7

I am trying to enable SSL connections for MySQL-- SSL will show as enabled in MySQL, but I can't make any connections due to this error: ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation

I am running the following:

Ubuntu Version: 14.04.1 LTS (GNU/Linux 3.13.0-34-generic x86_64)
MySQL Version: 5.5.38-0ubuntu0.14.04.1
OpenSSL Version: OpenSSL 1.0.1f 6 Jan 2014

I used these commands to generate my certificates (all generated in /etc/mysql):

openssl genrsa -out ca-key.pem 2048
openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem -subj "/C=US/ST=NY/O=MyCompany/CN=ca"

openssl req -newkey rsa:2048 -nodes -days 3650 -keyout server-key.pem -out server-req.pem -subj "/C=US/ST=NY/O=MyCompany/CN=server"
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

openssl req -newkey rsa:2048 -nodes -days 3650 -keyout client-key.pem -out client-req.pem -subj "/C=US/ST=NY/O=MyCompany/CN=client"
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

I put the following in my.cnf:

[mysqld]    
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem

When I attempt to connect specifying the client certificates-- I get the following error:

mysql -uroot -ppassword --ssl-ca=/etc/mysql/ca-cert.pem --ssl-cert=/etc/mysql/client-cert.pem --ssl-key=/etc/mysql/client-key.pem

ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation

If I connect without SSL, I can see that MySQL has correctly loaded the certificates:

mysql -uroot -ppassword --ssl=false

mysql> SHOW VARIABLES LIKE '%ssl%';
+---------------+----------------------------+
| Variable_name | Value                      |
+---------------+----------------------------+
| have_openssl  | YES                        |
| have_ssl      | YES                        |
| ssl_ca        | /etc/mysql/ca-cert.pem     |
| ssl_capath    |                            |
| ssl_cert      | /etc/mysql/server-cert.pem |
| ssl_cipher    |                            |
| ssl_key       | /etc/mysql/server-key.pem  |
+---------------+----------------------------+
7 rows in set (0.00 sec)

My generated certificates pass OpenSSL verification and modulus:

openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
server-cert.pem: OK
client-cert.pem: OK

What am I missing? I used this same process before on a different server and it worked- however the Ubuntu version was 12.04 LTS and the OpenSSL version was older (don't remember specifically). Has something changed with the latest OpenSSL?

Any help would be appreciated!

SJL
  • 183
  • 1
  • 1
  • 3

2 Answers2

10

I used:

# Generate a CA key and certificate with SHA1 digest

openssl genrsa 2048 > ca-key.pem;
openssl req -sha1 -new -x509 -nodes -days 3650 -key ca-key.pem > ca-cert.pem;

# Create server key and certficate with SHA1 digest, sign it and convert
# the RSA key from PKCS #8 (OpenSSL 1.0 and newer) to the old PKCS #1 format

openssl req -sha1 -newkey rsa:2048 -days 3650 -nodes -keyout server-key.pem > server-req.pem;
openssl x509 -sha1 -req -in server-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem;
openssl rsa -in server-key.pem -out server-key.pem;

# Create client key and certificate with SHA digest, sign it and convert
# the RSA key from PKCS #8 (OpenSSL 1.0 and newer) to the old PKCS #1 format

openssl req -sha1 -newkey rsa:2048 -days 3650 -nodes -keyout client-key.pem > client-req.pem;
openssl x509 -sha1 -req -in client-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem;
openssl rsa -in client-key.pem -out client-key.pem;

to set up my ssl (ubuntu 12.04). My mysql config contains:

[client]
ssl-cert=/etc/mysql/client-cert.pem
ssl-key=/etc/mysql/client-key.pem

[mysqld]
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem

Have a look at this post for debugging ssl. And this post for the changes in openssl (ubuntu 10.04 -> 14.04).

Community
  • 1
tersmitten
  • 226
  • 2
  • 5
  • Yep that was it-- I needed to convert to the old PKCS #1 format due to using the newer OpenSSL on 14.04. THANKS! – SJL Aug 19 '14 at 14:48
  • I'm getting `SSL connection error: SSL certificate validation failure` when I validate server cert: `mysql --ssl-verify-server-cert`. Any idea what's wrong? – rustyx Aug 07 '16 at 18:45
  • Never mind - that only verifies that the common name matches the host name (for me it doesn't). – rustyx Aug 07 '16 at 18:56
0

To add to @tersmitten's answer:

Firstly: these days the SHA1 hash algorithm is too weak and connections from the MySQL client will fail with the error TLS/SSL error: ca md too weak. To resolve this, change -sha1 to -sha256 in @tersmitten's answer.

Secondly, if using this setup in an unattended scenario, the interactive prompt can be avoided by adding the Subject line as a parameter to the three openssl req lines, e.g.:

-subj "/C=GB/ST=London/L=London/O=My Organisation/CN=www.example.com"

NB: The server and client certificates cannot have the same common name (CN), otherwise the error certification verification failed will be shown, per this guide

Sam Finnigan
  • 11
  • 3