC connector does not seem to work with SSL. Any configuration of SSL using either the ODBC Administrator in OS X or the command line utility results in the following output from the diagnostic panel when you click "Test":

[MySQL][ODBC 5.1 Driver]SSL connection error

Command line using the same certificate works as expected:

[aisling:~]$ mysql5 --ssl --ssl-ca ~/path-to-ca.pem -h hostname -u username -pseekrit
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 59
Server version: 5.0.77 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \s
--------------
mysql5  Ver 14.14 Distrib 5.1.45, for apple-darwin10.3.0 (i386) using readline 6.1

Connection id:		59
Current database:	
Current user:		username@host
SSL:			Cipher in use is DHE-RSA-AES256-SHA

How to repeat:
I tried the following to create a new DSN:

myodbc-installer -s -a -n 'test' -t "DRIVER=MySQL ODBC 5.1 Driver;SERVER=<server>;DATABASE=<db>;UID=<uid>;PWD=<pwd>;SSLCA=/Users/username/path-to-ca.pem;SSLVERIFY=0"

myodbc-installer -s -a -n 'test' -t "DRIVER=MySQL ODBC 5.1 Driver;SERVER=<server>;DATABASE=<db>;UID=<uid>;PWD=<pwd>;SSLCA=/Users/username/path-to-ca.pem;SSLVERIFY=1"

myodbc-installer -s -a -n 'test' -t "DRIVER=MySQL ODBC 5.1 Driver;SERVER=<server>;DATABASE=<db>;UID=<uid>;PWD=<pwd>;SSLCA=/tmp/path-to-ca.pem;SSLVERIFY=0"

myodbc-installer -s -a -n 'test' -t "DRIVER=MySQL ODBC 5.1 Driver;SERVER=<server>;DATABASE=<db>;UID=<uid>;PWD=<pwd>;SSLCA=/tmp/path-to-ca.pem;SSLVERIFY=1"

In all cases I verified that the CA certificate is readable by all users.

[6 Apr 2011 3:01] Eric Light
We're seeing identical behaviour on Windows 7 here.

[16 Jun 2011 18:34] brad barden
I can confirm that this is a problem on Windows XP as well.

The ONLY way I've been able to get ssl working with Connector/ODBC is with a client key and cert, and the client cert must be signed by the same CA as the server's certificate.

Neither of these is appropriate. A client should not be required to provide a key/certificate pair at all. If they are provided, they could be signed by any CA in the world (or none); it's up to the server to determine if a client's certificate is valid.
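
Added example (not part of any comment in this report, and not Connector/ODBC code): a small lint for DSN strings like the ones tried above, reporting whether a string asks for CA-only or client-certificate TLS and flagging settings that weaken it, such as a trust anchor kept under /tmp. The function names, sample host and user are invented, and a missing SSLVERIFY is assumed to behave like SSLVERIFY=0.

```python
import re

# KEY=value pairs separated by ';'; a value may be wrapped in {...} to hold ';'.
PAIR = re.compile(r"\s*([^=;]+?)\s*=\s*(\{[^}]*\}|[^;]*)(?:;|$)")

def parse_dsn(conn_str):
    """Split an ODBC connection string into an upper-cased key -> value dict."""
    opts = {}
    for key, val in PAIR.findall(conn_str):
        val = val.strip()
        if val.startswith("{") and val.endswith("}"):
            val = val[1:-1]
        opts[key.upper()] = val
    return opts

def audit_tls(conn_str):
    """Return (mode, findings) for the TLS options in a Connector/ODBC DSN."""
    opts = parse_dsn(conn_str)
    ca, cert, key = (opts.get(k, "") for k in ("SSLCA", "SSLCERT", "SSLKEY"))
    if cert and key:
        mode = "mutual"        # client key/cert supplied, as in the workaround
    elif ca or cert or key:
        mode = "server-auth"   # CA only: the setup the report expects to work
    else:
        mode = "none"
    findings = []
    if bool(cert) != bool(key):
        findings.append("SSLCERT and SSLKEY must be given together")
    # Assumption: a missing SSLVERIFY behaves like SSLVERIFY=0.
    if mode != "none" and opts.get("SSLVERIFY", "0") != "1":
        findings.append("server certificate not verified (SSLVERIFY is not 1)")
    if ca.startswith(("/tmp/", "/var/tmp/")):
        findings.append("SSLCA is in a world-writable directory")
    if opts.get("PWD"):
        findings.append("password stored in the DSN string")
    return mode, findings

# Constructed samples modelled on the DSNs in the report (host/user invented).
BASE = "DRIVER=MySQL ODBC 5.1 Driver;SERVER=db.example.test;UID=app;"
SAMPLES = {
    "tmp-ca-noverify": BASE + "PWD={s;ecret};SSLCA=/tmp/path-to-ca.pem;SSLVERIFY=0",
    "home-ca-verify": BASE + "SSLCA=/Users/username/path-to-ca.pem;SSLVERIFY=1",
    "client-cert": BASE + "SSLCA=/etc/ca.pem;SSLCERT=/etc/c.pem;SSLKEY=/etc/c.key;SSLVERIFY=1",
}

if __name__ == "__main__":
    for name, dsn in SAMPLES.items():
        mode, findings = audit_tls(dsn)
        print(f"{name}: {mode}", *findings, sep="\n  - ")
```

A clean result here only describes what the DSN requests; whether the session is actually encrypted still has to be confirmed on the connection itself, as the reporter did with `\s` in the command-line client.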

[8 Nov 2011 9:30] Bogdan Degtyariov
The new version 5.1.9 is working fine in Windows 7 (see the screenshot below).
MacOS X fails, setting the "Verified" status.

[8 Nov 2011 9:33] Bogdan Degtyariov
Screenshot of SSL test connection in Windows 7

Attachment: ssl_test.JPG (image/jpeg, text), 67.20 KiB.