Bug #71271 MySQL fails to load PKCS#8 private key with YaSSL
Submitted: 2 Jan 2014 11:51
Modified: 9 Jul 17:15
Reporter: Daniël van Eeden (OCA)
Status: Won't fix
Category: MySQL Server: Security: Privileges
Severity: S3 (Non-critical)
Version: 5.5.30, 5.6.15, 5.7.20, 8.0.3
OS: Any
Assigned to:
CPU Architecture: Any
Tags: pkcs, private key, SSL, tls
Triage: Needs Triage: D2 (Serious)

[2 Jan 2014 11:51] Daniël van Eeden
Description:
A private key can be in PKCS#1 or PKCS#8 format.

The PKCS#1 format can be recognized as it starts with
-----BEGIN RSA PRIVATE KEY-----

The PKCS#8 format can be recognized as it starts with
-----BEGIN PRIVATE KEY-----

MySQL accepts keys in PKCS#1 format, but fails to load keys in PKCS#8 format.

How to repeat:
Create a PKCS#8 private key and set ssl-ca, ssl-cert and ssl-key. Then restart MySQL.

SSL error: Unable to get private key from '/etc/mysql/server-key-pkcs8.pem'
140102 11:57:25 [Warning] Failed to setup SSL
140102 11:57:25 [Warning] SSL error: Unable to get private key

Suggested fix:
Make sure MySQL can load PKCS#8 private keys or generates a clear error.

It should not be too hard as OpenSSL should support PKCS#8 transparently. I'm not sure if YaSSL also does this.

The workaround is to make the key look like a PKCS#1 key:
sed -i 's/PRIVATE KEY/RSA PRIVATE KEY/g' server-key.pem
[2 Jan 2014 17:35] Daniël van Eeden
To convert from PKCS#8 to PKCS#1:
openssl rsa -in server-key-pkcs8.pem -out server-key-pkcs1.pem

To convert from PKCS#1 to PKCS#8:
openssl pkcs8 -topk8 -nocrypt -in server-key-pkcs1.pem -out server-key-pkcs8.pem

And YaSSL claims to support PKCS#8:
-----------------------
4.3.7.2 PKCS #8

PKCS #8 is designed as the Private-Key Information Syntax Standard, which is used to store private key information - including a private key for some public-key algorithm and set of attributes.  

The PKCS #8 standard has two versions which describe the syntax to store both encrypted private keys and non-encrypted keys. CyaSSL supports both non-encrypted and encrypted PKCS #8. Supported formats include PKCS #5 version 1 - version 2, and PKCS#12. Types of encryption available include DES, 3DES, RC4, and AES.

PKCS#8:  http://tools.ietf.org/html/rfc5208
-----------------------
Source: http://www.yassl.com/yaSSL/Docs-cyassl-manual-4-features.html
[27 Jan 2014 20:20] Sveta Smirnova
Thank you for the report.

I cannot repeat the described behavior with current development versions of both 5.5 and 5.6 branches, so closing as "Can't repeat". Please upgrade.
[28 Jan 2014 20:17] Daniël van Eeden
5.6.14 Enterprise: Works
5.6.15 Community: Does not work.

dveeden@daniel-thinkpad:~/sandboxes$ egrep '^ssl' {msb_5_6_14-enterprise,msb_5_6_15}/my.sandbox.cnf
msb_5_6_14-enterprise/my.sandbox.cnf:ssl-ca = /home/dveeden/sandboxes/msb_5_6_14-enterprise/ssl/CAcert.pem
msb_5_6_14-enterprise/my.sandbox.cnf:ssl-cert = /home/dveeden/sandboxes/msb_5_6_14-enterprise/ssl/server-cert.pem
msb_5_6_14-enterprise/my.sandbox.cnf:ssl-key = /home/dveeden/sandboxes/msb_5_6_14-enterprise/ssl/server-key-pkcs8.pem
msb_5_6_15/my.sandbox.cnf:ssl-ca = /home/dveeden/sandboxes/msb_5_6_14-enterprise/ssl/CAcert.pem
msb_5_6_15/my.sandbox.cnf:ssl-cert = /home/dveeden/sandboxes/msb_5_6_14-enterprise/ssl/server-cert.pem
msb_5_6_15/my.sandbox.cnf:ssl-key = /home/dveeden/sandboxes/msb_5_6_14-enterprise/ssl/server-key-pkcs8.pem

dveeden@daniel-thinkpad:~/sandboxes$ grep "BEGIN" {msb_5_6_14-enterprise,msb_5_6_15}/ssl/server-key*.pem
msb_5_6_14-enterprise/ssl/server-key.pem:-----BEGIN RSA PRIVATE KEY-----
msb_5_6_14-enterprise/ssl/server-key-pkcs8.pem:-----BEGIN PRIVATE KEY-----
msb_5_6_15/ssl/server-key.pem:-----BEGIN RSA PRIVATE KEY-----
msb_5_6_15/ssl/server-key-pkcs8.pem:-----BEGIN PRIVATE KEY-----

Messages from 5.6.15:
SSL error: Unable to get private key from '/home/dveeden/sandboxes/msb_5_6_14-enterprise/ssl/server-key-pkcs8.pem'
2014-01-28 20:59:48 14084 [Warning] Failed to setup SSL
2014-01-28 20:59:48 14084 [Warning] SSL error: Unable to get private key
[28 Jan 2014 20:19] Daniël van Eeden
Example SSL certs

Attachment: ssl.tar.bz2 (application/x-bzip, text), 4.20 KiB.

[28 Jan 2014 21:32] Daniël van Eeden
5.6.15 compiled with "-DWITH_SSL=system": Works.

So:
5.5.30 C YaSSL: Doesn't work
5.6.14 E OpenSSL 1.0.1d (static): works
5.6.15 C YaSSL: Doesn't work
5.6.15 C OpenSSL 1.0.1c (dynamic): works
[28 Jan 2014 22:14] Daniël van Eeden
Trace info (5.6.15 with YaSSL)

T@1    : >new_VioSSLFd
T@1    : | enter: key_file: '/home/dveeden/sandboxes/msb_5_6_15/ssl/server-key-pkcs8.pem'  cert_file: '/home/dveeden/sandboxes/msb_5_6_15/ssl/server-cert.pem'  ca_file: '/home/dveeden/sandboxes/msb_5_6_15/ssl/CAcert.pem'  ca_path: 'NULL'  cipher: 'NULL' crl_file: 'NULL' crl_path: 'NULL' 
T@1    : | >my_malloc
T@1    : | | my: size: 8  my_flags: 0
T@1    : | | exit: ptr: 0x2d49d50
T@1    : | <my_malloc 66
T@1    : | >vio_set_cert_stuff
T@1    : | | enter: ctx: 0x2d48ba0  cert_file: /home/dveeden/sandboxes/msb_5_6_15/ssl/server-cert.pem  key_file: /home/dveeden/sandboxes/msb_5_6_15/ssl/server-key-pkcs8.pem
T@1    : | | error: Unable to get private key from file '/home/dveeden/sandboxes/msb_5_6_15/ssl/server-key-pkcs8.pem'
T@1    : | <vio_set_cert_stuff 129
T@1    : | error: vio_set_cert_stuff failed
T@1    : | >report_errors
T@1    : | <report_errors 72
T@1    : | >my_free
T@1    : | | my: ptr: 0x2d49d50
T@1    : | <my_free 141
T@1    : <new_VioSSLFd 281
T@1    : info: ssl_acceptor_fd: 0x0
T@1    : >sql_print_warning
T@1    : | >vprint_msg_to_log
T@1    : | | >print_buffer_to_file
T@1    : | | | enter: buffer: Failed to setup SSL
T@1    : | | <print_buffer_to_file 2298
T@1    : | <vprint_msg_to_log 2330
T@1    : <sql_print_warning 2357
T@1    : >sql_print_warning
T@1    : | >vprint_msg_to_log
T@1    : | | >print_buffer_to_file
T@1    : | | | enter: buffer: SSL error: Unable to get private key
T@1    : | | <print_buffer_to_file 2298
T@1    : | <vprint_msg_to_log 2330
T@1    : <sql_print_warning 2357
[29 Jan 2014 9:30] Daniël van Eeden
The 'regular' private key file:
$ openssl asn1parse -in server-key.pem 
    0:d=0  hl=4 l=1188 cons: SEQUENCE          
    4:d=1  hl=2 l=   1 prim: INTEGER           :00
    7:d=1  hl=4 l= 257 prim: INTEGER           :
  268:d=1  hl=2 l=   3 prim: INTEGER           :010001
  273:d=1  hl=4 l= 256 prim
  533:d=1  hl=3 l= 129 prim: INTEGER           :D8B0E6B14E1A8BC605777F42BD1BCB0B1B6AECD1B95D8C8C76E8E7F26CF32E07A19CA59CB637762B9CB4BF9477AF963B1D8AC3E70E0D95C0B87DF57170B4416C8D25F91DEA82B6CEA2D05C3729851848CBF91B9D2B0FE1728366495D6302189C6239224D6A05E64B3486E6368A7FDB09E5B8A7901198C7733D822526A4A9DC85
  665:d=1  hl=3 l= 129 prim: INTEGER           :C5EC941C5D3C393A3ADE85617BB4FC3255A06662EC87154CB2A17B09622B79B06143D51026FDBA951196957459E60D05A919AEDBF238EBF1627D789773146E93CEE36FFA181752AA965CAD4262536CDA1E4628A0BA3A8DC1BFABA05AB800FB93515C3429EDD9183272A874D9A0D8C62F8DCC5BAA7218737BEBDC258402AD64B5
  797:d=1  hl=3 l= 129 prim: INTEGER           :883ADF2E053E67357D665D19A62E7CFE64A45A7297A91A9D8C7C6CA65A9CA009A82F05677A9F6FA987819318520E8FD266864117581C6E5395298B4F605DD2EBDDE94BAEE52A7CA77870AA28FBEF730F013D8180D3FBCDEEE271421A760E714E8FE9FF88CFE919999A525D1559097CB9C234CF13A21C7CF8146967D5DD9BF4C9
  929:d=1  hl=3 l= 128 prim: INTEGER           :6794047AC78C31C2B87625453BD11E3E55334901B2188B5C050B9EF0ED302551D9C4FEE6A2111CA8D07886A44A3BAB4AF010E1C27703B4EE3105CAAB2F6D5CE4FB5B69096FBC1CE5EB247B0387A3730EBED32685DE8FB009D9FDBE405B9520131B7BEE4C970D8AAD33F5D698E1A5302A48C1CEA2E76CC65AEEB6D9E738E37715
 1060:d=1  hl=3 l= 129 prim: INTEGER           :A767D0477775CC97DF8BECF37CC96B6FC9C1572C0EAD103D3C2E5A440BA1EC1F7ADF9E301EE7DC14555FD9009DCBE02906BF6BA03F7FF6E94063A88D0BDEBE54AE6B00CBC6CD608A68E949FEC4DCC32ADFA3299E35DDB32EEC24A828352AF9D6DFADC4BA4049415B2B92F8FED87DE14A8AE47922FB32814293C3186361B7E1C5
[29 Jan 2014 9:30] Daniël van Eeden
The PKCS#8 file:
$ openssl asn1parse -in server-key-pkcs8.pem 
    0:d=0  hl=4 l=1214 cons: SEQUENCE          
    4:d=1  hl=2 l=   1 prim: INTEGER           :00
    7:d=1  hl=2 l=  13 cons: SEQUENCE          
    9:d=2  hl=2 l=   9 prim: OBJECT            :rsaEncryption
   20:d=2  hl=2 l=   0 prim: NULL              
   22:d=1  hl=4 l=1192 prim

The 'regular' key within the PKCS#8 file:
$ openssl asn1parse -in server-key-pkcs8.pem -strparse 22
    0:d=0  hl=4 l=1188 cons: SEQUENCE          
    4:d=1  hl=2 l=   1 prim: INTEGER           :00
    7:d=1  hl=4 l= 257 prim: INTEGER           :A78861F96431684948ABE40B4E4522F5FE75B8DEE400710EC8C4A9D260EF7A0A374997241807E67C16BB7465D38A9A5F84950BE70518087EE6E7BFDE38ECB467A64A6D04925BEB42E65883937B5DE7A2AE007B6BA9AC0F3909133691175108C45379AAEA7A4D64AED91DDE186F767B187AD7D5F7F9EB1792F529CA80225ED75AC57C3D502622ABFB52491C737E9A2CEC1A61FE8AF6209464F598821E21A5817EEE575C3B3F51786E5F1D9F3EDB4DB0A11B18C6E22BF5D444D508498FF3B32CCAB3CFBC798C96F0AA24C1EDBCFD1CDF751687242722CB3AABDFC99C1103A455679928B7BB805A10EB93F1FAC0401CDC36ABF2A9C70D457DC6C9AEE4BBD61DDE09
  268:d=1  hl=2 l=   3 prim: INTEGER           :010001
  273:d=1  hl=4 l= 256 prim
  533:d=1  hl=3 l= 129 prim: INTEGER           :D8B0E6B14E1A8BC605777F42BD1BCB0B1B6AECD1B95D8C8C76E8E7F26CF32E07A19CA59CB637762B9CB4BF9477AF963B1D8AC3E70E0D95C0B87DF57170B4416C8D25F91DEA82B6CEA2D05C3729851848CBF91B9D2B0FE1728366495D6302189C6239224D6A05E64B3486E6368A7FDB09E5B8A7901198C7733D822526A4A9DC85
  665:d=1  hl=3 l= 129 prim: INTEGER           :C5EC941C5D3C393A3ADE85617BB4FC3255A06662EC87154CB2A17B09622B79B06143D51026FDBA951196957459E60D05A919AEDBF238EBF1627D789773146E93CEE36FFA181752AA965CAD4262536CDA1E4628A0BA3A8DC1BFABA05AB800FB93515C3429EDD9183272A874D9A0D8C62F8DCC5BAA7218737BEBDC258402AD64B5
  797:d=1  hl=3 l= 129 prim: INTEGER           :883ADF2E053E67357D665D19A62E7CFE64A45A7297A91A9D8C7C6CA65A9CA009A82F05677A9F6FA987819318520E8FD266864117581C6E5395298B4F605DD2EBDDE94BAEE52A7CA77870AA28FBEF730F013D8180D3FBCDEEE271421A760E714E8FE9FF88CFE919999A525D1559097CB9C234CF13A21C7CF8146967D5DD9BF4C9
  929:d=1  hl=3 l= 128 prim: INTEGER           :6794047AC78C31C2B87625453BD11E3E55334901B2188B5C050B9EF0ED302551D9C4FEE6A2111CA8D07886A44A3BAB4AF010E1C27703B4EE3105CAAB2F6D5CE4FB5B69096FBC1CE5EB247B0387A3730EBED32685DE8FB009D9FDBE405B9520131B7BEE4C970D8AAD33F5D698E1A5302A48C1CEA2E76CC65AEEB6D9E738E37715
 1060:d=1  hl=3 l= 129 prim: INTEGER           :A767D0477775CC97DF8BECF37CC96B6FC9C1572C0EAD103D3C2E5A440BA1EC1F7ADF9E301EE7DC14555FD9009DCBE02906BF6BA03F7FF6E94063A88D0BDEBE54AE6B00CBC6CD608A68E949FEC4DCC32ADFA3299E35DDB32EEC24A828352AF9D6DFADC4BA4049415B2B92F8FED87DE14A8AE47922FB32814293C3186361B7E1C5
[29 Jan 2014 12:05] Sveta Smirnova
I was able to repeat it with Community binaries mysql-5.6.15-linux-glibc2.5-x86_64.tar.gz. Set to "Verified".
[2 Feb 2014 14:38] Viktor Štujber
If I'm right, the reason for this is quite silly:

// convert PEM file to DER x509 type
x509* PemToDer(FILE* file, CertType type, EncryptedInfo* info)
{
...
        strncpy(header, "-----BEGIN RSA PRIVATE KEY-----", sizeof(header));
        strncpy(footer, "-----END RSA PRIVATE KEY-----", sizeof(header));
...
}

This will not match DSA nor EC keys. Although all it does is strip the armoring, base64-decode the contents and feed it to x509 code - so there is no specific dependency on RSA here. The code should be made more flexible...
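
Added example (not part of the bug report, and not yaSSL or MySQL code): a Python check that classifies an unencrypted RSA key file by its DER content instead of its PEM label, and extracts the PKCS#1 key nested inside a PKCS#8 file, the same bytes `openssl asn1parse -strparse 22` shows earlier in this thread. The names `inspect_key`, `read_tlv`, `tlv` and `armor` and the sample key are constructed for illustration.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # DER body of OID rsaEncryption

def tlv(tag, body):
    """Encode one DER element (only used to build the constructed samples)."""
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos:pos + 2]  # ValueError if fewer than two bytes remain
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def inspect_key(pem_text):
    """Return (pem_label, der_format, pkcs1_der or None) for an unencrypted key."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, der = m.group(1), base64.b64decode("".join(m.group(2).split()))
    tag, start, _ = read_tlv(der, 0)                # outer SEQUENCE
    vtag, _, after_version = read_tlv(der, start)   # version INTEGER
    ftag, fstart, fend = read_tlv(der, after_version)
    if tag != 0x30 or vtag != 0x02:
        raise ValueError("not a private key structure")
    if ftag == 0x02:                                # modulus follows: bare RSAPrivateKey
        return label, "PKCS#1", der
    otag, ostart, oend = read_tlv(der, fstart)      # algorithm OID
    ktag, kstart, kend = read_tlv(der, fend)        # privateKey OCTET STRING
    if ftag != 0x30 or otag != 0x06 or ktag != 0x04:
        raise ValueError("neither PKCS#1 nor PKCS#8")
    if der[ostart:oend] != RSA_OID:
        return label, "PKCS#8 (not RSA)", None
    return label, "PKCS#8", der[kstart:kend]        # same bytes asn1parse -strparse shows

def armor(label, der):
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"

# Constructed sample: correct structure, placeholder integers, not a usable key.
SAMPLE_PKCS1 = tlv(0x30, tlv(0x02, b"\x00") + b"".join(tlv(0x02, bytes([i + 1]) * 70) for i in range(8)))
ALG_ID = tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))
SAMPLE_PKCS8 = tlv(0x30, tlv(0x02, b"\x00") + ALG_ID + tlv(0x04, SAMPLE_PKCS1))
```

For a real file, pass its text: `inspect_key(open(path).read())`. A file whose armor lines were renamed but whose body was left alone reports the label `RSA PRIVATE KEY` with content `PKCS#8`, which makes the label/content mismatch visible before the server is restarted.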
[4 Feb 2014 13:26] Daniël van Eeden
Simple test:
$ cat mysql-test/t/ssl_key_pkcs8.test
$ cat mysql-test/t/ssl_key_pkcs8-master.opt 
--loose-ssl-key=$MYSQL_TEST_DIR/std_data/server-key-pkcs8.pem
$ cat mysql-test/std_data/server-key-pkcs8.pem 
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

The server-key-pkcs8.pem file was generated with:
openssl pkcs8 -topk8 -nocrypt -in server-key.pem -out server-key-pkcs8.pem
[10 Oct 2014 9:40] Dave Kelly
See #59227.  Your info re: PKCS#1 vs. #8 explains the difference between the two formats, but apparently the bug remains.
[2 Jan 2016 12:07] Sascha Curth
This bug still exists in 5.5.46-0ubuntu0.14.04.2-log. Converting to pkcs1 works.

openssl rsa -in privkey.pem -out privkey1-pkcs1.pem
[14 Apr 2016 13:02] Tom Sommer
How is this not fixed for 2+ years?

Come on.
[29 Dec 2017 20:50] Daniël van Eeden
Related:
Bug #88865 	Add in ECC SSL Support
[15 Jan 15:53] Daniël van Eeden
I consider this fixed.

MySQL 5.7 works if linked against OpenSSL (not the default for Community Edition).
MySQL 8.0.4 is linked against OpenSSL by default.
YaSSL has been replaced with WolfSSL in 8.0.
[9 Jul 17:15] Paul Dubois
Posted by developer:
 
This is a yaSSL issue. yaSSL support is removed as of MySQL 5.6.46/5.7.28, so this bug is being closed with no action taken.
[19 Sep 11:37] Umesh Shastry
Bug #96945 marked as duplicate of this one
[20 Sep 2:38] Samson Lin
I am using 5.7.27.  The issue still exists.  I submitted a bug report and found that it is duplicated with this issue.

What is the production version release date on 5.7.28?  The latest version available from Oracle MySQL download site is 5.7.27.
[20 Sep 3:53] Samson Lin
I guess the release date of 5.7.28 should be at the end of Oct. :)  Hope so.