Bug #71271 MySQL fails to load PKCS#8 private key with YaSSL
Submitted: 2 Jan 2014 11:51 Modified: 29 Dec 2017 20:50
Reporter: Daniël van Eeden (OCA) Email Updates:
Status: Verified Impact on me:
None 
Category:MySQL Server: Security: Privileges Severity:S3 (Non-critical)
Version:5.5.30, 5.6.15, 5.7.20, 8.0.3 OS:Any
Assigned to: CPU Architecture:Any
Tags: pkcs, private key, SSL, tls
Triage: Needs Triage: D2 (Serious)

[2 Jan 2014 11:51] Daniël van Eeden
Description:
A private key can be in PKCS#1 or PKCS#8 format.

The PKCS#1 format can be recognized as it starts with
-----BEGIN RSA PRIVATE KEY-----

The PKCS#8 format can be recognized as it starts with
-----BEGIN PRIVATE KEY-----

MySQL accepts keys in PKCS#1 format, but fails to load keys in PKCS#8 format.

How to repeat:
Create a PKCS#8 private key and set ssl-ca, ssl-cert and ss-key. Then restart MySQL.

SSL error: Unable to get private key from '/etc/mysql/server-key-pkcs8.pem'
140102 11:57:25 [Warning] Failed to setup SSL
140102 11:57:25 [Warning] SSL error: Unable to get private key

Suggested fix:
Make sure MySQL can load PKCS#8 private keys or generates a clear error.

It should not be too hard as OpenSSL should support PKCS#8 transparently. I'm not sure if YaSSL also does this.

The workaround it to make the key look like a PKCS#1 key:
sed -i 's/PRIVATE KEY/RSA PRIVATE KEY/g' server-key.pem
[2 Jan 2014 17:35] Daniël van Eeden
To convert from PKCS#8 to PKCS#1:
openssl rsa -in server-key-pkcs8.pem -out server-key-pkcs1.pem

To convert from PKCS#1 to PKCS#8:
openssl pkcs8 -topk8 -nocrypt -in server-key-pkcs1.pem -out server-key-pkcs8.pem

And YaSSL claims to support PKCS#8:
-----------------------
4.3.7.2 PKCS #8

PKCS #8 is designed as the Private-Key Information Syntax Standard, which is used to store private key information - including a private key for some public-key algorithm and set of attributes.  

The PKCS #8 standard has two versions which describe the syntax to store both encrypted private keys and non-encrypted keys. CyaSSL supports both non-encrypted and encrypted PKCS #8. Supported formats include PKCS #5 version 1 - version 2, and PKCS#12. Types of encryption available include DES, 3DES, RC4, and AES.

PKCS#8:  http://tools.ietf.org/html/rfc5208
-----------------------
Source: http://www.yassl.com/yaSSL/Docs-cyassl-manual-4-features.html
[27 Jan 2014 20:20] Sveta Smirnova
Thank you for the report.

I can not repeat described behavior with current development versions of both 5.5 and 5.6 branches, so closing as "Can't repeat". Please upgrade.
[28 Jan 2014 20:17] Daniël van Eeden
5.6.14 Enterprise: Works
5.6.15 Community: Does not work.

dveeden@daniel-thinkpad:~/sandboxes$ egrep '^ssl' {msb_5_6_14-enterprise,msb_5_6_15}/my.sandbox.cnf
msb_5_6_14-enterprise/my.sandbox.cnf:ssl-ca = /home/dveeden/sandboxes/msb_5_6_14-enterprise/ssl/CAcert.pem
msb_5_6_14-enterprise/my.sandbox.cnf:ssl-cert = /home/dveeden/sandboxes/msb_5_6_14-enterprise/ssl/server-cert.pem
msb_5_6_14-enterprise/my.sandbox.cnf:ssl-key = /home/dveeden/sandboxes/msb_5_6_14-enterprise/ssl/server-key-pkcs8.pem
msb_5_6_15/my.sandbox.cnf:ssl-ca = /home/dveeden/sandboxes/msb_5_6_14-enterprise/ssl/CAcert.pem
msb_5_6_15/my.sandbox.cnf:ssl-cert = /home/dveeden/sandboxes/msb_5_6_14-enterprise/ssl/server-cert.pem
msb_5_6_15/my.sandbox.cnf:ssl-key = /home/dveeden/sandboxes/msb_5_6_14-enterprise/ssl/server-key-pkcs8.pem

