Bug #60765 no support for intermediate CA and mandatory ca verification on client
Submitted: 5 Apr 2011 23:29
Modified: 25 Apr 2012 11:51
Reporter: Jan Ksta
Status: No Feedback
Category: MySQL Server
Severity: S3 (Non-critical)
Version: 5.5.10
OS: Any
Assigned to:
CPU Architecture: Any

[5 Apr 2011 23:29] Jan Ksta
Server version 5.5.10 yaSSL does not support an intermediate CA to push to clients for verifying using their CA. Almost every SSL-enabled software has this option - Apache, Exim, Courier etc.

Also, the mysql client has mandatory server crt verification. Using only --switch, without --ssl-ca, does not enable an SSL connection at all.

Because of these two bugs, the server administrator has to actually distribute the CA used for the server crt using other channels! That's not right.

How to repeat:
[6 Apr 2011 17:29] Jan Ksta
Client and server compiled against OpenSSL, when using --ssl-ca=/dev/null, do support an intermediate CA from the server and for some reason do not perform a common name check. --host can be an IP address and verification of the crt will not fail, while it fails when using yaSSL. Common name verification should not be mandatory (additional switch for command line).
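
The two things discussed in the comments above, chain building through an intermediate CA and the separate host identity check, shown with the openssl command line as an added example (not part of the bug report and not MySQL or yaSSL code). The CA names, the host db.example.test, the address 192.0.2.10 and all file names are constructed; the client is assumed to hold only the root CA.

```shell
#!/bin/sh
# Constructed demo: every subject name, host and path here is made up.
# Chain: Demo Root CA -> Demo Intermediate CA -> server cert for db.example.test
DEMO_DIR=$(mktemp -d) && trap 'rm -rf "$DEMO_DIR"' EXIT

issue() {  # args: dir, name, CN, issuer name, extension section
    openssl req -new -newkey rsa:2048 -nodes -config "$1/x.cnf" -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.crt" -CAkey "$1/$4.key" \
        -CAcreateserial -extfile "$1/x.cnf" -extensions "$5" -days 2 \
        -out "$1/$2.crt" 2>/dev/null
}

build_chain() {  # arg: working directory
    cat > "$1/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:db.example.test
EOF
    # Root CA: the only certificate the client is assumed to have on disk.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/x.cnf" \
        -extensions v3_ca -subj "/CN=Demo Root CA" \
        -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null || return 1
    issue "$1" int "Demo Intermediate CA" root v3_ca || return 1
    issue "$1" leaf "db.example.test" int v3_leaf
}

# verify DIR [extra openssl-verify options]: client trusts root.crt only.
verify() {
    d=$1; shift
    openssl verify -CAfile "$d/root.crt" "$@" "$d/leaf.crt" >/dev/null 2>&1
}
report() { if "$@"; then echo accepted; else echo rejected; fi; }

build_chain "$DEMO_DIR" || { echo "openssl failed" >&2; exit 1; }
C="-untrusted $DEMO_DIR/int.crt"   # intermediate as the server would send it
echo "leaf alone:             $(report verify "$DEMO_DIR")"
echo "leaf + intermediate:    $(report verify "$DEMO_DIR" $C)"
echo "  and host name match:  $(report verify "$DEMO_DIR" $C -verify_hostname db.example.test)"
echo "  and IP as host:       $(report verify "$DEMO_DIR" $C -verify_ip 192.0.2.10)"
```
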
[24 Feb 2012 8:23] Georgi Kodinov
Hello, can you please provide examples of the problems you describe?
[26 Apr 2012 1:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".