Bug #96390 MySQL support for ED25519 certificates
Submitted: 1 Aug 2019 0:07 Modified: 13 Sep 2019 6:58
Reporter: Shravan Rajinikanth Email Updates:
Status: No Feedback Impact on me:
None 
Category:MySQL Server: Security: Encryption Severity:S3 (Non-critical)
Version:8.0 OS:Debian
Assigned to: Assigned Account CPU Architecture:Any

[1 Aug 2019 0:07] Shravan Rajinikanth 
Description:
I recently tried using ED25519 certs for SSL but repeatedly received an "Unhandled Exception: MySql.Data.MySqlClient.MySqlException: SSL Connection error. ---> System.Exception: The certificate authority (CA) does not match." error.

Does MySQL Server 8.0 support ED25519 certificates for SSL? I was unable to find information about this in the docs. If it does, does Connector/NET too? If not, is such a feature planned?

How to repeat:
1. Create ED25519 CA, server, and client certs using openssl.
2. Configure them on the server and client side connection string.
3. Attempt to connect.
[2 Aug 2019 13:27] MySQL Verification Team 
Hi,

It is not something MySQL handles directly, it's a job for a library handling SSL. MySQL works with openssl and yassl (wolfssl these days) and it's up to them to support or not different cert types. OpenSSL does not support it yet ( there is a feature request for it: https://github.com/openssl/openssl/issues/487 ) and yassl/wolfssl from what I know do support ED25519 but I personally never tried.

Lemme check if/how it works with yassl.
[4 Aug 2019 4:14] Shravan Rajinikanth 
Hey Bogdan, thanks for the update. I believe OpenSSL supports ED25519 (see comment https://github.com/openssl/openssl/issues/487#issuecomment-356433277 on the link you provided). I'm also able to generate ED25519 certs on OpenSSL just fine. However, I'm not sure of the other libraries. Could you tell me which libraries are used on which platforms?
[4 Aug 2019 10:52] Shravan Rajinikanth 
I tried replacing the RSA certificates in my working SSL configuration with ED25519 ones. The error returned by the client is ERROR 2026 (HY000): SSL connection error: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure. Since OpenSSL supports ED25519 (from my previous message), shouldn't it work on MySQL too?
[13 Aug 2019 6:58] MySQL Verification Team 
Hi,

The general linux binary 8.0.15 is build with openssl, and from what I see a version that does not support ED25519. 

 bin]$ nm mysqld | grep -i openssl
                 U OPENSSL_add_all_algorithms_noconf
00000000022c9090 t _ZL12openssl_lockiP20CRYPTO_dynlock_valuePKci
0000000000c31a40 t _ZL15my_openssl_freePv
00000000033cd5c0 d _ZL15openssl_rwlocks
0000000003697f20 b _ZL16openssl_stdlocks
00000000035a3ba0 b _ZL16Sys_have_openssl
0000000000c303d0 t _ZL17my_openssl_mallocm
0000000003585078 b _ZL18key_memory_openssl
0000000003697f28 b _ZL18key_rwlock_openssl
0000000000c30490 t _ZL18my_openssl_reallocPvm
00000000022c9030 t _ZL19openssl_id_functionv
00000000022c9230 t _ZL21openssl_lock_functioniiPKci
00000000022c9040 t _ZL22openssl_dynlock_createPKci
00000000022c92b0 t _ZL23openssl_dynlock_destroyP20CRYPTO_dynlock_valuePKci
0000000003354c40 d _ZZL8init_sslvE18all_openssl_memory
 bin]$ nm mysqld | grep -i wolf
 bin]$ nm mysqld | grep -i 25519
 bin]$ nm mysqld | grep -i yassl
 bin]$

you can build your own binary with newer openssl or yassl 
https://dev.mysql.com/doc/refman/8.0/en/source-ssl-library-configuration.html

Now with regards to your original question, I checked and mysqld itself is only handling RSA and ED25519 will not work out of the box. 

all best
bogdan
[14 Sep 2019 1:00] Bugs System 
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".