Description:
During release testing of 5.7.9, while verifying client compatibility, the following was observed:
when an SSL user (created with REQUIRE SSL) tries to connect via socket with only --ssl-ca=cacert.pem and without ssl=1 (--ssl), the connection fails with ERROR 1045 (Access denied).
How to repeat:
Start the server from the tar.gz package after creating the database.
Starting the server:
./mysqld -uroot --datadir=/export/home/tmp/ramana/5.7.9_gpl/mysql/bin/data --basedir=/export/home/tmp/ramana/5.7.9_gpl/mysql/ --port=3306
--loose-sha256_password_private_key_path=/export/home/tmp/ramana/5.7.9_gpl/mysql/bin/rsa_private_key.pem
--loose-sha256_password_public_key_path=/export/home/tmp/ramana/5.7.9_gpl/mysql/bin/rsa_public_key.pem --old_passwords=2
--ssl-ca=/export/home/tmp/ramana/5.7.9_gpl/mysql/bin/cacert.pem --ssl-cert=/export/home/tmp/ramana/5.7.9_gpl/mysql/bin/server-cert.pem
--ssl-key=/export/home/tmp/ramana/5.7.9_gpl/mysql/bin/server-key.pem --gdb &
Create the SSL user and the sha256_password user using the 5.7.9 client:
create user ramana@localhost identified by 'ramana' require SSL;
grant all on *.* to ramana@localhost;
create user 'sha'@'localhost' IDENTIFIED WITH 'sha256_password';
SET PASSWORD FOR 'sha'@'localhost'=PASSWORD('sha');
export SSL=/export/home/tmp/ramana/5.7.9_gpl/mysql/bin
[lroot@vitro77 clients]# ./mysql-5.7.9-linux-glibc2.5-x86_64 -uramana -pramana --ssl-ca=$SSL/cacert.pem -e "select user(),current_user();"
mysql-5.7.9-linux-glibc2.5-x86_64: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'ramana'@'localhost' (using password: YES)
[lroot@vitro77 clients]# ./mysql-advanced-5.7.9-linux-glibc2.5-x86_64 -uramana -pramana --ssl-ca=$SSL/cacert.pem -e "select user(),current_user();"
mysql-advanced-5.7.9-linux-glibc2.5-x86_64: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'ramana'@'localhost' (using password: YES)
Now observe that the connection succeeds when either --protocol=TCP or --ssl is added to the same command:
[lroot@vitro77 clients]# ./mysql-5.7.9-linux-glibc2.5-x86_64 -uramana -pramana --protocol=TCP --ssl-ca=$SSL/cacert.pem -e "select user(),current_user();"
mysql-5.7.9-linux-glibc2.5-x86_64: [Warning] Using a password on the command line interface can be insecure.
+------------------+------------------+
| user() | current_user() |
+------------------+------------------+
| ramana@localhost | ramana@localhost |
+------------------+------------------+
[lroot@vitro77 clients]# ./mysql-5.7.9-linux-glibc2.5-x86_64 -uramana -pramana --ssl --ssl-ca=$SSL/cacert.pem -e "select user(),current_user();"
mysql-5.7.9-linux-glibc2.5-x86_64: [Warning] Using a password on the command line interface can be insecure.
+------------------+------------------+
| user() | current_user() |
+------------------+------------------+
| ramana@localhost | ramana@localhost |
+------------------+------------------+
[lroot@vitro77 clients]# ./mysql-advanced-5.7.9-linux-glibc2.5-x86_64 -uramana -pramana --ssl --ssl-ca=$SSL/cacert.pem -e "select user(),current_user();"
mysql-advanced-5.7.9-linux-glibc2.5-x86_64: [Warning] Using a password on the command line interface can be insecure.
+------------------+------------------+
| user() | current_user() |
+------------------+------------------+
| ramana@localhost | ramana@localhost |
+------------------+------------------+
[lroot@vitro77 clients]# ./mysql-advanced-5.7.9-linux-glibc2.5-x86_64 -uramana -pramana --protocol=TCP --ssl-ca=$SSL/cacert.pem -e "select user(),current_user();"
mysql-advanced-5.7.9-linux-glibc2.5-x86_64: [Warning] Using a password on the command line interface can be insecure.
+------------------+------------------+
| user() | current_user() |
+------------------+------------------+
| ramana@localhost | ramana@localhost |
+------------------+------------------+
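The same problem is observed for the sha256_password user, but only against the community server; against the commercial server the same command succeeds: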
*with commercial server*
./mysql-advanced-5.7.9-linux-glibc2.5-i686 -usha -psha --ssl-ca=/locate/5.7.9_enterprise/mysql/bin/cacert.pem
mysql-advanced-5.7.9-linux-glibc2.5-i686: [Warning] Using a password on the command line interface can be insecure.
user() current_user()
sha@localhost sha@localhost
./mysql-advanced-5.7.9-linux-glibc2.5-x86_64 -usha -psha --ssl-ca=/locate/5.7.9_enterprise/mysql/bin/cacert.pem
mysql-advanced-5.7.9-linux-glibc2.5-x86_64: [Warning] Using a password on the command line interface can be insecure.
user() current_user()
sha@localhost sha@localhost
*with community server*
./mysql-advanced-5.7.9-linux-glibc2.5-i686 -usha -psha --ssl-ca=/locate/5.7.9_gpl/mysql/bin/cacert.pem
mysql-advanced-5.7.9-linux-glibc2.5-i686: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'sha'@'localhost' (using password: YES)
./mysql-advanced-5.7.9-linux-glibc2.5-x86_64 -usha -psha --ssl-ca=/locate/5.7.9_gpl/mysql/bin/cacert.pem
mysql-advanced-5.7.9-linux-glibc2.5-x86_64: [Warning] Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'sha'@'localhost' (using password: YES)