Bug #69226 Status variable for SSL/TLS implementation
Submitted: 14 May 2013 10:31 Modified: 6 Feb 2018 13:52
Reporter: Daniël van Eeden (OCA)
Status: Verified
Category: MySQL Server: Options
Severity: S3 (Non-critical)
Version: 5.6.11, 5.7.21, 8.0.4
OS: Any
Assigned to:
CPU Architecture: Any
Tags: have_ssl, openssl, SSL, tls, yassl

[14 May 2013 10:31] Daniël van Eeden
Description:
From Bug #59635

[10 May 2011 13:43] Davi Arnaut

> What is the official way to determine if yassl or openssl is used?

Unfortunately, there isn't one.

How to repeat:
See description

Suggested fix:
Add status variable to check the SSL/TLS implementation which is in use.

Optional:
If the system OpenSSL is used it might be interesting to see the OpenSSL version to be able to check if MySQL was restarted after the last OpenSSL upgrade.
[14 May 2013 16:09] MySQL Verification Team
Hello Daniel,

Thank you for the reasonable feature request.
[14 May 2013 17:35] Todd Farmer
The request for a global variable identifying the SSL library used is entirely appropriate. There is a workaround, based on the fact that the server defines the "Rsa_public_key" status variable only if yaSSL isn't in use:

#ifndef HAVE_YASSL
  {"Rsa_public_key",           (char*) &show_rsa_public_key, SHOW_FUNC},
#endif

As a result, MySQL Enterprise 5.6.10 (with OpenSSL) has "Rsa_public_key" status variable:

mysql> select version();
+---------------------------------------+
| version()                             |
+---------------------------------------+
| 5.6.10-enterprise-commercial-advanced |
+---------------------------------------+
1 row in set (0.02 sec)

mysql> show status like '%rsa%';
+----------------+-------+
| Variable_name  | Value |
+----------------+-------+
| Rsa_public_key |       |
+----------------+-------+
1 row in set (0.00 sec)

while MySQL Community 5.6.10 does not:

mysql> select version();
+-----------+
| version() |
+-----------+
| 5.6.10    |
+-----------+
1 row in set (0.00 sec)

mysql> show status like '%rsa%';
Empty set (0.00 sec)

But yes, the information about the library used should be explicitly defined in a stand-alone global variable.
[22 Apr 2014 14:24] MySQL Verification Team
Another way to tell if you have OpenSSL: this is present:

mysql> select * from setup_instruments where name like '%CRYPTO_dynlock_value::lock%';
+--------------------------------------------------+---------+-------+
| NAME                                             | ENABLED | TIMED |
+--------------------------------------------------+---------+-------+
| wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock | NO      | NO    |
+--------------------------------------------------+---------+-------+
1 row in set (0.01 sec)

.o0 and if the mysql client binary is built with OpenSSL it'll have another option:

--server-public-key-path=name
 File path to the server public RSA key in PEM format.
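
The two server-side workarounds described in the comments above can be combined into one check. This is an added example, not code from the bug report or from MySQL; the function names, verdict strings and sample outputs are constructed here, and the "yaSSL" verdict assumes a 5.6-era server as in the thread.

```python
RSA_VAR = "Rsa_public_key"              # status variable named in the thread
DYNLOCK = "CRYPTO_dynlock_value::lock"  # instrument named in the thread

def first_column(table_text):
    """First-column values from mysql client table output, header row skipped."""
    cells = [line.split("|")[1].strip()
             for line in table_text.splitlines()
             if line.lstrip().startswith("|")]
    return cells[1:]

def infer_tls_library(status_out=None, instruments_out=None):
    """Return (verdict, evidence). Pass None for a query that was not run."""
    evidence = []
    if status_out is not None and RSA_VAR in first_column(status_out):
        evidence.append(RSA_VAR + " status variable present")
    if instruments_out is not None and any(
            name.endswith(DYNLOCK) for name in first_column(instruments_out)):
        evidence.append(DYNLOCK + " instrument present")
    if evidence:
        return "OpenSSL", evidence
    if status_out is not None:
        # Assumption: a 5.6-era server, where the variable is defined
        # unless the server was built with yaSSL.
        return "yaSSL (inferred)", [RSA_VAR + " status variable absent"]
    # The thread only says the instrument's presence indicates OpenSSL,
    # so its absence alone is not treated as conclusive.
    return "unknown", ["no conclusive signal"]

# Constructed sample outputs, modelled on the sessions quoted in the thread.
ENTERPRISE_STATUS = """\
+----------------+-------+
| Variable_name  | Value |
+----------------+-------+
| Rsa_public_key |       |
+----------------+-------+
1 row in set (0.00 sec)"""
COMMUNITY_STATUS = "Empty set (0.00 sec)"
INSTRUMENTS = """\
+--------------------------------------------------+---------+-------+
| NAME                                             | ENABLED | TIMED |
+--------------------------------------------------+---------+-------+
| wait/synch/rwlock/sql/CRYPTO_dynlock_value::lock | NO      | NO    |
+--------------------------------------------------+---------+-------+"""

if __name__ == "__main__":
    for label, out in (("enterprise", ENTERPRISE_STATUS), ("community", COMMUNITY_STATUS)):
        print(label, infer_tls_library(out))
```

The verdict is an inference from side effects of the build, not a reported library name or version, so it cannot show whether the server was restarted after a library upgrade.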
[10 Dec 2014 15:57] Daniël van Eeden
This has become a bit more serious with all the Heartbleed, POODLE, CCS and related SSL/TLS bugs.

It should be made possible to check if OpenSSL or YaSSL is used and whether it's linked dynamically or statically and which version of the library is used.

SHOW GLOBAL VARIABLES
ssl          Yes/No/Disabled
ssl_library  OpenSSL/YaSSL
ssl_bundled  Yes/No
ssl_version  1.0.0z

Maybe this can be created as a plugin so it also works on older versions if you load the plugin?
[10 Jan 2015 10:36] Daniël van Eeden
Of which bug is this a duplicate?
[10 Jan 2015 13:04] MySQL Verification Team
This is a duplicate of internally reported BUG 14509418 - NEED MECHANISM TO DETERMINE WHICH SSL LIBRARY IS AVAILABLE
[13 Jan 2015 14:27] Stefan Hinz
Closed by mistake, sorry. Reopened. -Stefan
[5 Jun 2015 6:46] James Day
An update on the status of the internal feature request that this is a duplicate of: no change in state, it's desirable, just no schedule for what/when to do it yet.

James Day, MySQL Senior Principal Support Engineer, Oracle
[6 Feb 2018 13:52] Daniël van Eeden
Updated versions.