Bug #74864 mysqlbinlog ssl-ca option error
Submitted: 14 Nov 2014 11:28
Modified: 21 Jan 2015 16:44
Reporter: Daniël van Eeden (OCA)
Status: Closed
Category: MySQL Server: Command-line Clients
Severity: S3 (Non-critical)
Version: 5.6.20, 5.6.23
OS: Any
Assigned to:
CPU Architecture: Any
Tags: mysqlbinlog, SSL, ssl-ca, usability

[14 Nov 2014 11:28] Daniël van Eeden
Description:
mysqlbinlog doesn't handle the ssl-ca option as expected.

If I set this in /etc/my.cnf or ~/.my.cnf 
[client]
ssl-ca=/path/to/sslca.pem

Then mysqlbinlog stops working:
$ mysqlbinlog --help
mysqlbinlog: unknown variable 'ssl-ca=/path/to/ca-crt.pem'

Workaround (use loose prefix):
[client]
loose-ssl-ca=/path/to/sslca.pem

The SSL options are used for mysql, mysqladmin, mysqldump and many others; adding this for each client program is error-prone.

Related: Bug #70709

How to repeat:
Set ssl-ca in client section of the config and run mysqlbinlog 

Suggested fix:
Make sure common client options work for all clients.
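
Added example (not part of the original report and not MySQL's own code): a shell function that lists ssl-ca settings in the [client] group of an option file that lack the loose- prefix, which is the configuration the report shows breaking mysqlbinlog on the affected versions. The function name check_client_ssl_ca and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# check_client_ssl_ca FILE  (hypothetical helper, added example)
# Prints "FILE:LINE: setting" for every ssl-ca entry in the [client] group
# that is not written as loose-ssl-ca.
# Returns 1 if any were found, 0 if none, 2 if FILE is unreadable.
check_client_ssl_ca() {
    [ -r "$1" ] || return 2
    awk -v file="$1" '
        # Strip leading and trailing whitespace (and a trailing CR).
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        # Skip blank lines and comment lines (# or ;).
        /^$/ || /^[#;]/ { next }
        # Remember which option group we are in.
        /^\[.*\]$/ { group = $0; next }
        group == "[client]" {
            name = $0
            sub(/[ \t]*=.*/, "", name)   # keep the option name only
            gsub(/_/, "-", name)         # ssl_ca and ssl-ca are the same option
            if (name == "ssl-ca") {
                printf "%s:%d: %s\n", file, NR, $0
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample input: a strict ssl-ca under [client], plus a server-side
# ssl-ca under [mysqld] that must not be reported.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[client]
ssl-ca=/path/to/sslca.pem
[mysqld]
ssl-ca=/path/to/sslca.pem
EOF
check_client_ssl_ca "$sample" ||
    echo "strict ssl-ca in [client]: affected mysqlbinlog versions reject it"
rm -f "$sample"
```

The loose- prefix only turns the unknown-option error into a warning; a program that does not recognise ssl-ca still ignores the setting.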
[14 Nov 2014 13:53] Umesh Shastry
Hello Daniël,

Thank you for the report.

Thanks,
Umesh
[14 Nov 2014 13:55] Umesh Shastry
// 5.6.23

// cmd used for starting
/data/ushastry/server/mysql-advanced-5.6.23/scripts/mysql_install_db --basedir=/data/ushastry/server/mysql-advanced-5.6.23 --datadir=/tmp/bug --user=root
/data/ushastry/server/mysql-advanced-5.6.23/bin/mysqld --basedir=/data/ushastry/server/mysql-advanced-5.6.23 --datadir=/tmp/bug --core --socket=/tmp/mysql.sock  --port=3306 --log_bin=master-bin --server_id=1 --log-error=/tmp/bug/log.err --user=root 2>&1 &

[root@cluster-repo mysql-advanced-5.6.23]# bin/mysql -u root -p test
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.6.23-enterprise-commercial-advanced-log MySQL Enterprise Server - Advanced Edition (Commercial)

Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> flush logs;
Query OK, 0 rows affected (0.01 sec)

mysql> flush logs;
Query OK, 0 rows affected (0.01 sec)

mysql> \q
Bye
[root@cluster-repo mysql-advanced-5.6.23]#
[root@cluster-repo mysql-advanced-5.6.23]# ls -l /tmp/bug/master-bin.[0-9]*
-rw-rw---- 1 root root 168 Nov 16 20:59 /tmp/bug/master-bin.000001
-rw-rw---- 1 root root 168 Nov 16 20:59 /tmp/bug/master-bin.000002
-rw-rw---- 1 root root 120 Nov 16 20:59 /tmp/bug/master-bin.000003
[root@cluster-repo mysql-advanced-5.6.23]#

[root@cluster-repo mysql-advanced-5.6.23]# bin/mysqlbinlog /tmp/bug/master-bin.[0-9]*
bin/mysqlbinlog: unknown variable 'ssl-ca=/tmp/bug/ca.pem'
[root@cluster-repo mysql-advanced-5.6.23]#
[root@cluster-repo mysql-advanced-5.6.23]# bin/mysqlbinlog /tmp/bug/master-bin.[0-9]*
bin/mysqlbinlog: unknown variable 'ssl-ca=/tmp/bug/ca.pem'
[root@cluster-repo mysql-advanced-5.6.23]#
[root@cluster-repo mysql-advanced-5.6.23]# more ~root/.my.cnf
[client]
ssl-ca=/tmp/bug/ca.pem
[root@cluster-repo mysql-advanced-5.6.23]# bin/mysqlbinlog --help
bin/mysqlbinlog: unknown variable 'ssl-ca=/tmp/bug/ca.pem'
[root@cluster-repo mysql-advanced-5.6.23]#
[root@cluster-repo mysql-advanced-5.6.23]# more docs/INFO_SRC
revision-id: michael.izioumtchenko@oracle.com-20141106152508-nntohvuco3v1rjjx
date: 2014-11-06 16:25:08 +0100
build-date: 2014-11-06 18:00:43 +0100
revno: 6243
branch-nick: daily-5.6

MySQL source 5.6.23
[21 Jan 2015 16:44] David Moss
Thanks for your feedback. This was fixed in version 5.7.3, and the following text was added to the 5.7.3 release notes:
Previous versions of mysqlbinlog did not correctly accept the ssl-ca option in an option file. This fix ensures that this option can be correctly used. In earlier versions a workaround is to use the loose-ssl-ca option.
[19 Feb 2015 16:08] David Moss
Posted by developer:
 
This was covered in the release notes. Closing.
[27 Feb 2015 9:02] Christoph Mitasch
Will this also be fixed for the 5.6.X release?