dveeden@daniel-thinkpad:~/sandboxes$ grep "BEGIN" {msb_5_6_14-enterprise,msb_5_6_15}/ssl/server-key*.pem
msb_5_6_14-enterprise/ssl/server-key.pem:-----BEGIN RSA PRIVATE KEY-----
msb_5_6_14-enterprise/ssl/server-key-pkcs8.pem:-----BEGIN PRIVATE KEY-----
msb_5_6_15/ssl/server-key.pem:-----BEGIN RSA PRIVATE KEY-----
msb_5_6_15/ssl/server-key-pkcs8.pem:-----BEGIN PRIVATE KEY-----

Messages from 5.6.15:
SSL error: Unable to get private key from '/home/dveeden/sandboxes/msb_5_6_14-enterprise/ssl/server-key-pkcs8.pem'
2014-01-28 20:59:48 14084 [Warning] Failed to setup SSL
2014-01-28 20:59:48 14084 [Warning] SSL error: Unable to get private key
[28 Jan 2014 20:19] Daniël van Eeden
Example SSL certs

Attachment: ssl.tar.bz2 (application/x-bzip, text), 4.20 KiB.

[28 Jan 2014 21:32] Daniël van Eeden
5.6.15 compiled with "-DWITH_SSL=system": Works.

So:
5.5.30 C YaSSL: Doesn't work
5.6.14 E OpenSSL 1.0.1d (static): works
5.6.15 C YaSSL: Doesn't work
5.6.15 C OpenSSL 1.0.1c (dynamic): works
[28 Jan 2014 22:14] Daniël van Eeden
Trace info (5.6.15 with YaSSL)

