Bug #59635 SSL Status variables not correct
Submitted: 20 Jan 2011 14:09
Modified: 9 May 2011 14:07
Reporter: Daniël van Eeden
Status: Verified
Category: MySQL Server: General
Severity: S3 (Non-critical)
Version: 5.5.8, 5.0.92, 5.1.57, 5.6.3
OS: Any
Assigned to:
CPU Architecture: Any
Tags: SSL
Triage: Needs Triage: D3 (Medium)

[20 Jan 2011 14:09] Daniël van Eeden
Description:
The Ssl_accepts in "SHOW GLOBAL STATUS" has value 0, even when using SSL connections.

There are more status variables for which I don't expect a zero value when using SSL, like Ssl_client_connects.

The status variables are documented here:
http://dev.mysql.com/doc/refman/5.5/en/server-status-variables.html

The documentation for some variables like Ssl_verify_mode is not really helpful.

And the documentation for Ssl_version doesn't state that it's not only the version, but also the protocol (e.g. 'TLSv1').

How to repeat:
mysql> \s
<truncated>
SSL:			Cipher in use is DHE-RSA-AES256-SHA
<truncated>

mysql> SHOW GLOBAL STATUS LIKE 'Ssl_%';
+--------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Variable_name                  | Value                                                                                                                                                                                                                                       |
+--------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Ssl_accept_renegotiates        | 0                                                                                                                                                                                                                                           |
| Ssl_accepts                    | 0                                                                                                                                                                                                                                           |
| Ssl_callback_cache_hits        | 0                                                                                                                                                                                                                                           |
| Ssl_cipher                     | DHE-RSA-AES256-SHA                                                                                                                                                                                                                          |
| Ssl_cipher_list                | DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:AES128-SHA:AES256-RMD:AES128-RMD:DES-CBC3-RMD:DHE-RSA-AES256-RMD:DHE-RSA-AES128-RMD:DHE-RSA-DES-CBC3-RMD:RC4-SHA:RC4-MD5:DES-CBC3-SHA:DES-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA |
| Ssl_client_connects            | 0                                                                                                                                                                                                                                           |
| Ssl_connect_renegotiates       | 0                                                                                                                                                                                                                                           |
| Ssl_ctx_verify_depth           | 0                                                                                                                                                                                                                                           |
| Ssl_ctx_verify_mode            | 0                                                                                                                                                                                                                                           |
| Ssl_default_timeout            | 500                                                                                                                                                                                                                                         |
| Ssl_finished_accepts           | 0                                                                                                                                                                                                                                           |
| Ssl_finished_connects          | 0                                                                                                                                                                                                                                           |
| Ssl_session_cache_hits         | 0                                                                                                                                                                                                                                           |
| Ssl_session_cache_misses       | 0                                                                                                                                                                                                                                           |
| Ssl_session_cache_mode         | Unknown                                                                                                                                                                                                                                     |
| Ssl_session_cache_overflows    | 0                                                                                                                                                                                                                                           |
| Ssl_session_cache_size         | 0                                                                                                                                                                                                                                           |
| Ssl_session_cache_timeouts     | 0                                                                                                                                                                                                                                           |
| Ssl_sessions_reused            | 0                                                                                                                                                                                                                                           |
| Ssl_used_session_cache_entries | 0                                                                                                                                                                                                                                           |
| Ssl_verify_depth               | 0                                                                                                                                                                                                                                           |
| Ssl_verify_mode                | 0                                                                                                                                                                                                                                           |
| Ssl_version                    | TLSv1                                                                                                                                                                                                                                       |
+--------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
23 rows in set (0.00 sec)

Suggested fix:
- Check if the values are correct and fix them if they are not.
- Update documentation
[28 Mar 2011 22:33] Sveta Smirnova
Thank you for the report.

Verified as described.
[9 May 2011 8:46] Daniël van Eeden
I think this is partly fixed by http://lists.mysql.com/commits/132818 from Bug #52596

This doesn't seem to be a complete fix.
[9 May 2011 11:15] Davi Arnaut
yaSSL does not support _various_ counters/statuses that OpenSSL has. Use OpenSSL if you want these...
[9 May 2011 11:27] Daniël van Eeden
This is using OpenSSL.

If a status variable is not supported it should be an empty string instead of the value 0.
[9 May 2011 11:33] Davi Arnaut
> This is using OpenSSL.

SSL_accepts is taken from OpenSSL's SSL_CTX_sess_accept() function, which is documented to "return the number of started SSL/TLS handshakes in server mode". Could you double check if the server is linked with OpenSSL and that there are actually started SSL connections?

> If a status variable is not supported it should be an empty string instead of the value 0.

No, because the value needs to match the type of the status variable. The type of this status variable is integer, not a string. This is long established behavior.
[9 May 2011 11:36] Davi Arnaut
> And the documentation for Ssl_version doesn't state that it's not only the version,
> but also the protocol (e.g. 'TLSv1')

The documentation is wrong. SSL_get_version() is used for this, which returns "the protocol version of a connection."
[9 May 2011 12:09] Daniël van Eeden
Output for MySQL 5.6

Attachment: mysql5.6_ssl.txt (text/plain), 9.71 KiB.

[9 May 2011 12:13] Daniël van Eeden
Created Bug #61098 for the documentation issue with Ssl_version.
[9 May 2011 12:14] Davi Arnaut
> Server version: 5.6.3-m5 MySQL Community Server (GPL)

Our binaries are compiled with yaSSL.

> have_openssl | YES

have_openssl is just an alias for have_ssl.
[9 May 2011 12:49] Daniël van Eeden
SSL 5.6 replication

Attachment: mysql5.6_ssl_rep.txt (text/plain), 13.79 KiB.

[9 May 2011 13:52] Daniël van Eeden
MySQL 5.6 -DWITH_SSL=system

Attachment: mysql5.6_ssl_openssl.txt (text/plain), 11.74 KiB.

[9 May 2011 13:55] Daniël van Eeden
If have_openssl=Yes while openssl is not supported this is at least confusing. What is the official way to determine if yassl or openssl is used?

With MySQL compiled with -DWITH_SSL=system, the variables seem to be correct.
[9 May 2011 14:07] Daniël van Eeden
The Ssl_default_timeout is very different between YaSSL and OpenSSL. Is this something that needs to be configured?
[10 May 2011 13:43] Davi Arnaut
> What is the official way to determine if yassl or openssl is used?

Unfortunately, there isn't one.

> The Ssl_default_timeout is very different between YaSSL and OpenSSL.
> Is this something that needs to be configured?

If you want a specific session timeout, yes.
[14 May 2013 9:47] Laurynas Biveinis
Is this a duplicate of bug 20040?
[14 May 2013 10:27] Daniël van Eeden
> Is this a duplicate of bug 20040?
I believe it is.
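
Added example (not part of the original bug thread or MySQL's code): a small consistency check for monitoring that parses `SHOW GLOBAL STATUS LIKE 'Ssl_%'` client output and flags the situation reported here, where the querying session has a negotiated cipher but the handshake counters are still zero. The function names, verdict strings and the abbreviated sample rows are assumptions made for this illustration.

```python
import re

# Constructed sample: a few rows in the shape of the report's output.
SAMPLE = """\
+----------------------+--------------------+
| Variable_name        | Value              |
+----------------------+--------------------+
| Ssl_accepts          | 0                  |
| Ssl_cipher           | DHE-RSA-AES256-SHA |
| Ssl_finished_accepts | 0                  |
| Ssl_version          | TLSv1              |
+----------------------+--------------------+
"""

ROW = re.compile(r"^\|\s*(\S+)\s*\|\s*(.*?)\s*\|$")
HANDSHAKE_COUNTERS = ("Ssl_accepts", "Ssl_finished_accepts")


def parse_status(text):
    """Turn mysql client table output into {variable_name: value}."""
    status = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m and m.group(1) != "Variable_name":
            status[m.group(1)] = m.group(2)
    return status


def check_handshake_counters(status):
    """Return (verdict, suspect_counters) for one status snapshot."""
    if not status.get("Ssl_cipher"):
        # The querying session is not encrypted, so zero counters prove nothing.
        return "inconclusive", []
    suspect = [name for name in HANDSHAKE_COUNTERS
               if status.get(name, "").strip() in ("", "0")]
    # This session completed a handshake, so a zero or missing counter means
    # the server is not maintaining it (e.g. the yaSSL case in the thread).
    return ("counters-unreliable" if suspect else "ok"), suspect


if __name__ == "__main__":
    print(check_handshake_counters(parse_status(SAMPLE)))
```

A "counters-unreliable" verdict means alerting built on `Ssl_accepts` would silently under-report encrypted connections on that build, so per-session `Ssl_cipher` is the safer signal there.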