Client cannot connect to remote mysql-server when the latter is configured with ssl parameters using a public CA
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
mysql-8.0 (Ubuntu) | Expired | Undecided | Unassigned |
Bug Description
Ubuntu focal
mysql-server-8.0: 8.0.21-
in /etc/mysql/
ssl-ca=
ssl-cert=
ssl-key=
Those settings are read by the server:
# mysqld --verbose --help|grep ^ssl
ssl TRUE
ssl-ca /etc/ssl/
ssl-capath (No default value)
ssl-cert /etc/ssl/
ssl-key /etc/ssl/
Yet, they seem to have no effect:
# echo 'q' | sudo systemctl --no-pager --full status mysql
● mysql.service - MySQL Community Server
Loaded: loaded (/lib/systemd/
Active: active (running) since Thu 2020-08-06 15:56:12 CEST; 6min ago
Process: 93478 ExecStartPre=
Main PID: 93503 (mysqld)
Status: "Server is operational"
Tasks: 41 (limit: 9280)
Memory: 353.3M
CGroup: /system.
...
Aug 06 15:56:12 xxxxxxxxxxx mysqld[93503]: 2020-08-
I am aware that some default certificates/keys are always created at each server start:
# find /var/lib/mysql/ -name "*.pem"
/media/
/media/
/media/
/media/
/media/
/media/
/media/
/media/
However, the warning that "ca.pem is self signed" when another CA is configured seems to indicate that the latter is not used.
Also, testing the TLS connection with the mysql server across a network leads to an error (no such issue with other services running on the same host and using the same CA/wildcard certificate):
# openssl s_client -connect mysql.domain:3306 -msg -name $(hostname)
CONNECTED(00000003)
SSL_connect:before SSL initialization
>>> ??? [length 0005]
16 03 01 01 39
>>> TLS 1.3, Handshake [length 0139], ClientHello
01 00 01 35 03 03 19 56 93 29 3b c6 43 6d d9 15
79 99 9a aa 32 80 cc 6a df d8 03 23 ff 3d 8d 79
08 9a 15 e4 f8 f2 20 74 54 f0 92 51 0f 27 d2 9d
3d df fc bc 95 90 f1 0f 56 6b db 96 b2 4b 3b b4
1b df be a3 cc 23 5a 00 3e 13 02 13 03 13 01 c0
2c c0 30 00 9f cc a9 cc a8 cc aa c0 2b c0 2f 00
9e c0 24 c0 28 00 6b c0 23 c0 27 00 67 c0 0a c0
14 00 39 c0 09 c0 13 00 33 00 9d 00 9c 00 3d 00
3c 00 35 00 2f 00 ff 01 00 00 ae 00 00 00 16 00
14 00 00 11 6d 79 73 71 6c 2e 73 64 78 6c 69 76
65 2e 63 6f 6d 00 0b 00 04 03 00 01 02 00 0a 00
0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 23 00
00 00 05 00 05 01 00 00 00 00 00 16 00 00 00 17
00 00 00 0d 00 2a 00 28 04 03 05 03 06 03 08 07
08 08 08 09 08 0a 08 0b 08 04 08 05 08 06 04 01
05 01 06 01 03 03 03 01 03 02 04 02 05 02 06 02
00 2b 00 05 04 03 04 03 03 00 2d 00 02 01 01 00
33 00 26 00 24 00 1d 00 20 a4 a0 76 bb a9 bc b3
cc 33 82 8e 5a b8 45 ad 95 72 42 27 f9 c6 81 32
33 3b 35 25 ec 75 9a 1f 6a
SSL_connect:
<<< ??? [length 0005]
5b 00 00 00 0a
SSL_connect:error in error
139858538362176
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 318 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
information type: Private Security → Public Security
Changed in mysql-8.0 (Ubuntu):
status: Fix Released → New
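Added example (not code from the reporter, the Ubuntu maintainer or the MySQL project): the five bytes `5b 00 00 00 0a` the server sent back in the s_client trace above are not a TLS record. They are a MySQL packet header (payload length 0x5b = 91, sequence id 0) followed by the protocol version byte 10, i.e. the start of the server's HandshakeV10 greeting. MySQL negotiates TLS in-band: the client must read that greeting, answer with an SSLRequest packet carrying the CLIENT_SSL capability bit, and only then start the TLS handshake on the same socket, which is what `openssl s_client -starttls mysql` (OpenSSL 1.1.1) and `mysql --ssl-mode=VERIFY_IDENTITY` do. The Python below models that exchange: it parses a greeting, builds the SSLRequest, fails closed when the server does not advertise CLIENT_SSL (the plaintext-downgrade case), and in `probe_server_certificate` performs the switch against a live server and verifies the certificate against a CA file and the hostname. Function names are hypothetical, and the sample greeting is constructed from values visible on this page (server version 8.0.21-0ubuntu0.20.04.4, connection id 19, protocol version 10); it is not a capture, although it happens to come out at the same 91 bytes the trace's header announces.

```python
"""Model of MySQL's in-band TLS switch (HandshakeV10 -> SSLRequest -> TLS).

Added example for this bug page; not code from MySQL, Ubuntu or the reporter.
Helper names are hypothetical; the wire layout follows the MySQL
client/server protocol documentation.
"""
import socket
import ssl
import struct

# Capability flag bits from the MySQL client/server protocol.
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000
UTF8MB4_GENERAL_CI = 45  # character set id placed in the SSLRequest


class TlsNotOffered(Exception):
    """Greeting did not carry CLIENT_SSL; never continue in plaintext."""


def parse_header(header):
    """Split the 4-byte MySQL packet header into (payload_length, sequence_id)."""
    if len(header) != 4:
        raise ValueError("MySQL packet header is exactly 4 bytes")
    length = header[0] | (header[1] << 8) | (header[2] << 16)
    return length, header[3]


def parse_handshake_v10(payload):
    """Pull version, connection id and capability flags out of a server greeting."""
    if payload[0] != 0x0A:
        raise ValueError("not a HandshakeV10 greeting, first byte %#x" % payload[0])
    end = payload.index(b"\x00", 1)
    version = payload[1:end].decode("ascii")
    pos = end + 1
    (conn_id,) = struct.unpack_from("<I", payload, pos)
    pos += 4 + 8 + 1  # connection id, auth-plugin-data part 1, filler byte
    (cap_low,) = struct.unpack_from("<H", payload, pos)
    charset = payload[pos + 2]
    status, cap_high = struct.unpack_from("<HH", payload, pos + 3)
    caps = cap_low | (cap_high << 16)
    return {"server_version": version, "connection_id": conn_id,
            "capabilities": caps, "charset": charset, "status": status,
            "tls_offered": bool(caps & CLIENT_SSL)}


def build_ssl_request(server_caps, seq=1, max_packet=(1 << 24) - 1):
    """Build the SSLRequest packet (header + 32-byte payload).

    A client that goes on in plaintext when CLIENT_SSL is absent has been
    downgraded, so refuse instead of silently falling back.
    """
    if not server_caps & CLIENT_SSL:
        raise TlsNotOffered("server did not advertise CLIENT_SSL")
    client_caps = CLIENT_PROTOCOL_41 | CLIENT_SSL | CLIENT_SECURE_CONNECTION
    payload = struct.pack("<IIB", client_caps, max_packet, UTF8MB4_GENERAL_CI) + b"\x00" * 23
    header = struct.pack("<I", len(payload))[:3] + bytes([seq])
    return header + payload


def recv_exact(sock, n):
    # Read exactly n bytes; a short read means the peer closed on us.
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf


def probe_server_certificate(host, cafile, port=3306, timeout=5.0):
    """Connect, switch to TLS the MySQL way, return the verified peer certificate.

    The default context requires a chain to `cafile` and a name matching
    `host`, the same policy as mysql --ssl-mode=VERIFY_IDENTITY.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        length, seq = parse_header(recv_exact(raw, 4))
        greeting = parse_handshake_v10(recv_exact(raw, length))
        raw.sendall(build_ssl_request(greeting["capabilities"], seq=seq + 1))
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"server_version": greeting["server_version"],
                    "tls_version": tls.version(), "cert": tls.getpeercert()}


def sample_greeting(tls_enabled=True):
    """Constructed HandshakeV10 payload, not a capture: version string and
    connection id taken from the status output on this page, default 8.0
    auth plugin, 20 bytes of fixed auth-plugin data."""
    caps = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
    if tls_enabled:
        caps |= CLIENT_SSL
    return (b"\x0a" + b"8.0.21-0ubuntu0.20.04.4\x00"
            + struct.pack("<I", 19) + b"\x01" * 8 + b"\x00"
            + struct.pack("<H", caps & 0xFFFF) + bytes([255])
            + struct.pack("<HH", 2, caps >> 16) + bytes([21])
            + b"\x00" * 10 + b"\x02" * 13 + b"caching_sha2_password\x00")
```

Against a real server call `probe_server_certificate("mysql.domain", "/path/to/ca.pem")`: with the public CA correctly loaded by mysqld it returns the server version, the negotiated TLS version and the certificate; a chain or name mismatch raises `ssl.SSLCertVerificationError`, and a server that has TLS disabled raises `TlsNotOffered` instead of letting the session continue in the clear.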
Hello Jean,
Thank you for taking the time to file a bug report.
So, in a clean Focal installation, if I do:
""" mysql.conf. d/
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/
[mysql] /etc/mysql/ ssl/ca. pem /etc/mysql/ ssl/client- cert.pem /etc/mysql/ ssl/client- key.pem /etc/mysql/ ssl/
ssl-ca=
ssl-cert=
ssl-key=
ssl-capath=
[mysqld] /etc/mysql/ ssl/ca. pem /etc/mysql/ ssl/server- cert.pem /etc/mysql/ ssl/server- key.pem /etc/mysql/ ssl/
ssl-ca=
ssl-cert=
ssl-key=
ssl-capath=
"""
in my.cnf... I get:
2020-08-14T18:16:44.983214Z 0 [Warning] [MY-013414] [Server] Server SSL certificate doesn't verify: self signed certificate
2020-08-14T18:16:44.983499Z 0 [Warning] [MY-010068] [Server] CA certificate /etc/mysql/ssl/ca.pem is self signed.
2020-08-14T18:16:44.983822Z 0 [Warning] [MY-010068] [Server] CA certificate /etc/mysql/ssl//ca.pem is self signed.
2020-08-14T18:16:44.984106Z 0 [Warning] [MY-010068] [Server] CA certificate /etc/mysql/ssl//server-cert.pem is self signed.
2020-08-14T18:16:44.984412Z 0 [Warning] [MY-010068] [Server] CA certificate /etc/mysql/ssl//client-cert.pem is self signed.
2020-08-14T18:16:44.984777Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
in /var/log/mysql/error.log.
Meaning that my certificate is being used. When testing:
mysql> status
--------------
mysql  Ver 8.0.21-0ubuntu0.20.04.4 for Linux on x86_64 ((Ubuntu))

Connection id:          19
Current database:
Current user:           root@localhost
SSL:                    Cipher in use is TLS_AES_256_GCM_SHA384
Current pager:          less -R --chop-long-lines
Using outfile:          ''
Using delimiter:        ;
Server version:         8.0.21-0ubuntu0.20.04.4 (Ubuntu)
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    utf8mb4
Db     characterset:    utf8mb4
Client characterset:    utf8mb4
Conn.  characterset:    utf8mb4
UNIX socket:            /var/run/mysqld/mysqld.sock
Binary data as:         Hexadecimal
Uptime:                 7 min 57 sec
and all certificates were created using Example 1 of https://dev.mysql.com/doc/refman/5.7/en/creating-ssl-files-using-openssl.html.
Permissions are:
$ ls -lahR ssl
ssl:
total 40K
drwxr-x--- 2 mysql root 4.0K Aug 14 18:31 .
drwxr-xr-x 5 root root 4.0K Aug 14 17:40 ..
-rw------- 1 mysql root 1.7K Aug 14 18:29 ca-key.pem
-rw-r--r-- 1 mysql root 1.4K Aug 14 18:29 ca.pem
-rw-r--r-- 1 mysql root 1.2K Aug 14 18:29 client-cert.pem
-rw-r--r-- 1 mysql root 1.7K Aug 14 18:29 client-key.pem
-rw------- 1 mysql root 1001 Aug 14 18:29 client-req.pem
-rw------- 1 mysql root 1.2K Aug 14 18:29 server-cert.pem
-rw------- 1 mysql root 1.7K Aug 14 18:29 server-key.pem
-rw------- 1 mysql root 1001 Aug 14 18:29 server-req.pem
Note that some files are +r just so my user can read them when executing mysql client.
With all that said, could you point out where you think the bug is and/or a way to reproduce what you are facing?
Note: your openssl s_client command should change CA and verification paths to the place where you're placing the SSL certificates for mysql server. Nevertheless, it's much easier to simply test it using the mysql client using the same configuration changes as [mysqld] in my.cnf.
Since it seems likely to me that t...