Bug #66883 Key-less SSL connections not possible
Submitted: 19 Sep 2012 23:11
Modified: 18 Jan 2013 18:01
Reporter: Alfredo Kojima
Status: No Feedback
Category: Connector / C++
Severity: S3 (Non-critical)
Version: 1.1.1
OS: Any
Assigned to:
CPU Architecture: Any

[19 Sep 2012 23:11] Alfredo Kojima
Description:
It is not possible to open an SSL connection without a certificate/key.

To do that, mysql_ssl_set must be called with an empty string as the 1st param, which is impossible to do with Conn/C++, even if the sslKey option is passed with an empty string as a param.

How to repeat:
See bug #61266 for instructions on how to set up an account that requires SSL but not a certificate.
Connect using mysql -u<user> --ssl-key=

$ mysql -ussl 
ERROR 1045 (28000): Access denied for user 'ssl'@'localhost' (using password: NO)

$ mysql -ussl  --ssl-key=
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 86
Server version: 5.5.15-log MySQL Community Server (GPL)

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show status like 'Ssl_cipher';
+---------------+--------------------+
| Variable_name | Value              |
+---------------+--------------------+
| Ssl_cipher    | DHE-RSA-AES256-SHA |
+---------------+--------------------+
1 row in set (0.04 sec)

mysql> select ssl_type from mysql.user where user='ssl';
+----------+
| ssl_type |
+----------+
| ANY      |
+----------+
1 row in set (0.01 sec)

Suggested fix:
In:

bool
MySQL_NativeConnectionWrapper::ssl_set(const SQLString & key,
								const SQLString & cert,
								const SQLString & ca,
								const SQLString & capath,
								const SQLString & cipher)
{
  return ('\0' != api->ssl_set(mysql, nullIfEmpty(key), nullIfEmpty(cert),
							nullIfEmpty(ca), nullIfEmpty(capath), nullIfEmpty(cipher)));
}

Should be changed to something like:

  return ('\0' != api->ssl_set(mysql, key.c_str(), nullIfEmpty(cert),
							nullIfEmpty(ca), nullIfEmpty(capath), nullIfEmpty(cipher)));
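
The difference between the two wrapper versions above, as an added example that is not part of the report and is not Connector/C++ source. `RecordingApi`, `classify`, `keySeenCurrent` and `keySeenSuggested` are hypothetical names; the stub only records the key pointer it receives and does not model what the client library does with it.

```cpp
#include <cstdio>
#include <string>

// Constructed stub: records the key pointer the wrapper hands to the API's
// ssl_set. It opens no connection and models no libmysqlclient internals.
struct RecordingApi {
    const char *key = nullptr;
    void ssl_set(const char *k, const char *, const char *,
                 const char *, const char *) { key = k; }
};

// Stand-in for the helper named in the report: "" collapses to a null pointer.
static const char *nullIfEmpty(const std::string &s) {
    return s.empty() ? nullptr : s.c_str();
}

enum class KeyArg { Null, Empty, Path };

static KeyArg classify(const char *p) {
    if (p == nullptr) return KeyArg::Null;
    return *p != '\0' ? KeyArg::Path : KeyArg::Empty;
}

// Wrapper as quoted in the report: the key goes through nullIfEmpty.
KeyArg keySeenCurrent(const std::string &key) {
    RecordingApi api;
    api.ssl_set(nullIfEmpty(key), nullptr, nullptr, nullptr, nullptr);
    return classify(api.key);
}

// Wrapper with the suggested change: the key is passed as key.c_str().
KeyArg keySeenSuggested(const std::string &key) {
    RecordingApi api;
    api.ssl_set(key.c_str(), nullptr, nullptr, nullptr, nullptr);
    return classify(api.key);
}

static const char *name(KeyArg a) {
    return a == KeyArg::Null ? "NULL" : a == KeyArg::Empty ? "\"\"" : "path";
}

int main() {
    const std::string samples[] = {"", "/constructed/client-key.pem"};  // constructed inputs
    for (const std::string &k : samples)
        std::printf("sslKey=\"%s\": current passes %s, suggested passes %s\n",
                    k.c_str(), name(keySeenCurrent(k)), name(keySeenSuggested(k)));
    return 0;
}
```

With the suggested change the wrapper never passes NULL for the key at this call, so an sslKey left at its empty default and one explicitly set to an empty string reach the API identically.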

[18 Dec 2012 18:01] Sveta Smirnova
Thank you for the report.

To which version do you connect in bug #61266?

With 5.5 I get:

[sveta@delly mysql-test]$ ~/src/mysql-5.5/client/mysql -h127.0.0.1 -P13000 -uuser test --ssl --ssl-key= 
SSL error: Unable to get certificate from ''
ERROR 2026 (HY000): SSL connection error: Unable to get certificate

Or:

[sveta@delly mysql-test]$ ~/src/mysql-5.5/client/mysql -h127.0.0.1 -P13000 -uuser test --ssl --ssl-key= --ssl-cert=./std_data/client-cert.pem
SSL error: Unable to get private key from ''
ERROR 2026 (HY000): SSL connection error: Unable to get private key

[19 Jan 2013 1:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".