T@1    : >new_VioSSLFd
T@1    : | enter: key_file: '/home/dveeden/sandboxes/msb_5_6_15/ssl/server-key-pkcs8.pem'  cert_file: '/home/dveeden/sandboxes/msb_5_6_15/ssl/server-cert.pem'  ca_file: '/home/dveeden/sandboxes/msb_5_6_15/ssl/CAcert.pem'  ca_path: 'NULL'  cipher: 'NULL' crl_file: 'NULL' crl_path: 'NULL' 
T@1    : | >my_malloc
T@1    : | | my: size: 8  my_flags: 0
T@1    : | | exit: ptr: 0x2d49d50
T@1    : | <my_malloc 66
T@1    : | >vio_set_cert_stuff
T@1    : | | enter: ctx: 0x2d48ba0  cert_file: /home/dveeden/sandboxes/msb_5_6_15/ssl/server-cert.pem  key_file: /home/dveeden/sandboxes/msb_5_6_15/ssl/server-key-pkcs8.pem
T@1    : | | error: Unable to get private key from file '/home/dveeden/sandboxes/msb_5_6_15/ssl/server-key-pkcs8.pem'
T@1    : | <vio_set_cert_stuff 129
T@1    : | error: vio_set_cert_stuff failed
T@1    : | >report_errors
T@1    : | <report_errors 72
T@1    : | >my_free
T@1    : | | my: ptr: 0x2d49d50
T@1    : | <my_free 141
T@1    : <new_VioSSLFd 281
T@1    : info: ssl_acceptor_fd: 0x0
T@1    : >sql_print_warning
T@1    : | >vprint_msg_to_log
T@1    : | | >print_buffer_to_file
T@1    : | | | enter: buffer: Failed to setup SSL
T@1    : | | <print_buffer_to_file 2298
T@1    : | <vprint_msg_to_log 2330
T@1    : <sql_print_warning 2357
T@1    : >sql_print_warning
T@1    : | >vprint_msg_to_log
T@1    : | | >print_buffer_to_file
T@1    : | | | enter: buffer: SSL error: Unable to get private key
T@1    : | | <print_buffer_to_file 2298
T@1    : | <vprint_msg_to_log 2330
T@1    : <sql_print_warning 2357
[29 Jan 2014 9:30] Daniël van Eeden
The 'regular' private key file:
$ openssl asn1parse -in server-key.pem 
    0:d=0  hl=4 l=1188 cons: SEQUENCE          
    4:d=1  hl=2 l=   1 prim: INTEGER           :00
    7:d=1  hl=4 l= 257 prim: INTEGER           :A78861F96431684948ABE40B4E4522F5FE75B8DEE400710EC8C4A9D260EF7A0A374997241807E67C16BB7465D38A9A5F84950BE70518087EE6E7BFDE38ECB467A64A6D04925BEB42E65883937B5DE7A2AE007B6BA9AC0F3909133691175108C45379AAEA7A4D64AED91DDE186F767B187AD7D5F7F9EB1792F529CA80225ED75AC57C3D502622ABFB52491C737E9A2CEC1A61FE8AF6209464F598821E21A5817EEE575C3B3F51786E5F1D9F3EDB4DB0A11B18C6E22BF5D444D508498FF3B32CCAB3CFBC798C96F0AA24C1EDBCFD1CDF751687242722CB3AABDFC99C1103A455679928B7BB805A10EB93F1FAC0401CDC36ABF2A9C70D457DC6C9AEE4BBD61DDE09
  268:d=1  hl=2 l=   3 prim: INTEGER           :010001
  273:d=1  hl=4 l= 256 prim: INTEGER           :09B6C6B7872FB634499A6DE699EB3853BB25684AC43DA2509123961534B9AE01D9A2D2B8AD0C083939B834CF92AC7EB6FB210947A3EBF8D222E15D26AD764C1F966CCA55718712E516261BBAF97440721654C0D3454B4CB6A9E80B49EE682C71F5C5203BE84B8482FEE3D474E641A07192EDE0E2380381A26BC4B891256D0A5F88F9719DCF30F37BAB56C512A7A13DDC1AC583B9C57D345B16C1DADC4A9CB713E9A34300D67F7D487CF0348D5D92E673A771F74EB761BB0FF6E9B7F0E4E35BC8FFBDE827C7B07A5743D1A64AA2CEABCE07F342F06B388493B2EA93D4C3E855B7C00003ABC80D1ACC74E5F40C69A7D723C799D4066213CEAC62074A67A4A6AF81
  533:d=1  hl=3 l= 129 prim: INTEGER           :D8B0E6B14E1A8BC605777F42BD1BCB0B1B6AECD1B95D8C8C76E8E7F26CF32E07A19CA59CB637762B9CB4BF9477AF963B1D8AC3E70E0D95C0B87DF57170B4416C8D25F91DEA82B6CEA2D05C3729851848CBF91B9D2B0FE1728366495D6302189C6239224D6A05E64B3486E6368A7FDB09E5B8A7901198C7733D822526A4A9DC85
  665:d=1  hl=3 l= 129 prim: INTEGER           :C5EC941C5D3C393A3ADE85617BB4FC3255A06662EC87154CB2A17B09622B79B06143D51026FDBA951196957459E60D05A919AEDBF238EBF1627D789773146E93CEE36FFA181752AA965CAD4262536CDA1E4628A0BA3A8DC1BFABA05AB800FB93515C3429EDD9183272A874D9A0D8C62F8DCC5BAA7218737BEBDC258402AD64B5
