Bug #84500 Ssl_server_not_after quirk in 5.6 not documented
Submitted: 13 Jan 2017 8:06
Modified: 14 Feb 2017 14:35
Reporter: Daniël van Eeden (OCA)
Status: Closed
Category: MySQL Server: Documentation
Severity: S3 (Non-critical)
Version: 5.6
OS: Any
Assigned to:
CPU Architecture: Any
Tags: SSL, tls

[13 Jan 2017 8:06] Daniël van Eeden
Page: https://dev.mysql.com/doc/refman/5.6/en/server-status-variables.html#statvar_Ssl_server_no...

Between 5.6.3-m5 and 5.7.8-rc this variable is only shown if connected via SSL.
Monitoring might connect over a UNIX socket and not use SSL, so it is important information.

Related commits:

commit 18ce7f96b21c2be1beb38e6835567e1780f2a6f5
Author: Georgi Kodinov <Georgi.Kodinov@Oracle.com>
Date:   Tue Mar 29 11:01:07 2011 +0300

    Bug #11764778: server feature request - expose ssl certificate details
      in show global st
    There was no easy way to get the expiration dates of the server's
    Implemented two session status variables (Ssl_server_not_before and
    Ssl_server_not_after) with the same scope as e.g. Ssl_verify_depth to
    return the two dates in a format similar to OpenSSL's ASN1_TIME_print.
    Since yaSSL doesn't preserve the parsed server certificate beyond
    reading it, the diff extends yaSSL to preserve it and return it
    through SSL_get_certificate().  Also fixed the storage of the
    certificate expiration dates to have the ASN1_TIME subtype.
    Implemented an yaSSL specific extension function
    yaSSL_ASN1_TIME_to_string() to return the string representation of the
    date in an ASN1_TIME  in a format similar to OpenSSL's format.
    Created a wrapper in MySQL to call either ASN1_TIME_print() or
    yaSSL_ASN1_TIME_to_string() depending on the library type.
    Did some type cleanups of some of the internal yaSSL functions.
    Test case added.

commit 1ffd2ad62219dd24a54542f8b98a1cd9be96fbb5
Author: Georgi Kodinov <georgi.kodinov@oracle.com>
Date:   Fri Mar 27 15:08:03 2015 +0200

    * Created a read-only SSL context to allow reading of the
      SSL attributes for the server SSL Context
    * Used the new read-only SSL context instead of the connected
      SSL context in Ssl_server_not_before/Ssl_server_not_after.
    * Test case added.
    * Fixed a non-unix line ending in ha_federated.cc

How to repeat:
Check the variables over a non-SSL and over an SSL connection.

Suggested fix:
Add note to the 5.6 documentation

[13 Jan 2017 8:07] Daniël van Eeden
added tags

[13 Jan 2017 8:22] MySQL Verification Team
Hello Daniël,

Thank you for the report and feedback!

[14 Feb 2017 14:35] Paul DuBois
Thank you for your bug report. This issue has been addressed in the documentation. The updated documentation will appear on our website shortly.
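
The monitoring concern raised in the report above, as an added example that is not part of the original bug thread or of MySQL's code: a check that treats a missing or empty Ssl_server_not_after on an unencrypted session as "no data" rather than as a healthy certificate. The function name, the state names, the sample rows, the use of Ssl_cipher to detect an unencrypted session, and the exact date layout (taken to match OpenSSL's ASN1_TIME_print) are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumption: values follow OpenSSL's ASN1_TIME_print layout,
# e.g. "Feb 14 14:35:00 2018 GMT" (day may be space-padded).
ASN1_PRINT_FORMAT = "%b %d %H:%M:%S %Y GMT"

# Constructed sample rows, shaped like SHOW STATUS LIKE 'Ssl%' output.
SOCKET_ROWS = [("Ssl_cipher", ""), ("Ssl_server_not_after", "")]
TLS_ROWS = [("Ssl_cipher", "DHE-RSA-AES256-SHA"),
            ("Ssl_server_not_after", "Feb 14 14:35:00 2018 GMT")]


def classify_cert_expiry(status_rows, now, warn_days=30):
    """Return (state, not_after) for the server certificate.

    state is OK, EXPIRING, EXPIRED, NO_DATA_PLAINTEXT_SESSION,
    NO_DATA or UNPARSEABLE. not_after is an aware UTC datetime or None.
    """
    values = {n.lower(): (v or "").strip() for n, v in status_rows}
    raw = values.get("ssl_server_not_after", "")
    if not raw:
        # Missing row and empty value are treated alike. An empty
        # Ssl_cipher means this session is not encrypted, which is the
        # case the report describes: reconnect over TLS to read the date
        # rather than treating "no value" as "no certificate problem".
        if not values.get("ssl_cipher"):
            return ("NO_DATA_PLAINTEXT_SESSION", None)
        return ("NO_DATA", None)
    try:
        parsed = datetime.strptime(raw, ASN1_PRINT_FORMAT)
    except ValueError:
        return ("UNPARSEABLE", None)
    not_after = parsed.replace(tzinfo=timezone.utc)
    if not_after <= now:
        return ("EXPIRED", not_after)
    if not_after - now <= timedelta(days=warn_days):
        return ("EXPIRING", not_after)
    return ("OK", not_after)


if __name__ == "__main__":
    report_time = datetime(2017, 1, 13, 8, 6, tzinfo=timezone.utc)
    for label, rows in (("socket", SOCKET_ROWS), ("tls", TLS_ROWS)):
        print(label, classify_cert_expiry(rows, report_time))
```

An alerting rule built on this should page on NO_DATA_PLAINTEXT_SESSION as a monitoring gap, not suppress it.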