Bug #84707 MySQL Shell fails to setup SSL connection with classic protocol
Submitted: 29 Jan 2017 11:36
Modified: 30 Jan 2017 8:30
Reporter: Daniël van Eeden (OCA)
Status: Verified
Category: MySQL Server: Document Store: MySQL Shell
Severity: S3 (Non-critical)
Version: 1.0.5
OS: Any
Assigned to:
CPU Architecture: Any
Tags: SSL, tls

[29 Jan 2017 11:36] Daniël van Eeden
Description:
mysql is able to set up a connection with the same credentials and SSL settings.
However, mysqlsh fails to set up an SSL connection.

mysqlsh is able to use SSL with the X Protocol (mysqlx, 33060), but not with the Classic protocol (mysql, 3306).

How to repeat:
$ mysql -u msandbox -pmsandbox -h 127.0.0.1 -P 5717 --ssl=1 --ssl-ca=data/ca.pem -e "show session status like '%ssl_cipher'";
mysql: [Warning] Using a password on the command line interface can be insecure.
WARNING: --ssl is deprecated and will be removed in a future version. Use --ssl-mode instead.
+-------------------+--------------------+
| Variable_name     | Value              |
+-------------------+--------------------+
| Mysqlx_ssl_cipher |                    |
| Ssl_cipher        | DHE-RSA-AES256-SHA |
+-------------------+--------------------+

$ mysqlsh -u msandbox --password=msandbox -h 127.0.0.1 --ssl=1 --ssl-ca=data/ca.pem --classic --sqlc -P 5717 -e "show session status like '%ssl_cipher'";
mysqlx: [Warning] Using a password on the command line interface can be insecure.
[ERROR] SSL error: Unable to get certificate from ''
MySQL Error (2026): SSL connection error: Unable to get certificate

$ mysqlsh -u msandbox --password=msandbox -h 127.0.0.1 --ssl=1 --classic --sqlc -P 5717 -e "show session status like '%ssl_cipher'";
mysqlx: [Warning] Using a password on the command line interface can be insecure.
+-------------------+-------+
| Variable_name     | Value |
+-------------------+-------+
| Mysqlx_ssl_cipher |       |
| Ssl_cipher        |       |
+-------------------+-------+

$ openssl verify -verbose -CAfile data/ca.pem data/server-cert.pem
data/server-cert.pem: OK

$ mysql -u msandbox -pmsandbox -h 127.0.0.1 -P 5717 --ssl-mode=VERIFY_CA --ssl-ca=data/ca.pem -e "show session status like '%ssl_cipher'";
mysql: [Warning] Using a password on the command line interface can be insecure.
+-------------------+--------------------+
| Variable_name     | Value              |
+-------------------+--------------------+
| Mysqlx_ssl_cipher |                    |
| Ssl_cipher        | DHE-RSA-AES256-SHA |
+-------------------+--------------------+
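
The third command in the report connects successfully but shows an empty `Ssl_cipher`, meaning the session is not encrypted. The following check is an added example, not part of the original report and not MySQL's own code: it parses the `show session status like '%ssl_cipher'` table and fails closed when no cipher was negotiated. The function names and sample strings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: detect a client session that connected without TLS.

# Read the tabular output of
#   show session status like '%ssl_cipher'
# on stdin and print the Ssl_cipher value (empty if blank or row missing).
# The name is matched exactly so Mysqlx_ssl_cipher is not mistaken for it.
ssl_cipher_from_status() {
    awk -F'|' '
        {
            name = $2; value = $3
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            if (name == "Ssl_cipher") { cipher = value }
        }
        END { print cipher }
    '
}

# Return 0 only when a non-empty Ssl_cipher was reported on stdin.
session_is_encrypted() {
    cipher=$(ssl_cipher_from_status)
    [ -n "$cipher" ]
}

# Constructed samples, shaped like the three outcomes in the report.
ENCRYPTED_SAMPLE='| Variable_name     | Value              |
| Mysqlx_ssl_cipher |                    |
| Ssl_cipher        | DHE-RSA-AES256-SHA |'
PLAINTEXT_SAMPLE='| Variable_name     | Value |
| Mysqlx_ssl_cipher |       |
| Ssl_cipher        |       |'
ERROR_SAMPLE='MySQL Error (2026): SSL connection error: Unable to get certificate'

# Demo over the constructed samples. In real use, pipe the client output in:
#   mysqlsh ... --classic --sqlc -e "show session status like '%ssl_cipher'" \
#     | session_is_encrypted || exit 1
for sample in "$ENCRYPTED_SAMPLE" "$PLAINTEXT_SAMPLE" "$ERROR_SAMPLE"; do
    if printf '%s\n' "$sample" | session_is_encrypted; then
        echo "encrypted"
    else
        echo "NOT encrypted"
    fi
done
```
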

[29 Jan 2017 11:40] Daniël van Eeden
mysqlsh is able to set up an SSL connection with the Classic protocol if I also specify --ssl-cert and --ssl-key. Those settings should be optional and should only be required if 'REQUIRE X509/SUBJECT/etc' is set for the account.

[30 Jan 2017 8:30] MySQL Verification Team
Hello Daniël,

Thank you for the report.
Verified as described.

Thanks,
Umesh