  797:d=1  hl=3 l= 129 prim: INTEGER           :883ADF2E053E67357D665D19A62E7CFE64A45A7297A91A9D8C7C6CA65A9CA009A82F05677A9F6FA987819318520E8FD266864117581C6E5395298B4F605DD2EBDDE94BAEE52A7CA77870AA28FBEF730F013D8180D3FBCDEEE271421A760E714E8FE9FF88CFE919999A525D1559097CB9C234CF13A21C7CF8146967D5DD9BF4C9
  929:d=1  hl=3 l= 128 prim: INTEGER           :6794047AC78C31C2B87625453BD11E3E55334901B2188B5C050B9EF0ED302551D9C4FEE6A2111CA8D07886A44A3BAB4AF010E1C27703B4EE3105CAAB2F6D5CE4FB5B69096FBC1CE5EB247B0387A3730EBED32685DE8FB009D9FDBE405B9520131B7BEE4C970D8AAD33F5D698E1A5302A48C1CEA2E76CC65AEEB6D9E738E37715
 1060:d=1  hl=3 l= 129 prim: INTEGER           :A767D0477775CC97DF8BECF37CC96B6FC9C1572C0EAD103D3C2E5A440BA1EC1F7ADF9E301EE7DC14555FD9009DCBE02906BF6BA03F7FF6E94063A88D0BDEBE54AE6B00CBC6CD608A68E949FEC4DCC32ADFA3299E35DDB32EEC24A828352AF9D6DFADC4BA4049415B2B92F8FED87DE14A8AE47922FB32814293C3186361B7E1C5
[29 Jan 2014 9:30] Daniël van Eeden
The PKCS#8 file:
$ openssl asn1parse -in server-key-pkcs8.pem 
    0:d=0  hl=4 l=1214 cons: SEQUENCE          
    4:d=1  hl=2 l=   1 prim: INTEGER           :00
    7:d=1  hl=2 l=  13 cons: SEQUENCE          
    9:d=2  hl=2 l=   9 prim: OBJECT            :rsaEncryption
   20:d=2  hl=2 l=   0 prim: NULL              
   22:d=1  hl=4 l=1192 prim: OCTET STRING      [HEX DUMP]:308204A40201000282010100A78861F96431684948ABE40B4E4522F5FE75B8DEE400710EC8C4A9D260EF7A0A374997241807E67C16BB7465D38A9A5F84950BE70518087EE6E7BFDE38ECB467A64A6D04925BEB42E65883937B5DE7A2AE007B6BA9AC0F3909133691175108C45379AAEA7A4D64AED91DDE186F767B187AD7D5F7F9EB1792F529CA80225ED75AC57C3D502622ABFB52491C737E9A2CEC1A61FE8AF6209464F598821E21A5817EEE575C3B3F51786E5F1D9F3EDB4DB0A11B18C6E22BF5D444D508498FF3B32CCAB3CFBC798C96F0AA24C1EDBCFD1CDF751687242722CB3AABDFC99C1103A455679928B7BB805A10EB93F1FAC0401CDC36ABF2A9C70D457DC6C9AEE4BBD61DDE0902030100010282010009B6C6B7872FB634499A6DE699EB3853BB25684AC43DA2509123961534B9AE01D9A2D2B8AD0C083939B834CF92AC7EB6FB210947A3EBF8D222E15D26AD764C1F966CCA55718712E516261BBAF97440721654C0D3454B4CB6A9E80B49EE682C71F5C5203BE84B8482FEE3D474E641A07192EDE0E2380381A26BC4B891256D0A5F88F9719DCF30F37BAB56C512A7A13DDC1AC583B9C57D345B16C1DADC4A9CB713E9A34300D67F7D487CF0348D5D92E673A771F74EB761BB0FF6E9B7F0E4E35BC8FFBDE827C7B07A5743D1A64AA2CEABCE07F342F06B388493B2EA93D4C3E855B7C00003ABC80D1ACC74E5F40C69A7D723C799D4066213CEAC62074A67A4A6AF8102818100D8B0E6B14E1A8BC605777F42BD1BCB0B1B6AECD1B95D8C8C76E8E7F26CF32E07A19CA59CB637762B9CB4BF9477AF963B1D8AC3E70E0D95C0B87DF57170B4416C8D25F91DEA82B6CEA2D05C3729851848CBF91B9D2B0FE1728366495D6302189C6239224D6A05E64B3486E6368A7FDB09E5B8A7901198C7733D822526A4A9DC8502818100C5EC941C5D3C393A3ADE85617BB4FC3255A06662EC87154CB2A17B09622B79B06143D51026FDBA951196957459E60D05A919AEDBF238EBF1627D789773146E93CEE36FFA181752AA965CAD4262536CDA1E4628A0BA3A8DC1BFABA05AB800FB93515C3429EDD9183272A874D9A0D8C62F8DCC5BAA7218737BEBDC258402AD64B502818100883ADF2E053E67357D665D19A62E7CFE64A45A7297A91A9D8C7C6CA65A9CA009A82F05677A9F6FA987819318520E8FD266864117581C6E5395298B4F605DD2EBDDE94BAEE52A7CA77870AA28FBEF730F013D8180D3FBCDEEE271421A760E714E8FE9FF88CFE919999A525D1559097CB9C234CF13A21C7CF8146967D5DD9BF4C90281806794047AC78C31C2B87625453BD11E3E55334901B2188B5C050B9EF0ED302551D9C4FEE6A2111CA8D07886A44A3BAB4AF010E1C27703B4EE3105CAAB2F6D5CE4FB5B69096FBC1CE5EB247B0387A3730EBED32685DE8FB009D9FDBE405B9520131B7BEE4C970D8AAD33F5D698E1A5302A48C1CEA2E76CC65AEEB6D9E738E3771502818100A767D0477775CC97DF8BECF37CC96B6FC9C1572C0EAD103D3C2E5A440BA1EC1F7ADF9E301EE7DC14555FD9009DCBE02906BF6BA03F7FF6E94063A88D0BDEBE54AE6B00CBC6CD608A68E949FEC4DCC32ADFA3299E35DDB32EEC24A828352AF9D6DFADC4BA4049415B2B92F8FED87DE14A8AE47922FB32814293C3186361B7E1C5

