List: General Discussion
From: Jonas Meurer
Date: August 31 2008 2:28pm
Subject: SSL Connection and empty SSL_CIPHER
Hello,

I just started playing around with SSL enabled connections to the MySQL
server, and so far I got everything working except that the SSL_CIPHER
variable always stays empty.

First I created a CA cert+key pair, then both a MySQL Server and Client
cert+key pair, both signed by the CA cert.

I configured ca-cert, ssl-cert and ssl-key for the Server at
/etc/mysql/my.cnf and restarted the server. Now I checked whether SSL
support was enabled:

mysql> SHOW VARIABLES LIKE '%SSL%';
+---------------+------------------------------------+
| Variable_name | Value                              |
+---------------+------------------------------------+
| have_openssl  | YES                                | 
| have_ssl      | YES                                | 
| ssl_ca        | /etc/ssl/certs/ca.crt              | 
| ssl_capath    |                                    | 
| ssl_cert      | /etc/ssl/private/mysql-server.crt  | 
| ssl_cipher    |                                    | 
| ssl_key       | /etc/ssl/private/mysql-server.key  | 
+---------------+------------------------------------+

Now I limited MySQL remote connections for user 'jonas' to SSL:

mysql> GRANT ALL ON *.* TO jonas REQUIRE SUBJECT '...' AND ISSUER '...';

After first getting errors because of slightly wrong subject and issuer
strings, that one worked as well:

$ mysql -u jonas -p --host=<mysql-host> --skip-ssl
Enter password: 
ERROR 1045 (28000): Access denied for user 'jonas'@'<localhost>' (using password: YES)

$ mysql -u jonas -p --host=<mysql-host> --ssl-ca=ca.crt --ssl-key=mysql-client.key --ssl-cert=mysql-client.crt
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 389
Server version: 5.0.51a-12-log (Debian)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.


So far everything works great.

But for some reason, the SSL connection doesn't have a Cipher set:

mysql> SHOW VARIABLES LIKE '%SSL%';
+---------------+------------------------------------+
| Variable_name | Value                              |
+---------------+------------------------------------+
| have_openssl  | YES                                | 
| have_ssl      | YES                                | 
| ssl_ca        | /etc/ssl/certs/ca.crt              | 
| ssl_capath    |                                    | 
| ssl_cert      | /etc/ssl/private/mysql-server.crt  | 
| ssl_cipher    |                                    | 
| ssl_key       | /etc/ssl/private/mysql-server.key  | 
+---------------+------------------------------------+
7 rows in set (0.01 sec)

Do you have any suggestions why that could be? I also tried setting the
cipher manually with --ssl-cipher=DHE-RSA-AES256-SHA, but that doesn't
help either. To be honest, I've no idea why the cipher is empty.

Thanks in advance for any help :-)

greetings,
 jonas

PS: please Cc me on replies as I'm not subscribed to the list.
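
The following is an added example, not part of the original message. In MySQL the ssl_cipher system variable shown above is server configuration, while the cipher negotiated for the current connection is reported by the Ssl_cipher status variable. The statements below check both and show the GRANT from the message extended with a cipher requirement, where '...' stands for the subject and issuer strings the message elides.

```sql
-- Server configuration: the permitted cipher list the server was started
-- with (ssl-cipher in my.cnf). Empty means no list was configured; it says
-- nothing about the current connection.
SHOW VARIABLES LIKE 'ssl_cipher';

-- Current session: the cipher actually negotiated for this connection.
-- A non-empty value means the session is encrypted; empty means it is not.
SHOW SESSION STATUS LIKE 'Ssl_cipher';

-- Optionally require a specific cipher for the account in addition to the
-- certificate checks. The cipher name is the one tried in the message.
GRANT ALL ON *.* TO jonas
  REQUIRE SUBJECT '...' AND ISSUER '...' AND CIPHER 'DHE-RSA-AES256-SHA';
```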