Bug #94836 Support for sending intermediate certs to clients
Submitted: 29 Mar 2019 12:49
Modified: 2 Apr 2019 14:05
Reporter: Daniël van Eeden (OCA)
Status: Closed
Category: MySQL Server: Security: Encryption
Severity: S4 (Feature request)
Version: 8.0.16
OS: Any
Assigned to: Georgi Kodinov
CPU Architecture: Any
Tags: SSL, tls, X509

[29 Mar 2019 12:49] Daniël van Eeden
Description:
I think the server sends the certificate specified with --ssl-cert to the client when using SSL/TLS.
Then the client uses --ssl-ca and/or --ssl-ca-path to find a CA that *directly* signed the certificate provided by the server.
Let's not take client certs into account for now.

What I would like to have is this:
--ssl-cert=somecert.pem
--ssl-chain=one_or_more_intermediates.pem

Then the client uses the intermediates sent by the server to construct a full chain to the cert supplied by the server.

How to repeat:
Have a certificate that is indirectly signed by the CA used by the client.
[1 Apr 2019 6:01] MySQL Verification Team
Hello Daniël,

Thank you for the feature request!

regards,
Umesh
[1 Apr 2019 6:49] Georgi Kodinov
Daniel,
Do you have evidence that, if you put all the intermediaries in --ssl-ca, the chain is not sent?
[2 Apr 2019 14:05] Daniël van Eeden
After some more testing it looks like MySQL does the right thing by default. It does send the intermediate certificates. This is with OpenSSL.
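The way to settle the question raised in this thread is to look at what the server actually presents in its TLS handshake and check that the bundle links leaf to intermediate. The script below is an added example, not code from the bug report or from MySQL; it assumes the openssl CLI (1.1.1 or newer, which understands "-starttls mysql") is installed, and the host name and port in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not part of the bug report: inspect the certificate chain a
# MySQL server presents and check that the PEM bundle links up leaf ->
# intermediate(s). Assumes the openssl CLI (1.1.1+, which knows
# "-starttls mysql") is installed; host and port below are placeholders.

# fetch_chain HOST PORT: print every PEM certificate the server sends in its
# TLS handshake (leaf first, then whatever intermediates it includes).
fetch_chain() {
  openssl s_client -connect "$1:$2" -starttls mysql -showcerts </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# chain_links BUNDLE: BUNDLE holds the server certificate followed by its
# intermediates (the layout of a --ssl-cert file or of fetch_chain output).
# Checks that each certificate's issuer equals the subject of the next one,
# prints the number of certificates, and returns 0 only if every link holds.
chain_links() {
  bundle=$1
  dir=$(mktemp -d)
  # One file per certificate: cert-001 (leaf), cert-002, ...
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%03d", d, n) }
                   f { print > f }' "$bundle"
  count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle")
  rc=0
  i=1
  while [ "$i" -lt "$count" ]; do
    cur="$dir/$(printf 'cert-%03d' "$i")"
    nxt="$dir/$(printf 'cert-%03d' "$((i + 1))")"
    issuer=$(openssl x509 -in "$cur" -noout -issuer)
    subject=$(openssl x509 -in "$nxt" -noout -subject)
    # Strip the "issuer="/"subject=" labels so the two DNs compare directly.
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
      echo "link $i broken: $issuer does not match $subject" >&2
      rc=1
    fi
    i=$((i + 1))
  done
  rm -rf "$dir"
  echo "$count"
  return $rc
}

# Usage against a live server (placeholder host and port):
#   fetch_chain mysql.example.internal 3306 > presented.pem && chain_links presented.pem
```

If chain_links reports a single certificate, the server is sending only its leaf and the client must already hold the intermediate; two or more with intact links means the intermediates are being sent, which is what the final comment observed.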