Bug #59630 SSL CA File is not checked
Submitted: 20 Jan 2011 12:42
Modified: 28 Mar 2011 23:14
Reporter: Daniël van Eeden
Status: Verified
Category: MySQL Server: Errors
Severity: S2 (Serious)
Version: 5.1.50, 5.5.8, 5.0
OS: Any
Assigned to:
CPU Architecture: Any
Tags: SSL

[20 Jan 2011 12:42] Daniël van Eeden
When the ssl-ca for mysqld is set to an incorrect path, mysqld will start up without error.

The client has a valid ssl-ca setting.

Then client SSL connections will fail with the following error:
"ERROR 2026 (HY000): SSL connection error"

Using Wireshark, the TLS 1.0 error can be found: "Unknown CA (48)"

From a strace (path replaced for privacy):
open("/path/to/ca-cert.pm", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)

How to repeat:
Set ssl-ca to an invalid path for the server and a valid path for the client

Try to connect using SSL.

Suggested fix:
Check if ssl-ca file is readable on startup and log an error if that's not the case.

[3 Mar 2011 19:17] Kristofer Pettersson
I'm looking at this.

[28 Mar 2011 23:14] Sveta Smirnova
Thank you for the report.

Verified as described.

[24 Apr 2017 22:18] Daniël van Eeden
With 5.7.18 this happens if you remove/rename data/ca.pem

2017-04-24T22:16:06.191791Z 0 [Warning] Failed to set up SSL because of the following SSL library error: SSL context is not usable without certificate and private key

Not the best error message, but the behaviour is better.
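The startup check suggested in the report can also be run as a pre-flight step before mysqld is started. The following is an added example, not part of the bug thread and not MySQL's own code; `parse_section`, `check_ssl_files` and `SAMPLE_CNF` are hypothetical names, and the sample configuration is constructed from the path shown in the strace output above.

```python
import os
import ssl

SSL_FILE_OPTIONS = ("ssl-ca", "ssl-cert", "ssl-key")

# Constructed sample: the client has a valid-looking CA path, the server a mistyped one.
SAMPLE_CNF = """\
[client]
ssl-ca=/path/to/ca-cert.pem
[mysqld]
port=3306
ssl_ca=/path/to/ca-cert.pm
"""

def parse_section(cnf_text, section="mysqld"):
    """Return {option: value} for one [section] of a my.cnf-style file."""
    options, current = {}, None
    for raw in cnf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":
            continue  # blank line, comment, or !include directive
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
        elif current == section and "=" in line:
            key, value = line.split("=", 1)
            # MySQL accepts ssl_ca and ssl-ca interchangeably
            options[key.strip().replace("_", "-")] = value.strip().strip("'\"")
    return options

def check_ssl_files(cnf_text, section="mysqld"):
    """Return a list of (option, path, problem) for unusable SSL files."""
    problems = []
    for opt, path in parse_section(cnf_text, section).items():
        if opt not in SSL_FILE_OPTIONS:
            continue
        if not os.path.isfile(path):
            problems.append((opt, path, "no such file"))
        elif not os.access(path, os.R_OK):
            problems.append((opt, path, "not readable"))
        elif opt == "ssl-ca":
            try:  # the file exists; confirm it holds at least one parsable certificate
                ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).load_verify_locations(cafile=path)
            except OSError:  # ssl.SSLError is a subclass of OSError
                problems.append((opt, path, "no usable CA certificate"))
    return problems

if __name__ == "__main__":
    for opt, path, problem in check_ssl_files(SAMPLE_CNF):
        print(f"[ERROR] {opt}={path}: {problem}")
```

Run it under the account mysqld runs as, since the readability result depends on the calling user.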