Bug #77078 --ssl-cipher option causes SSL initialization failure
Submitted: 18 May 2015 21:23    Modified: 23 Jun 2015 16:20
Reporter: Todd Farmer (OCA)
Status: Closed
Category: MySQL Server: Security: Encryption    Severity: S3 (Non-critical)
Version: 5.7.8    OS: Any
Assigned to:    CPU Architecture: Any

[18 May 2015 21:23] Todd Farmer
When starting MySQL Server with the --ssl-cipher option to limit the ciphersuites accepted, the auto-generation of SSL certs is skipped:

2015-05-18T21:15:00.819422Z 0 [Note] Skipping generation of SSL certificates as options related to SSL are specified.

--ssl-cipher should not trigger bypassing the generation process.

More problematic, it seems to also skip loading the pre-existing key material present in the datadir, forcing users to explicitly define --ssl-ca, --ssl-cert and --ssl-key.  This should not happen - no key material location was defined, and the existing default key material should be used.

How to repeat:
1.  Start OpenSSL-linked MySQL Server normally, allowing key material to be auto-generated.
2.  Connect to MySQL Server, issue STATUS and copy the SSL cipher being used.
3.  Shut down MySQL Server.
4.  Start the MySQL Server with --ssl-cipher=[copied cipher from #2].
5.  Observe that MySQL Server cannot support SSL connections.
6.  Shut down MySQL Server.
7.  Remove ca.pem, server-cert.pem and server-key.pem from datadir.
8.  Start MySQL Server with --ssl-cipher=[copied cipher from #2].
9.  Observe that MySQL Server does not auto-generate SSL key material.

Suggested fix:
1.  Do not skip auto-generation of key material when --ssl-cipher is explicitly defined.
2.  Load SSL key material from default locations when --ssl-cipher is explicitly defined, if no alternate paths to SSL key material are provided.
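As an added example (not code from the bug report or from the MySQL source), the following Python models the startup decision the report describes, side by side with the suggested fix, and adds a check an operator can run over mysqld's error log to catch a server that silently came up without SSL. The set of options treated as "key material", the cipher name and the second log line are assumptions constructed for the example.

```python
import re

# Options that name key material; per the suggested fix, only these should
# suppress auto-generation (assumed set based on the report, not MySQL source).
KEY_MATERIAL_OPTIONS = {"ssl-ca", "ssl-cert", "ssl-key"}
# Options that only tune the TLS session and say nothing about where keys live.
TUNING_ONLY_OPTIONS = {"ssl-cipher"}
# The note mysqld writes when it decides not to generate certificates.
SKIP_NOTE = "Skipping generation of SSL certificates as options related to SSL are specified."

def parse_ssl_options(argv):
    """Return the set of --ssl-* option names present on a mysqld command line."""
    found = set()
    for arg in argv:
        m = re.match(r"--(ssl-[a-z]+)(?:=.*)?$", arg)
        if m:
            found.add(m.group(1))
    return found

def skips_autogeneration_reported(ssl_opts):
    """Behaviour the report describes: any --ssl-* option suppresses auto-generation."""
    return bool(ssl_opts & (KEY_MATERIAL_OPTIONS | TUNING_ONLY_OPTIONS))

def skips_autogeneration_fixed(ssl_opts):
    """Suggested fix: skip only when the operator pointed at key material explicitly."""
    return bool(ssl_opts & KEY_MATERIAL_OPTIONS)

def audit_startup(argv, error_log):
    """Return a finding when auto-generation was skipped without any key-material path, else None."""
    ssl_opts = parse_ssl_options(argv)
    skipped = any(SKIP_NOTE in line for line in error_log)
    if skipped and not (ssl_opts & KEY_MATERIAL_OPTIONS):
        given = ", ".join(sorted(ssl_opts)) or "no SSL options"
        return ("certificate auto-generation skipped although only %s given; "
                "SSL is probably unavailable: verify with SHOW STATUS LIKE 'Ssl_cipher' "
                "and pass --ssl-ca/--ssl-cert/--ssl-key explicitly as a workaround" % given)
    return None

# Constructed sample: the report's log note plus a made-up cipher name and second line.
SAMPLE_ARGV = ["mysqld", "--datadir=/var/lib/mysql", "--ssl-cipher=DHE-RSA-AES256-SHA"]
SAMPLE_LOG = [
    "2015-05-18T21:15:00.819422Z 0 [Note] " + SKIP_NOTE,
    "2015-05-18T21:15:00.901000Z 0 [Note] Server socket created on IP: '::'.",
]

if __name__ == "__main__":
    print(audit_startup(SAMPLE_ARGV, SAMPLE_LOG))
```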

[23 Jun 2015 16:20] Paul Dubois
Noted in 5.7.8, 5.8.0 changelogs.

If the server was started with the --ssl-cipher option,
autogeneration and autodetection of SSL certificates did not work.