
I'm trying to set up SSL for MySQL by referring to this.
I'm able to complete the first 3 steps but am having an issue with the 4th, which is as follows:

GRANT ALL PRIVILEGES ON *.* TO 'ssluser'@'localhost' IDENTIFIED BY 'ssluser' REQUIRE SSL;

After executing this statement, when I try to run mysql -ussluser -pssluser -P3430 --ssl-key=, it shows the following error: Can't connect to MySQL server on 'localhost' (10061)

I tried to connect to MySQL using mysql -ussluser -pssluser, but it shows: Access denied for user 'ssluser'@'localhost' (using password: YES)

How can it say Access Denied when I have already executed the GRANT statement?

Note that I executed mysql -ussluser -pssluser before using the GRANT statement and I was able to connect to MySQL. I executed mysql> CHANGE MASTER TO MASTER_SSL=1; at that point in time (which should enable SSL???).

Also, if I try SHOW GRANTS FOR 'ssluser'@'localhost';
I get

GRANT ALL PRIVILEGES ON *.* TO 'ssluser'@'localhost' IDENTIFIED BY PASSWORD '*C56A6573BEE146CB8243543295FD80ADCE588EFF' REQUIRE SSL WITH GRANT OPTION

I've been trying this for a couple of days but have found nothing. Any help appreciated.

Edit 1

When I use show global variables like 'have_%ssl'; I get

have_openssl    DISABLED
have_ssl        DISABLED

and when I use SHOW STATUS LIKE 'Ssl_cipher'; I get

Ssl_cipher  _________

Also, I have created all server and client certificates and placed them in the certs directory inside the MySQL server root directory.

GAMA
  • Did you do a `FLUSH PRIVILEGES;`? – hjpotter92 Mar 12 '13 at 12:23
  • Re the 10061 message - are you connecting to mySQL on the right port? How are you connecting to mySQL? – Pekka Mar 12 '13 at 12:24
  • How about step 5: updating your config file and restarting the server? MySQL will not know to use ssl connections until then – Mchl Mar 12 '13 at 12:56
  • @Pekka웃 : 3306 is the default port for me. Also I'm able to connect with *root* but without using `REQUIRE SSL` in `GRANT`. – GAMA Mar 12 '13 at 13:02
  • @Mchl : Already tried, but no help :( – GAMA Mar 12 '13 at 13:15
  • I posted a response that might help you in http://stackoverflow.com/questions/15402828/integrating-ssl-with-mysql-access-denied . Is this a duplicate of that one, or is this slightly different? – Matt Lavin Jan 29 '14 at 16:14

1 Answer


You've not provided any information about the OS for the server or client, nor where you sourced the executables, nor how the DBMS is configured.

mysql -ussluser -pssluser -P3430 --ssl-key=

IIRC, the ssl-key option is used when you've set up the user account to provide a client certificate for authentication (GRANT....REQUIRE X509;). And in this scenario you need to give it a client cert file as an argument.

But you've only said that it should use SSL - i.e. the client is anonymous for SSL purposes. However the client still needs to validate the server - hence mysql should be started with --ssl-ca=ca-cert.pem or --ssl-capath=directory_name.

You also need to ensure that the server is configured for SSL support - the ini file or startup script should contain a reference to the certificate it's going to use and the port on which it handles SSL connections. Also SSL support must be compiled into the binary and any relevant shared object files be available. If config says SSL but the DBMS can't do SSL, then you should get some indication of this from the server logs.

symcbean
  • when you say `--ssl-ca=ca-cert.pem`, it implies to something like this `mysql -ussluser -pssluser -P3430 --ssl-ca="C:\Program Files\MySQL\MySQL Server 5.5\certs\ca-cert.pem"`, Correct? – GAMA Mar 12 '13 at 13:21
  • It's giving following error: `ERROR 2003 (HY000): Can't connect to MySQL server on 'localhost' (10061)` – GAMA Mar 12 '13 at 13:22
  • Also, can you please guide me through last para of your answer? – GAMA Mar 12 '13 at 13:23
  • Comment 1: yes. Comment 2: did you check that the ca-cert bundle contains the ca you used for your certificate? Comment 3: only if I can bill you by the hour – symcbean Mar 12 '13 at 14:04
  • I didn't get your reply related to comment 2? – GAMA Mar 12 '13 at 14:51
  • My `ca-cert.pem` is placed at above mentioned location only. – GAMA Mar 13 '13 at 13:44
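The server-side and client-side configuration the answer describes, written out as an added example (not part of the original question or answer). The certs directory is the one named in the question; the server-cert.pem and server-key.pem file names follow the MySQL manual's conventions and are assumptions.

```ini
; my.ini / my.cnf fragment (added example; file paths are assumptions based on
; the certs directory mentioned in the question). Forward slashes are accepted
; in MySQL option files on Windows.

[mysqld]
; Server-side SSL material. All three must be set and readable by the server
; process, otherwise the server starts without SSL and
;   SHOW GLOBAL VARIABLES LIKE 'have_ssl';
; reports DISABLED, exactly as in the question. DISABLED means the binary was
; built with SSL support but was not started with working ssl-* options;
; NO would mean SSL support is not compiled in at all.
ssl-ca=C:/Program Files/MySQL/MySQL Server 5.5/certs/ca-cert.pem
ssl-cert=C:/Program Files/MySQL/MySQL Server 5.5/certs/server-cert.pem
ssl-key=C:/Program Files/MySQL/MySQL Server 5.5/certs/server-key.pem

[client]
; Trust anchor the client uses to validate the server certificate. This is
; the same as passing --ssl-ca=... on every mysql command line, which is what
; the answer recommends; a bare --ssl-key= (as in the question) is for client
; certificate authentication (REQUIRE X509) and is not needed for REQUIRE SSL.
ssl-ca=C:/Program Files/MySQL/MySQL Server 5.5/certs/ca-cert.pem
; Additionally check that the server certificate's Common Name matches the
; host being connected to, so a substituted certificate is rejected.
ssl-verify-server-cert

; After restarting the server, verify from a client session:
;   SHOW GLOBAL VARIABLES LIKE 'have_ssl';   expect YES
;   SHOW STATUS LIKE 'Ssl_cipher';           non-empty only if this session is
;                                            actually encrypted
; A REQUIRE SSL account is refused with "Access denied" on any session where
; Ssl_cipher is empty, which matches the error in the question.
```

Note that the 10061 error in the question is a Windows "connection refused" at the TCP level, raised before any SSL or authentication happens; as Pekka's comment suggests, it indicates nothing is listening on the port given with -P3430, so the port should be checked independently of the SSL configuration.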