Bug #80335 | "SSL context is not usable without certificate and private key" in 5.7.11 | ||
---|---|---|---|
Submitted: | 11 Feb 2016 7:42 | Modified: | 10 Mar 2016 13:43 |
Reporter: | Roel Van de Paar | Email Updates: | |
Status: | Not a Bug | Impact on me: | |
Category: | MySQL Server: Connection Handling | Severity: | S1 (Critical) |
Version: | 5.7.10, 5.7.11 | OS: | Any |
Assigned to: | | CPU Architecture: | Any |
Tags: | SSL |
[11 Feb 2016 7:42]
Roel Van de Paar
[12 Feb 2016 0:19]
Roel Van de Paar
Some info here; http://dev.mysql.com/doc/refman/5.7/en/secure-connections.html
[12 Feb 2016 0:21]
Roel Van de Paar
And here: http://dev.mysql.com/doc/refman/5.7/en/mysql-ssl-rsa-setup.html
[18 Feb 2016 13:37]
Georgi Kodinov
Roel, looks like you've found the RefMan page that answers your questions around self-signing. But the different error you're getting with 5.7.11 is interesting. Can you please provide more detailed steps to reproduce this?
[18 Feb 2016 13:38]
Georgi Kodinov
And, when this happens, are you still able to open up a SSL connection to that server or not?
[19 Feb 2016 1:12]
Roel Van de Paar
The credit for finding the warning goes to Vadim Tkachenko. I tested on my end too. The warning is VERY easy to generate. Simply get 5.7.11 from standard Linux generic tarball x64 download and start it up.

1) wget http://dev.mysql.com/get/Downloads/MySQL-5.7/mysql-5.7.11-linux-glibc2.5-x86_64.tar.gz
2) untar
3) Make a startup script. To do so easily, just do;

```
cd ~
git clone https://github.com/Percona-QA/percona-qa.git
cd <your_untarred_dir>
~/percona-qa/startup.sh 0
./start
./cl  # check server is up
vi log/master.err
```

Observe error:

```
2016-02-19T00:57:13.985715Z 0 [Warning] Failed to set up SSL because of the following SSL library error: SSL context is not usable without certificate and private key
```
[19 Feb 2016 1:14]
Roel Van de Paar
Did not verify SSL connectivity further.
[19 Feb 2016 1:16]
Roel Van de Paar
```
[roel@localhost mysql-5.7.11-linux-glibc2.5-x86_64]$ /sda/mysql-5.7.11-linux-glibc2.5-x86_64/bin/mysql -A -uroot --ssl-mode=VERIFY_IDENTITY -S/sda/mysql-5.7.11-linux-glibc2.5-x86_64/socket.sock test
ERROR 2026 (HY000): SSL connection error: SSL is required but the server doesn't support it
```
[1 Mar 2016 6:35]
MySQL Verification Team
Thank you for the details. With above steps:

```
2016-03-01T06:30:50.822865Z 0 [Warning] Failed to set up SSL because of the following SSL library error: SSL context is not usable without certificate and private key
--
[umshastr@hod03]/export/umesh/server/binaries/mysql-5.7.11: bin/mysql -uroot -S/tmp/mysql_ushastry.sock --ssl-mode=VERIFY_IDENTITY
ERROR 2026 (HY000): SSL connection error: SSL is required but the server doesn't support it
```
[10 Mar 2016 13:43]
Georgi Kodinov
Posted by developer:

IMHO this is not a bug. We typically don't debug 3rd party scripts, but I've looked at https://github.com/Percona-QA/percona-qa/blob/master/startup.sh out of curiosity.

http://dev.mysql.com/doc/refman/5.7/en/data-directory-initialization.html says:

"
If you want the server to be able to deploy with automatic support for secure connections, use the mysql_ssl_rsa_setup utility to create default SSL and RSA files:

shell> mysql_ssl_rsa_setup

For more information, see Section 4.4.5, “mysql_ssl_rsa_setup — Create SSL/RSA Files”.
"

Only the MySQL enterprise edition server will create the certificates for you at --initialize time.
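
The condition discussed in this thread can be checked before clients start failing with ERROR 2026. The script below is an added example, not part of the bug report and not MySQL's or Percona's code: it reports whether a data directory holds the SSL files the server needs, whether the server key is private, and whether the error log carries the warning quoted above. It assumes no `--ssl-*` options are set, so the default file names `ca.pem`, `server-cert.pem` and `server-key.pem` in the data directory apply; the function names and status strings are made up for this example.

```shell
#!/bin/sh
# Added example: TLS readiness check for a MySQL 5.7 data directory.
# Assumption: no --ssl-ca/--ssl-cert/--ssl-key options are set, so mysqld
# looks for these default file names in the data directory.
SSL_FILES="ca.pem server-cert.pem server-key.pem"

# Print each missing or empty file; return 0 only when all are present.
missing_ssl_files() {
    rc=0
    for f in $SSL_FILES; do
        if [ ! -s "$1/$f" ]; then echo "$f"; rc=1; fi
    done
    return $rc
}

# Return 0 when server-key.pem grants nothing to group or others.
key_is_private() {
    [ -f "$1/server-key.pem" ] || return 1
    case $(ls -lL "$1/server-key.pem") in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the error log holds the warning quoted in this report.
log_has_ssl_warning() {
    grep -q 'Failed to set up SSL because of the following SSL library error' "$1"
}

# Print one status: ok, missing-files or key-permissions, with
# ",warning-logged" appended when the error log shows the warning.
check_tls_ready() {
    status=ok
    missing_ssl_files "$1" >/dev/null || status=missing-files
    if [ "$status" = ok ] && ! key_is_private "$1"; then status=key-permissions; fi
    if [ -f "$2" ] && log_has_ssl_warning "$2"; then status="$status,warning-logged"; fi
    echo "$status"
}

# Demo on constructed input: an empty data directory plus the log line from the report.
demo() {
    d=$(mktemp -d)
    echo '2016-02-19T00:57:13.985715Z 0 [Warning] Failed to set up SSL because of the following SSL library error: SSL context is not usable without certificate and private key' > "$d/master.err"
    check_tls_ready "$d" "$d/master.err"
    rm -rf "$d"
}

if [ "$#" -eq 2 ]; then check_tls_ready "$1" "$2"; else demo; fi
```

Run it as `sh check.sh <datadir> <error-log>`; a `missing-files` result is the state in which `mysql_ssl_rsa_setup` has not yet been run against that data directory.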