The 'regular' key within the PKCS#8 file:
$ openssl asn1parse -in server-key-pkcs8.pem -strparse 22
    0:d=0  hl=4 l=1188 cons: SEQUENCE          
    4:d=1  hl=2 l=   1 prim: INTEGER           :00
    7:d=1  hl=4 l= 257 prim: INTEGER           :A78861F96431684948ABE40B4E4522F5FE75B8DEE400710EC8C4A9D260EF7A0A374997241807E67C16BB7465D38A9A5F84950BE70518087EE6E7BFDE38ECB467A64A6D04925BEB42E65883937B5DE7A2AE007B6BA9AC0F3909133691175108C45379AAEA7A4D64AED91DDE186F767B187AD7D5F7F9EB1792F529CA80225ED75AC57C3D502622ABFB52491C737E9A2CEC1A61FE8AF6209464F598821E21A5817EEE575C3B3F51786E5F1D9F3EDB4DB0A11B18C6E22BF5D444D508498FF3B32CCAB3CFBC798C96F0AA24C1EDBCFD1CDF751687242722CB3AABDFC99C1103A455679928B7BB805A10EB93F1FAC0401CDC36ABF2A9C70D457DC6C9AEE4BBD61DDE09
  268:d=1  hl=2 l=   3 prim: INTEGER           :010001
  273:d=1  hl=4 l= 256 prim: INTEGER           :09B6C6B7872FB634499A6DE699EB3853BB25684AC43DA2509123961534B9AE01D9A2D2B8AD0C083939B834CF92AC7EB6FB210947A3EBF8D222E15D26AD764C1F966CCA55718712E516261BBAF97440721654C0D3454B4CB6A9E80B49EE682C71F5C5203BE84B8482FEE3D474E641A07192EDE0E2380381A26BC4B891256D0A5F88F9719DCF30F37BAB56C512A7A13DDC1AC583B9C57D345B16C1DADC4A9CB713E9A34300D67F7D487CF0348D5D92E673A771F74EB761BB0FF6E9B7F0E4E35BC8FFBDE827C7B07A5743D1A64AA2CEABCE07F342F06B388493B2EA93D4C3E855B7C00003ABC80D1ACC74E5F40C69A7D723C799D4066213CEAC62074A67A4A6AF81
  533:d=1  hl=3 l= 129 prim: INTEGER           :D8B0E6B14E1A8BC605777F42BD1BCB0B1B6AECD1B95D8C8C76E8E7F26CF32E07A19CA59CB637762B9CB4BF9477AF963B1D8AC3E70E0D95C0B87DF57170B4416C8D25F91DEA82B6CEA2D05C3729851848CBF91B9D2B0FE1728366495D6302189C6239224D6A05E64B3486E6368A7FDB09E5B8A7901198C7733D822526A4A9DC85
  665:d=1  hl=3 l= 129 prim: INTEGER           :C5EC941C5D3C393A3ADE85617BB4FC3255A06662EC87154CB2A17B09622B79B06143D51026FDBA951196957459E60D05A919AEDBF238EBF1627D789773146E93CEE36FFA181752AA965CAD4262536CDA1E4628A0BA3A8DC1BFABA05AB800FB93515C3429EDD9183272A874D9A0D8C62F8DCC5BAA7218737BEBDC258402AD64B5
  797:d=1  hl=3 l= 129 prim: INTEGER           :883ADF2E053E67357D665D19A62E7CFE64A45A7297A91A9D8C7C6CA65A9CA009A82F05677A9F6FA987819318520E8FD266864117581C6E5395298B4F605DD2EBDDE94BAEE52A7CA77870AA28FBEF730F013D8180D3FBCDEEE271421A760E714E8FE9FF88CFE919999A525D1559097CB9C234CF13A21C7CF8146967D5DD9BF4C9
  929:d=1  hl=3 l= 128 prim: INTEGER           :6794047AC78C31C2B87625453BD11E3E55334901B2188B5C050B9EF0ED302551D9C4FEE6A2111CA8D07886A44A3BAB4AF010E1C27703B4EE3105CAAB2F6D5CE4FB5B69096FBC1CE5EB247B0387A3730EBED32685DE8FB009D9FDBE405B9520131B7BEE4C970D8AAD33F5D698E1A5302A48C1CEA2E76CC65AEEB6D9E738E37715
 1060:d=1  hl=3 l= 129 prim: INTEGER           :A767D0477775CC97DF8BECF37CC96B6FC9C1572C0EAD103D3C2E5A440BA1EC1F7ADF9E301EE7DC14555FD9009DCBE02906BF6BA03F7FF6E94063A88D0BDEBE54AE6B00CBC6CD608A68E949FEC4DCC32ADFA3299E35DDB32EEC24A828352AF9D6DFADC4BA4049415B2B92F8FED87DE14A8AE47922FB32814293C3186361B7E1C5
[29 Jan 2014 12:05] Sveta Smirnova
I was able to repeat it with Community binaries mysql-5.6.15-linux-glibc2.5-x86_64.tar.gz Set to "Verified".
[2 Feb 2014 14:38] Viktor Štujber
If I'm right, the reason for this is quite silly:

