Bug #76778 SSL and RSA key material expiration should be extended
Submitted: 21 Apr 2015 16:28
Modified: 11 May 2015 17:31
Reporter: Todd Farmer (OCA)
Status: Closed
Category: MySQL Server: Security: Encryption
Severity: S3 (Non-critical)
Version: 5.7.7
OS: Any
Assigned to:
CPU Architecture: Any

[21 Apr 2015 16:28] Todd Farmer
Description:
With OpenSSL-linked binaries, mysqld creates missing SSL and RSA key material by default.  Unlike the mysql_ssl_rsa_setup program, though, the expiration date is set to one year in the future, instead of 10 (SSL/TLS material) or never expire (RSA).  This should be modified to produce consistent - and extended - expiration dates.

How to repeat:
Start OpenSSL-linked MySQL 5.7 binary, note expiration date of auto-generated key material.

Suggested fix:
* Create SSL/TLS key material with 10 year expiration
* Create RSA key material without expiration

[11 May 2015 17:31] Paul DuBois
Noted in 5.7.8, 5.8.0 changelogs.

Previously, SSL files created automatically by the server were valid
for one year. The validity period has been extended to ten years (the
same as SSL files created by mysql_ssl_rsa_setup).
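
To see which validity period the certificates in a data directory carry, the following added example (not part of the bug report and not MySQL's own code) reads each certificate's notBefore/notAfter dates and flags those issued for about one year. It assumes OpenSSL and GNU `date` are installed; the file names `ca.pem`, `server-cert.pem` and `client-cert.pem` are MySQL's default names for auto-generated certificates and are not stated on this page, and the data directory path is supplied by the caller.

```shell
#!/bin/sh
# Added example: audit the validity period of auto-generated server certificates.
# Assumptions: openssl and GNU date on PATH; default MySQL certificate file names.

# Print the validity period (notAfter - notBefore) of a PEM certificate in whole days.
cert_validity_days() (
    start=$(openssl x509 -in "$1" -noout -startdate 2>/dev/null) || exit 1
    end=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null) || exit 1
    start=$(date -u -d "${start#notBefore=}" +%s) || exit 1
    end=$(date -u -d "${end#notAfter=}" +%s) || exit 1
    echo $(( (end - start) / 86400 ))
)

# Print "one-year" for certificates issued for at most 366 days, else "extended".
validity_class() (
    days=$(cert_validity_days "$1") || exit 1
    if [ "$days" -le 366 ]; then echo one-year; else echo extended; fi
)

# Report every certificate found in the directory.
# Exit status: 0 = no one-year certificates, 1 = at least one, 2 = unreadable file.
audit_datadir() (
    rc=0
    for f in ca.pem server-cert.pem client-cert.pem; do
        [ -f "$1/$f" ] || continue
        days=$(cert_validity_days "$1/$f") || { echo "$f: unreadable"; rc=2; continue; }
        expires=$(openssl x509 -in "$1/$f" -noout -enddate)
        if [ "$days" -le 366 ]; then
            echo "$f: valid for $days days, ${expires} (one-year certificate)"
            [ "$rc" -eq 2 ] || rc=1
        else
            echo "$f: valid for $days days, ${expires}"
        fi
    done
    exit "$rc"
)

# Usage: sh audit.sh /path/to/datadir
if [ "$#" -gt 0 ]; then
    audit_datadir "$1"
fi
```

A non-zero exit status makes the script usable as a monitoring check, so one-year certificates left over from an older server version are found before they expire.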