Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Incomplete
-
5.5.33a
-
None
-
None
-
Linux 3.5.2 and Windows XP
Description
Summery, you can connect to the server from a linux box with the CA public key but not from an XP box using the same Certs.
I generated these certs with TinyCA and exported the client and server certs with both the cert and key in one file. These files end with both.pem. The seperate cert and key files end with cert.pem, and key.pem respectivly.
The Server set up:
mysqld -V
|
mysqld Ver 5.5.33a-MariaDB-1~squeeze-log for debian-linux-gnu on i686 (mariadb.org binary distribution)
|
my.cnf Excerpt:
# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
|
#
|
# ssl
|
ssl-ca=/etc/mysql/ssl/CA-cert.pem
|
ssl-cert=/etc/mysql/ssl/mysqld.something.else-both.pem
|
If you verify the keys with openssl they are fine:
openssl verify -CAfile CA-cert.pem client-cert.pem mysqld.something.else-both.pem
|
client-cert.pem: OK
|
mysqld.something.else-both.pem: OK
|
In another bug report you ask for examples of it not working when it passes this test; Here ya go. 
On the linux client machine everything just works:
mysql -V
|
mysql Ver 15.1 Distrib 5.5.33a-MariaDB, for debian-linux-gnu (i686) using readline 5.1
|
|
|
mysql -h eugeneweb.com --ssl-ca=CA-cert.pem --ssl-cert=client-both.pem
|
|
|
mysql -h eugeneweb.com --ssl-ca=CA-cert.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem
|
|
|
mysql -h eugeneweb.com --ssl-ca=CA-cert.pem
|
|
|
mysql -h eugeneweb.com --ssl-cert=client-both.pem
|
|
|
mysql -h eugeneweb.com --ssl-cert=client-cert.pem --ssl-key=client-key.pem
|
All these connections were tested for SSL like so:
MariaDB [(none)]> show status like 'Ssl_cipher';
|
+---------------+--------------------+
|
| Variable_name | Value |
|
+---------------+--------------------+
|
| Ssl_cipher | DHE-RSA-AES256-SHA |
|
+---------------+--------------------+
|
1 row in set (0.03 sec)
|
Windows XP:
Windows does not work as expected, unless you expect it not to work.
mysql -V
|
MYSQL Ver 15.1 Distrib 5.5.33a-MariaDB, for Win32 (x86)
|
|
|
mysql -h eugeneweb.com --ssl-ca=CA-cert.pem --ssl-cert=client-both.pem
|
ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation
|
|
|
mysql -h eugeneweb.com --ssl-ca=CA-cert.pem
|
ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation
|
|
|
mysql -h eugeneweb.com --ssl-cert=client-both.pem
|
Works.
mysql -h eugeneweb.com --ssl-cert=client-cert.pem --ssl-key=client-key.pem
|
Works
mysql -h eugeneweb.com --ssl-ca=CA-cert.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem
|
ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation
|
Thanks for any light you can shed on this.
Clif