// convert PEM file to DER x509 type
x509* PemToDer(FILE* file, CertType type, EncryptedInfo* info)
{
...
        strncpy(header, "-----BEGIN RSA PRIVATE KEY-----", sizeof(header));
        strncpy(footer, "-----END RSA PRIVATE KEY-----", sizeof(header));
...
}

This will not match DSA nor EC keys. Although all it does is strip the armoring, base64-decode the contents and feed it to x509 code - so there is no specific dependency on RSA here. The code should be made more flexible...
[4 Feb 2014 13:26] Daniël van Eeden
Simple test:
$ cat mysql-test/t/ssl_key_pkcs8.test
$ cat mysql-test/t/ssl_key_pkcs8-master.opt 
--loose-ssl-key=$MYSQL_TEST_DIR/std_data/server-key-pkcs8.pem
$ cat mysql-test/std_data/server-key-pkcs8.pem 
-----BEGIN PRIVATE KEY-----
MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAzeSHUZ1yEaDR+vOS
ixMc6/fimi9yqNZlSNFprxvATBPlYGBRQemrprwTuwxeMnzZbJ7NBSSEeNuAkS7Y
iCvC7QIDAQABAkEAm7CEVsXc3NGkFsSaeongY9rVQkxAwsUkX7Ti2qP8fElwAhWE
4mEaaa1g3DXKPP9mw+d8kIzPh4U612O8a1+l4QIhAOYUWDZYu9ij7ab3D1XvPhki
SDuLFiQj85tRRy19mQ85AiEA5Raeu+MWsBdsi9hP9hHnT7dkMsRznVfE2AmdapZi
XVUCIQCdM4VaDKK8ULUOAXw+8Ony7lOAK3YDV3UYyB3j3Q75MQIgL9YyXT+FPE4X
33fS8qo4Z//+j09QaRmrxAT19wziC2UCIASI5wWmcuO1aPnuOuG7DbXi5ycHmuSW
RBB74C1wBE2S
-----END PRIVATE KEY-----

The server-key-pkcs8.pem file was generated with:
openssl pkcs8 -topk8 -nocrypt -in server-key.pem -out server-key-pkcs8.pem
[10 Oct 2014 9:40] Dave Kelly
See #59227.  Your info re: PKCS#1 vs. #8 explains the difference between the two formats, but apparently the bug remains.
[2 Jan 2016 12:07] Sascha Curth
This bug still exists in 5.5.46-0ubuntu0.14.04.2-log. Converting to pkcs1 works.

openssl rsa -in privkey.pem -out privkey1-pkcs1.pem
[14 Apr 2016 13:02] Tom Sommer
How is this not fixed for 2+ years?

Come on.
[29 Dec 2017 20:50] Daniël van Eeden
Related:
Bug #88865 	Add in ECC SSL Support