Bug #57888 | OpenSSL vs yaSSL: different behavior of --ssl-ca parameter | |
---|---|---|---
Submitted: | 1 Nov 2010 10:21 | Modified: | 5 Dec 2013 10:40 |
Reporter: | Andrii Nikitin | Email Updates: | |
Status: | Can't repeat | Impact on me: | |
Category: | MySQL Server: Documentation | Severity: | S3 (Non-critical) |
Version: | 5.1.51 | OS: | Any |
Assigned to: | Georgi Kodinov | CPU Architecture: | Any |
[1 Nov 2010 10:21]
Andrii Nikitin
[1 Nov 2010 10:22]
Andrii Nikitin
log demonstrating that the example from the manual chapter doesn't work with OpenSSL
Attachment: ssl-ca-test.log (application/octet-stream, text), 14.51 KiB.
[12 Jan 2011 10:01]
Georgi Kodinov
Andrii, I think the documentation is not entirely correct, or, well, not incorrect, but incomplete. Example 1 looks correct as it explicitly uses a single CA key that was generated on step 1 to generate both the server and the client keys. This means that they're signed by one and only CA and this CA can be used to verify them both. Example 2 however doesn't explicitly specify the CA key on the command line, relying probably on certain content in openssl.conf. This is where the differences can be in how openssl and yassl have their defaults set up. So I think this is just a docs incompleteness. I suggest we remove Example 2 from the chapter.
[12 Jan 2011 10:16]
Andrii Nikitin
Georgi, but OpenSSL will not connect with the following option in both sections of the config file: ssl-ca=/tmp/ca-cert.pem. Could you confirm that? In this case Example 1 is valid only for yaSSL.
[13 Jan 2011 16:10]
Stefan Hinz
Changing category to Server:General. If it does turn out to be a documentation request please let us know what to add to the docs.
[5 Dec 2013 10:40]
Georgi Kodinov
I've re-tested using the key generation sequence in example 1. I've used a fresh, fully updated 64 bit ubuntu 13.10 with openssl 1.0.1e. I did the following:

```
cd ~/work
mkdir bld-mysql-5.6-openssl
cd bld-mysql-5.6-openssl
cmake -DWITH_DEBUG=1 -DWITH_SSL=/usr /media/sf_work/mysql-5.6
make -j4
cd mysql-test
mkdir ssl
cd ssl
<follow the example 1 commands verbatim; use "localhost" for the common name of the server cert, "CA cert" for the common name of the CA cert and "client" for the common name of the client cert when prompted>
cd ..
./mysql-test-run.pl --manual-gdb 1st
<ctrl-C>
```

Then I edited /home/gkodinov/work/bld-5.6-openssl/mysql-test/var/my.cnf to have in [client.1] and [client]:

```
ssl-ca=/home/gkodinov/work/bld-5.6-openssl/mysql-test/ssl/newcerts/ca-cert.pem
ssl-key=/home/gkodinov/work/bld-5.6-openssl/mysql-test/ssl/newcerts/client-key.pem
ssl-cert=/home/gkodinov/work/bld-5.6-openssl/mysql-test/ssl/newcerts/client-cert.pem
```

and in [mysqld.1]:

```
ssl-ca=/home/gkodinov/work/bld-5.6-openssl/mysql-test/ssl/newcerts/ca-cert.pem
ssl-key=/home/gkodinov/work/bld-5.6-openssl/mysql-test/ssl/newcerts/server-key.pem
ssl-cert=/home/gkodinov/work/bld-5.6-openssl/mysql-test/ssl/newcerts/server-cert.pem
```

Now I've started the server with the same arguments as in /home/gkodinov/work/bld-5.6-openssl/mysql-test/var/tmp/gdbinit.mysqld.1:

```
../sql/mysqld --defaults-group-suffix=.1 --defaults-file=/home/gkodinov/work/bld-5.6-openssl/mysql-test/var/my.cnf --log-output=file --gdb --loose-debug-sync-timeout=600 --default-storage-engine=MyISAM --default-tmp-storage-engine=MyISAM --loose-skip-log-bin --core-file
```

Then, in another terminal, I've started mysql as follows:

```
../client/mysql --defaults-group-suffix=.1 --defaults-file=/home/gkodinov/work/bld-5.6-openssl/mysql-test/var/my.cnf test -u root --ssl-verify-server-cert
```

I've got it to connect just fine:

```
mysql> \s
--------------
../client/mysql  Ver 14.14 Distrib 5.6.16, for Linux (x86_64) using  EditLine wrapper

Connection id:          2
Current database:       test
Current user:           root@localhost
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         5.6.16-debug-log Source distribution
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    latin1
Conn.  characterset:    latin1
UNIX socket:            /home/gkodinov/work/bld-5.6-openssl/mysql-test/var/tmp/mysqld.1.sock
Uptime:                 4 min 27 sec

Threads: 1  Questions: 14  Slow queries: 0  Opens: 70  Flush tables: 1  Open tables: 63  Queries per second avg: 0.052
```

Then I've verified that mysqld is linked with ssl:

```
gkodinov@ubuntu-vm:~/work/bld-5.6-openssl/mysql-test$ ldd ../sql/mysqld
        linux-vdso.so.1 =>  (0x00007fff0f7ed000)
        libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007ff225218000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007ff225014000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007ff224df6000)
        libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007ff224af2000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007ff2247ee000)
        libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007ff2245d7000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ff22420f000)
        /lib64/ld-linux-x86-64.so.2 (0x00007ff225468000)
```

So can't repeat with 5.6. Please re-open with more detailed instructions on how to reproduce.