Bug #673 MySQL 4.0.13 no SSL connection with mysql client possible
Submitted: 18 Jun 2003 6:56 Modified: 26 Jun 2003 0:50
Reporter: [ name withheld ]
Status: Closed
Category:MySQL Server Severity:S2 (Serious)
Version:4.0.13 OS:Linux (Gentoo Linux 1.4 rc 4)
Assigned to: Sergei Glukhov CPU Architecture:Any

[18 Jun 2003 6:56] [ name withheld ]
Description:
When trying to connect to an SSL-secured MySQL server (version 4.0.13) with the
mysql client, I get the message "ERROR 2026: SSL CONNECTION ERROR". strace doesn't give
any useful output, and there is no error message in mysql.log. With version 4.0.12 there were no
problems with client SSL connections. Here is my my.cnf file:
 
[client] 
host=localhost 
port=3306 
user=******* 
password=******** 
socket=/var/run/mysqld/mysqld.sock 
ssl-cert=/etc/mysql/server.crt 
ssl-key=/etc/mysql/server.key 
 
[safe_mysqld] 
err-log=/var/log/mysql/mysql.err 
 
[mysqld] 
skip-innodb 
user=mysql 
pid-file=/var/run/mysqld/mysqld.pid 
socket=/var/run/mysqld/mysqld.sock 
bind-address=127.0.0.1 
port=3306 
log=/var/log/mysql/mysql.log 
basedir=/usr 
datadir=/home/mysql 
tmpdir=/tmp 
language=/usr/share/mysql/german 
skip-locking 
server-id=1 
set-variable=key_buffer=16M 
set-variable=max_allowed_packet=1M 
set-variable=thread_stack=128K 
ssl-cert=/etc/mysql/server.crt 
ssl-key=/etc/mysql/server.key 
 
[mysqldump] 
quick 
set-variable=max_allowed_packet=1M 
 
[mysql] 
no-auto-rehash 
 
[isamchk] 
set-variable=key_buffer=16M 
set-variable=sort_buffer=16M 
 
[myisamchk] 
set-variable=key_buffer=16M 
set-variable=sort_buffer=16m 
 
[mysqlhotcopy] 
interactive-timeout

I use OpenSSL version 0.9.6j. I will try 0.9.7 at the weekend.

How to repeat:
- Install OpenSSL 0.9.6j
- Install MySQL 4.0.13 on Linux
- Create self-signed SSL certificates without a passphrase
- Edit my.cnf (like above)
- Type mysql

Suggested fix:
- SSL availability as in version 4.0.12 (backwards compatibility if the authentication process differs between 4.0.12 and 4.0.13)
[18 Jun 2003 7:41] Boyd Gerber
I have verified this on another OS.
[21 Jun 2003 3:18] Robin Johnson
Why is this marked as a Feature request?
It is not a feature request; it is actually a bug, as it seems you cannot connect to a 4.0.13 server using SSL at all.
[21 Jun 2003 6:40] [ name withheld ]
Right, it is a bug.
[21 Jun 2003 8:40] Boyd Gerber
I agree this is a bug. I do not understand this bug software and find it hard to use, and I cannot update a change in status. I want to know from the developer if this was intended behaviour. I know that backwards compatibility cannot always be maintained. I want to know if this was intended!
[22 Jun 2003 2:28] [ name withheld ]
Then it is important to know how to create the certificates for MySQL, because the way described in the documentation produces the same error. Furthermore, not all MySQL products are SSL compatible; e.g. MySQL-CC doesn't have this feature yet.
[25 Jun 2003 15:57] [ name withheld ]
I had the same problem. However, it explicitly says in the instructions not to use the same certificate for both the client and the server. Initially, I did this just to see if it would work and I received the same error message that you did. I then tried it with a separate client cert and then it worked fine. i.e. I created a self-signed CA certificate, and separate server and client certificates, both signed with the CA certificate.

IMHO, a client certificate should not be required at all. IMHO, only a server certificate should be required. For example, I would like to use SSL for encryption, and I want to use SSL server authentication, but not SSL client authentication (i.e. the same way it works for an e-commerce Web site such as amazon.com). I want to use password authentication for the client because client certificates are more difficult to manage. SSL client authentication should be available but not required.
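The certificate layout that worked in the comment above (one self-signed CA, plus a separate server certificate and a separate client certificate, both signed by that CA, none of them reused between client and server), written out as an added example. This script is not part of the bug report and not MySQL's own documentation; it also covers the "How to repeat" step of creating passphrase-less certificates. It assumes a POSIX shell with the openssl command line tool on the PATH; the output directory, file names, subject names and the my-client.cnf fragment it writes are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): build a self-signed CA plus
# separate server and client certificates, all signed by that CA, and
# write a my.cnf fragment that points each side at its own key pair.
# Assumes the openssl CLI; every file name and subject below is an
# assumption made for this example, not a MySQL requirement.
set -e

make_mysql_ssl_certs() {
    mkdir -p "$1"
    dir=$(cd "$1" && pwd)   # absolute path, so the cnf fragment is usable from anywhere

    # 1. CA key and self-signed CA certificate.
    #    -nodes: no passphrase, since mysqld cannot prompt for one at startup.
    openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -nodes -days 3650 -key "$dir/ca-key.pem" \
        -out "$dir/ca.pem" -subj "/CN=Example MySQL CA" 2>/dev/null

    # 2. Server key + CSR, then a certificate signed by the CA.
    #    Each certificate gets its own CN; a subject identical to the CA's
    #    or to the client's would make the chain ambiguous.
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/server-key.pem" \
        -out "$dir/server-req.pem" -subj "/CN=mysql-server" 2>/dev/null
    openssl x509 -req -in "$dir/server-req.pem" -days 365 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -set_serial 01 \
        -out "$dir/server-cert.pem" 2>/dev/null

    # 3. Client key + CSR, signed by the same CA but a distinct certificate:
    #    the original my.cnf reused server.crt/server.key in [client].
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/client-key.pem" \
        -out "$dir/client-req.pem" -subj "/CN=mysql-client" 2>/dev/null
    openssl x509 -req -in "$dir/client-req.pem" -days 365 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -set_serial 02 \
        -out "$dir/client-cert.pem" 2>/dev/null

    # 4. Config fragment: both sides trust the CA, each presents its own pair.
    cat > "$dir/my-client.cnf" <<EOF
[client]
ssl-ca=$dir/ca.pem
ssl-cert=$dir/client-cert.pem
ssl-key=$dir/client-key.pem

[mysqld]
ssl-ca=$dir/ca.pem
ssl-cert=$dir/server-cert.pem
ssl-key=$dir/server-key.pem
EOF

    # 5. Check that both leaf certificates chain to the CA. Non-zero exit
    #    here means the server would reject the handshake the same way.
    openssl verify -CAfile "$dir/ca.pem" "$dir/server-cert.pem" "$dir/client-cert.pem"
}

# Run only when a target directory is given on the command line.
if [ -n "${1:-}" ]; then
    make_mysql_ssl_certs "$1"
fi
```

Run it as `sh make-certs.sh /etc/mysql/ssl` (path assumed), then merge the generated my-client.cnf into my.cnf in place of the [client] and [mysqld] ssl-* lines shown in the report. The point of the layout is that the client never presents the server's certificate: the CA is the only thing shared, and the two leaf certificates differ in subject, serial and key.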
[25 Jun 2003 16:00] [ name withheld ]
You don't have your configuration file set correctly. See the following document.

http://www.mysql.com/doc/en/Secure_Create_Certs.html
[26 Jun 2003 0:49] Sergei Glukhov
The bug is fixed in the bk tree.
[26 Jun 2003 3:07] [ name withheld ]
Thanks for fixing that bug so quickly.