From: Reindl Harald
Date: November 25 2012 12:02am
Subject: Re: Failed to setup SSL
List-Archive: http://lists.mysql.com/mysql/228725
Message-Id: <50B15FFD.1080402@thelounge.net>

Am 25.11.2012 00:30, schrieb Jackie Zhang:
> Hello everyone,
>
> I want to set up SSL for mysql server. I followed the manual on
> http://dev.mysql.com/doc/refman/5.5/en/ssl-connections.html
>
> I first generated the certificates and key files by strictly following the
> following link,
> http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html
> with everything verified:
>
> shell> openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
> server-cert.pem: OK
> client-cert.pem: OK
>
>
> But, when I start my server using
> bin/mysqld --ssl-ca=./newcerts/ca-cert.pem \
> --ssl-cert=./newcerts/server-cert.pem \
> --ssl-key=./newcerts/server-key.pem
>
> The server started with the following error message:
> 121124 14:41:27 [Warning] Failed to setup SSL
> 121124 14:41:27 [Warning] SSL error: Failed to set ciphers to use
>
> Did I miss something? I tried to add
> --ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA and --ssl, but it didn't help.
>
> Please give me some clue...

I used the script below to generate ca.crt, client.pem and server.pem; this setup has worked for years for replication as well as for PHP scripts.

[root@buildserver:~]$ cat /buildserver/ssl-cert/mysql/generate.sh
#!/bin/bash
# Regenerates a private CA plus a server and a client certificate for mysqld.
# Assumes $DIR/openssl.cnf (not shown here) points the CA database at $DIR/db
# and new_certs_dir at $DIR/cert, which is why 01.pem/02.pem are cleaned up below.
DIR="/buildserver/ssl-cert/mysql"

# Start from an empty certificate directory and an empty CA database.
rm -rf "$DIR/cert/"
rm -rf "$DIR/db/"
mkdir "$DIR/cert/"
mkdir "$DIR/db/"
touch "$DIR/db/index.txt"
echo "01" > "$DIR/db/serial"

# Self-signed CA, valid for ten years.
rm -f "$DIR/ca.key"
rm -f "$DIR/cert/ca.crt"
openssl req -new -x509 -days 3650 -keyout "$DIR/ca.key" -out "$DIR/cert/ca.crt" -config "$DIR/openssl.cnf"

# Server key + CSR; "openssl rsa" rewrites the key without a passphrase so mysqld
# can read it unattended; then the CA signs the CSR.
openssl req -new -keyout "$DIR/cert/server.key" -out "$DIR/cert/server.csr" -days 3650 -config "$DIR/openssl.cnf"
openssl rsa -in "$DIR/cert/server.key" -out "$DIR/cert/server.key"
openssl ca -policy policy_anything -out "$DIR/cert/server.crt" -days 3650 -config "$DIR/openssl.cnf" -infiles "$DIR/cert/server.csr"

# Same three steps for the client certificate.
openssl req -new -keyout "$DIR/cert/client.key" -out "$DIR/cert/client.csr" -days 3650 -config "$DIR/openssl.cnf"
openssl rsa -in "$DIR/cert/client.key" -out "$DIR/cert/client.key"
openssl ca -policy policy_anything -out "$DIR/cert/client.crt" -days 3650 -config "$DIR/openssl.cnf" -infiles "$DIR/cert/client.csr"

# Remove the CSRs and the CA's own copies of the issued certificates.
rm -f "$DIR/cert/server.csr"
rm -f "$DIR/cert/client.csr"
rm -f "$DIR/cert/01.pem"
rm -f "$DIR/cert/02.pem"

# Bundle certificate and key into one PEM file each (the file mysqld/clients are pointed at).
cat "$DIR/cert/server.crt" "$DIR/cert/server.key" > "$DIR/cert/server.pem"
rm -f "$DIR/cert/server.crt"
rm -f "$DIR/cert/server.key"

cat "$DIR/cert/client.crt" "$DIR/cert/client.key" > "$DIR/cert/client.pem"
rm -f "$DIR/cert/client.crt"
rm -f "$DIR/cert/client.key"

# Install into the directory mysqld and the clients read from.
chmod 644 "$DIR"/cert/*
rm -f /etc/mysql-ssl/*
cp "$DIR"/cert/* /etc/mysql-ssl/
chmod 755 /etc/mysql-ssl/
chmod 644 /etc/mysql-ssl/*
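As an added example (not from this thread and not MySQL's own code), a stdlib-only Python pre-flight that asks the local OpenSSL the two things mysqld asks of it at startup: whether the cipher string selects any usable cipher, and whether the CA, certificate and key load as a server's; the paths and the cipher string are the ones from the question, and the helper names are my own.

```python
"""Pre-flight checks for a mysqld SSL configuration (standard library only).

Both checks use the OpenSSL build Python is linked against, which may differ
from the one mysqld was built with; treat them as a sanity check, not proof.
Chain validity against the CA (what "openssl verify" in the question tests)
is not repeated here.
"""
import ssl
from typing import Tuple


def check_cipher_string(cipher_string: str) -> Tuple[bool, str]:
    """Return (ok, detail): does the local OpenSSL accept this cipher list?

    This is the call (SSL_CTX_set_cipher_list) behind mysqld's warning
    "Failed to set ciphers to use": it fails when no cipher can be selected.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        return False, f"rejected by OpenSSL: {exc}"
    names = [c["name"] for c in ctx.get_ciphers()]
    return True, "selects: " + ", ".join(names)


def check_server_material(ca_file: str, cert_file: str, key_file: str) -> Tuple[bool, str]:
    """Return (ok, detail): can a TLS server context be built from these files?

    load_cert_chain() fails if the certificate and key are not a matching pair
    or are not PEM; load_verify_locations() fails if the CA file is unusable.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
        ctx.load_verify_locations(cafile=ca_file)
    except ssl.SSLError as exc:          # must precede OSError: SSLError subclasses it
        return False, f"rejected by OpenSSL: {exc}"
    except OSError as exc:               # missing or unreadable file
        return False, f"cannot read file: {exc}"
    return True, "certificate, key and CA load cleanly"


if __name__ == "__main__":
    # Cipher string and paths exactly as passed to mysqld in the question.
    checks = [
        ("cipher string", check_cipher_string("DHE-RSA-AES256-SHA:AES128-SHA")),
        ("server files", check_server_material("./newcerts/ca-cert.pem",
                                               "./newcerts/server-cert.pem",
                                               "./newcerts/server-key.pem")),
    ]
    for label, (ok, detail) in checks:
        print(f"{label}: {'OK' if ok else 'FAIL'} ({detail})")
```

Run it from the same working directory and with the same options you give mysqld; a FAIL on the cipher line reproduces the server's complaint without starting the server.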