Bug #76919 Let mysql_ssl_rsa_setup generate the server and client config
Submitted: 3 May 2015 11:31 Modified: 17 Jul 2015 13:03
Reporter: Daniël van Eeden (OCA)
Status: Verified
Category: MySQL Server: Command-line Clients Severity: S4 (Feature request)
Version: 5.7.7-rc OS: Any
Assigned to: CPU Architecture: Any
Tags: usability

[3 May 2015 11:31] Daniël van Eeden
If you use mysql_ssl_rsa_setup to generate ssl and rsa files in a directory different than the datadir (which can be more secure) then some configuration is needed before the client and server will pick up the config.

How to repeat:
Generate ssl and rsa files in a non-default location with mysql_ssl_rsa_setup.

Suggested fix:
This is what https://github.com/dveeden/mysslgen does:

Please add/change these settings in /etc/mysql/my.cnf:
ssl-ca = /tmp/sampledir/CAcert.pem
ssl-cert = /tmp/sampledir/server-cert.pem
ssl-key = /tmp/sampledir/server-key.pem
After setting these you need to restart MySQL to activate these settings

The client setup: (Place in ~/.my.cnf or your global config)
ssl-ca = /tmp/sampledir/CAcert.pem
ssl-cert = /tmp/sampledir/client-cert.pem
ssl-key = /tmp/sampledir/client-key.pem

Don't forget to specify REQUIRE SSL or REQUIRE X509 (if you want to force SSL for a user.
See also: http://dev.mysql.com/doc/refman/5.7/en/grant.html

The '/tmp/sampledir' is the actual directory specified as argument, so the user only needs to copy/paste this information.

Please note that mysslgen doesn't do anything for rsa keys and mysql_ssl_rsa_setup does, so these should also be taken into account.
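
A sketch of the requested behaviour, added here as an example and not part of the original report, mysslgen, or MySQL: a shell function that prints the server and client settings for a key directory, including the RSA key paths the report says should be covered. The function name `emit_mysql_tls_config` is hypothetical; the file names are the ones mysql_ssl_rsa_setup writes, and the RSA settings use the server's `sha256_password_*_key_path` options.

```shell
#!/bin/sh
# Added example (not mysslgen or MySQL code). emit_mysql_tls_config is a
# hypothetical helper; the file names are the ones mysql_ssl_rsa_setup writes.
emit_mysql_tls_config() {
    dir=$1
    # my.cnf paths must not depend on the server's working directory.
    case $dir in
        /*) ;;
        *) echo "error: '$dir' is not an absolute path" >&2; return 2 ;;
    esac
    # Print nothing unless every file the config references exists.
    for f in ca.pem server-cert.pem server-key.pem client-cert.pem \
             client-key.pem private_key.pem public_key.pem; do
        if [ ! -f "$dir/$f" ]; then
            echo "error: missing $dir/$f" >&2
            return 1
        fi
    done
    # Warn when a private key is readable by group or others.
    for k in server-key.pem client-key.pem private_key.pem; do
        if [ -n "$(find "$dir/$k" \( -perm -040 -o -perm -004 \))" ]; then
            echo "warning: $dir/$k is readable by group/other" >&2
        fi
    done
    cat <<EOF
# Server: merge into my.cnf, then restart MySQL
[mysqld]
ssl-ca = $dir/ca.pem
ssl-cert = $dir/server-cert.pem
ssl-key = $dir/server-key.pem
sha256_password_private_key_path = $dir/private_key.pem
sha256_password_public_key_path = $dir/public_key.pem

# Client: merge into ~/.my.cnf or the global config
[client]
ssl-ca = $dir/ca.pem
ssl-cert = $dir/client-cert.pem
ssl-key = $dir/client-key.pem
EOF
}

# Usage: sh thisfile.sh /path/to/keydir
if [ "$#" -gt 0 ]; then emit_mysql_tls_config "$1"; fi
```
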
[17 Jul 2015 13:03] Georgi Kodinov
Thank you for your reasonable feature request!