Bug #57888 OpenSSL vs yaSSL: different behavior of --ssl-ca parameter
Submitted: 1 Nov 2010 10:21 Modified: 5 Dec 2013 10:40
Reporter: Andrii Nikitin Email Updates:
Status: Can't repeat Impact on me: None
Category:MySQL Server: Documentation Severity:S3 (Non-critical)
Version:5.1.51 OS:Any
Assigned to: Georgi Kodinov CPU Architecture:Any

[1 Nov 2010 10:21] Andrii Nikitin
Description:
http://dev.mysql.com/doc/refman/5.1/en/secure-create-certs.html

The link above describes how to set up a test SSL connection with verification of self-signed certificates.

The yaSSL library works as expected and makes an SSL connection with the following params:

[mysqld]
ssl-ca=/tmp/ca-cert.pem
ssl-key=/tmp/server-key.pem
ssl-cert=/tmp/server-cert.pem

[client]
ssl-ca=/tmp/ca-cert.pem
ssl-key=/tmp/client-key.pem
ssl-cert=/tmp/client-cert.pem

But the OpenSSL version doesn't work with the configuration above, and accepts only the following (only the ssl-ca parameter is different, for both server and client):

[mysqld]
ssl-ca=/tmp/client-cert.pem
ssl-key=/tmp/server-key.pem
ssl-cert=/tmp/server-cert.pem

[client]
ssl-ca=/tmp/server-cert.pem
ssl-key=/tmp/client-key.pem
ssl-cert=/tmp/client-cert.pem

The problem is also reproduced with at least the following distribution:
mysql-server-5.0.77-4.el5_5.3.x86_64.rpm

How to repeat:
1. Build recent mysqld with OpenSSL support
2. Set up SSL certificates as described at:

http://dev.mysql.com/doc/refman/5.1/en/secure-create-certs.html

rm -rf newcerts
mkdir newcerts && cd newcerts

# Create CA certificate
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 1000 \
-key ca-key.pem > ca-cert.pem

# Create server certificate
openssl req -newkey rsa:2048 -days 1000 \
-nodes -keyout server-key.pem > server-req.pem

openssl x509 -req -in server-req.pem -days 1000 \
-CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

# Create client certificate
openssl req -newkey rsa:2048 -days 1000 \
-nodes -keyout client-key.pem > client-req.pem

openssl x509 -req -in client-req.pem -days 1000 \
-CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem

3. Try the my.cnf settings suggested by the docs - mysql will not connect:

[mysqld]
ssl-ca=/tmp/ca-cert.pem
ssl-key=/tmp/server-key.pem
ssl-cert=/tmp/server-cert.pem

[client]
ssl-ca=/tmp/ca-cert.pem
ssl-key=/tmp/client-key.pem
ssl-cert=/tmp/client-cert.pem

4. Change "ssl-ca" parameter as shown below:
[mysqld]
ssl-ca=/tmp/client-cert.pem
...

[client]
ssl-ca=/tmp/server-cert.pem
...

5. The client is now able to connect properly, and status shows that the SSL connection is active.

Suggested fix:
I am not sure which configuration is "more correct"; probably the OpenSSL library is "too strict". In any case this should be investigated by developers and fixed or mentioned in the documentation.
[1 Nov 2010 10:22] Andrii Nikitin
log demonstrating that the example from the manual chapter doesn't work with OpenSSL

Attachment: ssl-ca-test.log (application/octet-stream, text), 14.51 KiB.

[12 Jan 2011 10:01] Georgi Kodinov
Andrii,

I think the documentation is not entirely correct, or, well, not incorrect, but incomplete. 

Example 1 looks correct as it explicitly uses a single CA key that was generated on step 1 to generate both the server and the client keys. This means that they're signed by one and only CA and this CA can be used to verify them both.

Example 2 however doesn't explicitly specify the CA key on the command line, relying probably on certain content in openssl.conf. This is where the differences can be in how openssl and yassl have their defaults set up.
So I think this is just a docs incompleteness.
I suggest we remove Example 2 from the chapter.
[12 Jan 2011 10:16] Andrii Nikitin
Georgi,

But OpenSSL will not connect with following option in both sections of config file:
ssl-ca=/tmp/ca-cert.pem

Could you confirm that? In this case Example 1 is valid only for yaSSL.
[13 Jan 2011 16:10] Stefan Hinz
Changing category to Server:General. If it does turn out to be a documentation request please let us know what to add to the docs.
[5 Dec 2013 10:40] Georgi Kodinov
I've re-tested using the key generation sequence in example 1.
I've used a fresh, fully updated 64-bit Ubuntu 13.10 with openssl 1.0.1e.
I did the following:
cd ~/work
mkdir bld-mysql-5.6-openssl
cd bld-mysql-5.6-openssl
cmake -DWITH_DEBUG=1 -DWITH_SSL=/usr /media/sf_work/mysql-5.6
make -j4
cd mysql-test
mkdir ssl
cd ssl

<follow the example 1 commands verbatim. Use "localhost" for the common name of the server cert, "CA cert" for the common name of the CA cert and "client" for the common name of the client cert when prompted>

cd ..

./mysql-test-run.pl --manual-gdb 1st

<ctrl-C>

then edited /home/gkodinov/work/bld-5.6-openssl/mysql-test/var/my.cnf to have in [client.1] and [client] : 

ssl-ca=/home/gkodinov/work/bld-5.6-openssl/mysql-test/ssl/newcerts/ca-cert.pem
ssl-key=/home/gkodinov/work/bld-5.6-openssl/mysql-test/ssl/newcerts/client-key.pem
ssl-cert=/home/gkodinov/work/bld-5.6-openssl/mysql-test/ssl/newcerts/client-cert.pem

and in [mysqld.1]:

ssl-ca=/home/gkodinov/work/bld-5.6-openssl/mysql-test/ssl/newcerts/ca-cert.pem
ssl-key=/home/gkodinov/work/bld-5.6-openssl/mysql-test/ssl/newcerts/server-key.pem
ssl-cert=/home/gkodinov/work/bld-5.6-openssl/mysql-test/ssl/newcerts/server-cert.pem

Now I've started the server with the same arguments as in /home/gkodinov/work/bld-5.6-openssl/mysql-test/var/tmp/gdbinit.mysqld.1 : 

../sql/mysqld --defaults-group-suffix=.1 --defaults-file=/home/gkodinov/work/bld-5.6-openssl/mysql-test/var/my.cnf --log-output=file --gdb --loose-debug-sync-timeout=600 --default-storage-engine=MyISAM --default-tmp-storage-engine=MyISAM --loose-skip-log-bin --core-file

then, in another terminal I've started mysql as follows : 
../client/mysql --defaults-group-suffix=.1 --defaults-file=/home/gkodinov/work/bld-5.6-openssl/mysql-test/var/my.cnf test -u root --ssl-verify-server-cert

I've got it to connect just fine : 

mysql> \s
--------------
../client/mysql  Ver 14.14 Distrib 5.6.16, for Linux (x86_64) using  EditLine wrapper

Connection id:		2
Current database:	test
Current user:		root@localhost
SSL:			Cipher in use is DHE-RSA-AES256-SHA
Current pager:		stdout
Using outfile:		''
Using delimiter:	;
Server version:		5.6.16-debug-log Source distribution
Protocol version:	10
Connection:		Localhost via UNIX socket
Server characterset:	latin1
Db     characterset:	latin1
Client characterset:	latin1
Conn.  characterset:	latin1
UNIX socket:		/home/gkodinov/work/bld-5.6-openssl/mysql-test/var/tmp/mysqld.1.sock
Uptime:			4 min 27 sec

Threads: 1  Questions: 14  Slow queries: 0  Opens: 70  Flush tables: 1  Open tables: 63  Queries per second avg: 0.052

Then I've verified that mysqld is linked with ssl : 
gkodinov@ubuntu-vm:~/work/bld-5.6-openssl/mysql-test$ ldd ../sql/mysqld 
	linux-vdso.so.1 =>  (0x00007fff0f7ed000)
	libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007ff225218000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007ff225014000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007ff224df6000)
	libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007ff224af2000)
	libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007ff2247ee000)
	libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007ff2245d7000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ff22420f000)
	/lib64/ld-linux-x86-64.so.2 (0x00007ff225468000)

So I can't repeat with 5.6; please re-open with more detailed instructions on how to reproduce.
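The certificate sequence in the "How to repeat" steps, and the distinct common names Georgi asks for in his re-test, can be checked offline with the same OpenSSL that mysqld links against, before either my.cnf is touched. The script below is an added example and is not part of the bug report, of MySQL's code or of its documentation. It regenerates the CA, server and client files non-interactively (`-subj` with constructed CNs in place of the prompts, and serials 01 and 02 rather than 01 twice, since RFC 5280 section 4.1.2.2 requires serial numbers to be unique per issuer), then confirms that each leaf certificate verifies against ca-cert.pem, that a leaf certificate cannot serve as an ssl-ca file for anything else the CA signed (the workaround configuration in the report points ssl-ca at a leaf), and that no two subjects collide. It assumes an `openssl` CLI (1.1.1 or later) on PATH with its default openssl.cnf; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the bug report or the MySQL manual): rebuild the
# CA -> server/client chain and check it the way OpenSSL peer verification
# will, before wiring the files into ssl-ca / ssl-cert / ssl-key.
# Assumptions: `openssl` (1.1.1+) on PATH, default openssl.cnf, CN values
# below are constructed for the example.
set -u

# Generate ca-cert.pem, server-cert.pem, client-cert.pem (plus keys) in $1.
# Deliberate differences from the manual's sequence:
#  * -subj instead of prompts, with distinct CNs for CA, server and client
#  * distinct serial numbers (RFC 5280 4.1.2.2: unique per issuer)
gen_certs() {
    d=$1
    mkdir -p "$d"
    openssl genrsa -out "$d/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -nodes -days 1000 -key "$d/ca-key.pem" \
        -subj "/CN=CA cert" -out "$d/ca-cert.pem" 2>/dev/null
    for who in server client; do
        case $who in server) cn=localhost; serial=01 ;; *) cn=client; serial=02 ;; esac
        openssl req -newkey rsa:2048 -nodes -keyout "$d/$who-key.pem" \
            -subj "/CN=$cn" -out "$d/$who-req.pem" 2>/dev/null
        openssl x509 -req -in "$d/$who-req.pem" -days 1000 \
            -CA "$d/ca-cert.pem" -CAkey "$d/ca-key.pem" -set_serial "$serial" \
            -out "$d/$who-cert.pem" 2>/dev/null
    done
}

# Does certificate $2 chain to the trust file $1?  Exit 0 = OK, else broken.
# This is the same chain validation an OpenSSL-linked peer runs against ssl-ca.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Subject DN of a PEM certificate, one line, RFC 2253 form.
subject_of() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Fail unless every certificate given has a subject distinct from the others
# (the manual's caveat: server/client CN must differ from the CA CN).
check_distinct_subjects() {
    seen=""
    for f in "$@"; do
        s=$(subject_of "$f")
        case "$seen" in *"|$s|"*) echo "duplicate subject: $s ($f)" >&2; return 1 ;; esac
        seen="$seen|$s|"
    done
    return 0
}

main() {
    work=$(mktemp -d)
    gen_certs "$work"
    for leaf in server-cert.pem client-cert.pem; do
        if verify_against "$work/ca-cert.pem" "$work/$leaf"; then
            echo "$leaf: chains to ca-cert.pem (OK)"
        else
            echo "$leaf: does NOT chain to ca-cert.pem"
        fi
    done
    # A leaf certificate is not a CA: pointing ssl-ca at one gives the peer
    # nothing it can use as a trust anchor for the CA-signed certificate.
    if verify_against "$work/client-cert.pem" "$work/server-cert.pem"; then
        echo "unexpected: server-cert.pem verified against client-cert.pem"
    else
        echo "server-cert.pem does not verify against client-cert.pem (expected)"
    fi
    check_distinct_subjects "$work/ca-cert.pem" "$work/server-cert.pem" "$work/client-cert.pem" \
        && echo "CA, server and client subjects are distinct (OK)"
    rm -rf "$work"
}
main
```

Run it as `sh ssl_chain_check.sh` (any file name). Each `openssl verify` call performs the chain validation that the peer-verification step of an OpenSSL-linked mysqld or mysql client performs against its ssl-ca file, so a failure here surfaces with a readable reason instead of only as a refused handshake; a configuration that connects but fails this check is not verifying the peer at all.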