Bug #57648 server feature request - expose SSL certificate details in SHOW GLOBAL STATUS
Submitted: 22 Oct 2010 4:57
Modified: 26 Apr 2011 14:29
Reporter: Andrew Dalgleish
Status: Closed
Category: MySQL Server: General
Severity: S3 (Non-critical)
Version:
OS: Any
Assigned to: Georgi Kodinov
CPU Architecture: Any
Triage: Triaged: D5 (Feature request)

[22 Oct 2010 4:57] Andrew Dalgleish
Description:
There is no way to remotely check when an SSL certificate is due to expire.

If we expose the certificate expiry date in the SHOW GLOBAL STATUS, we can then check for upcoming expiry dates before they catch us by surprise.

There is a work-around by loading the certificate file into a table using LOAD FILE etc, but this requires a user with FILE privs, and the certificate file must be within the secure-file-priv path.

How to repeat:
n/a
[8 Feb 2011 10:35] Georgi Kodinov
Turned out that the YaSSL implementation is severely lacking in options to parse and return the notBefore and notAfter dates. There's a function to check them against a date, but no way to extract them.
OpenSSL has ASN1_TIME_print() that can be relatively easy to implement, but it requires an implementation of the BIO functions that is also lacking from yaSSL's bundled version.
[26 Apr 2011 14:29] Paul Dubois
Noted in 5.6.3 changelog.

The server now exposes SSL certificate expiration dates through the
Ssl_not_before and Ssl_server_not_after status variables. Both
variables have values in ANSI time format (for example, Sep 12
16:22:06 2013 GMT), or are blank for non-SSL connections.

CHANGESET - http://lists.mysql.com/commits/134117
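
An added example (not part of the bug report or of MySQL's code): a monitoring check that parses the Ssl_server_not_after value in the time format quoted in the changelog note and reports how close the certificate is to expiry. The function names, the 30-day warning threshold and the sample row are assumptions constructed for illustration; the rows are expected to come from `SHOW GLOBAL STATUS LIKE 'Ssl_server_not_after'`.

```python
from datetime import datetime, timedelta, timezone

# Month names are matched by hand so parsing does not depend on the locale.
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()


def parse_status_time(value):
    """Parse a value such as 'Sep 12 16:22:06 2013 GMT' into an aware datetime.

    Returns None for a blank value. split() also absorbs the extra space
    that pads single-digit days ('Sep  2 ...').
    """
    fields = value.split()
    if not fields:
        return None
    if len(fields) != 5 or fields[4] != "GMT" or fields[0] not in MONTHS:
        raise ValueError("unexpected time format: %r" % value)
    hour, minute, second = (int(part) for part in fields[2].split(":"))
    return datetime(int(fields[3]), MONTHS.index(fields[0]) + 1, int(fields[1]),
                    hour, minute, second, tzinfo=timezone.utc)


def check_expiry(status_rows, now, warn_days=30):
    """Return (state, message) from (Variable_name, Value) status rows."""
    status = dict(status_rows)
    if "Ssl_server_not_after" not in status:
        return "UNKNOWN", "Ssl_server_not_after not reported by this server"
    not_after = parse_status_time(status["Ssl_server_not_after"])
    if not_after is None:
        return "UNKNOWN", "Ssl_server_not_after is blank"
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "CRITICAL", "certificate expired %s" % not_after.isoformat()
    if remaining <= timedelta(days=warn_days):
        return "WARNING", "certificate expires in %d days" % remaining.days
    return "OK", "certificate valid until %s" % not_after.isoformat()


# Constructed sample row, using the example value from the changelog note.
SAMPLE_ROWS = [("Ssl_server_not_after", "Sep 12 16:22:06 2013 GMT")]

if __name__ == "__main__":
    # Fixed "now" so the sample output is reproducible.
    print(check_expiry(SAMPLE_ROWS, datetime(2013, 8, 20, tzinfo=timezone.utc)))
```

The check only needs an account that can run SHOW GLOBAL STATUS, so it avoids the FILE privilege and secure-file-priv constraints of the work-around described in the original report.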