2

I'm trying to create some certificate to use with MySQL and everything works fine if I use the sha1 algorithm. If I add the -sha256 switch or -sha384 I can NOT connect to MySQL!. I get this error: ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation

I found a similar question here, but the accepted solution was to use -sha1. I want to use sha2, since Microsoft, Google & Firefox do not recommend to use sha1 anymore.

This is what I use to create the keys. If I remove the -sha256 switch it works fine using sha1. I have also tried with a 2048 bit key, same issue

openssl genrsa 4096 > ca-key.pem
openssl req -sha256 -new -x509 -nodes -days 10000 -key ca-key.pem -out ca-cert.pem

openssl req -sha256 -newkey rsa:4096 -days 10000 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -sha256 -in server-req.pem -days 10000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

openssl req -sha256 -newkey rsa:4096 -days 10000 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -sha256 -in client-req.pem -days 10000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

The certificate verify without issues

openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem

Result:

server-cert.pem: OK
client-cert.pem: OK

my.cnf

[mysqld]
ssl                       = On
ssl-cipher                = DHE-RSA-AES256-SHA
ssl-ca                    = /etc/mysql/ssl/ca-cert.pem
ssl-cert                  = /etc/mysql/ssl/server-cert.pem
ssl-key                   = /etc/mysql/ssl/server-key.pem

Using MySQL 5.5.40

mysql>SELECT version()

5.5.40-0+wheezy1

SSL variables looks okay

mysql> show variables like '%ssl%';
Variable_name            Value
ssl_key                  /etc/mysql/ssl/server-key.pem
ssl_cipher               DHE-RSA-AES256-SHA
ssl_cert                 /etc/mysql/ssl/server-cert.pem
ssl_capath 
ssl_ca                   /etc/mysql/ssl/ca-cert.pem
have_ssl                 YES
have_openssl             YES

Openssl version

~ $  openssl version
OpenSSL 1.0.1e 11 Feb 2013
Community
  • 1
user2094579
  • 41
  • 5

1 Answers1

2

I have resolved this issue.

I was getting the error: ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation when I was connecting with HeidiSQL version 8.3.0.4694. I failed to mention that as I thought it was not relevant.

I tried connecting using the mysqli and ssl_set function in PHP 5.6.2, and that worked.

So the problem was not MySQL. I then installed HeidiSQL 9.0.0.4865 and it connected flawless with a certificate using sha256

user2094579
  • 41
  • 5