7

I am trying to enable SSL connections for MySQL. SSL shows as enabled in MySQL, but I can't make any connections due to this error: ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation

I am running the following:

    Ubuntu Version: 14.04.1 LTS (GNU/Linux 3.13.0-34-generic x86_64)
    MySQL Version: 5.5.38-0ubuntu0.14.04.1
    OpenSSL Version: OpenSSL 1.0.1f 6 Jan 2014

I used these commands to generate my certificates (all generated in /etc/mysql):

    openssl genrsa -out ca-key.pem 2048
    openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem -subj "/C=US/ST=NY/O=MyCompany/CN=ca"
    openssl req -newkey rsa:2048 -nodes -days 3650 -keyout server-key.pem -out server-req.pem -subj "/C=US/ST=NY/O=MyCompany/CN=server"
    openssl rsa -in server-key.pem -out server-key.pem
    openssl x509 -req -in server-req.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
    openssl req -newkey rsa:2048 -nodes -days 3650 -keyout client-key.pem -out client-req.pem -subj "/C=US/ST=NY/O=MyCompany/CN=client"
    openssl rsa -in client-key.pem -out client-key.pem
    openssl x509 -req -in client-req.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

I put the following in my.cnf:

    [mysqld]
    ssl-ca=/etc/mysql/ca-cert.pem
    ssl-cert=/etc/mysql/server-cert.pem
    ssl-key=/etc/mysql/server-key.pem

When I attempt to connect specifying the client certificates, I get the following error:

    mysql -uroot -ppassword --ssl-ca=/etc/mysql/ca-cert.pem --ssl-cert=/etc/mysql/client-cert.pem --ssl-key=/etc/mysql/client-key.pem
    ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation

If I connect without SSL, I can see that MySQL has correctly loaded the certificates:

    mysql -uroot -ppassword --ssl=false
    mysql> SHOW VARIABLES LIKE '%ssl%';
    +---------------+----------------------------+
    | Variable_name | Value                      |
    +---------------+----------------------------+
    | have_openssl  | YES                        |
    | have_ssl      | YES                        |
    | ssl_ca        | /etc/mysql/ca-cert.pem     |
    | ssl_capath    |                            |
    | ssl_cert      | /etc/mysql/server-cert.pem |
    | ssl_cipher    |                            |
    | ssl_key       | /etc/mysql/server-key.pem  |
    +---------------+----------------------------+
    7 rows in set (0.00 sec)

My generated certificates pass OpenSSL verification and modulus:

    openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
    server-cert.pem: OK
    client-cert.pem: OK

What am I missing? I used this same process before on a different server and it worked; however, the Ubuntu version was 12.04 LTS and the OpenSSL version was older (I don't remember specifically). Has something changed with the latest OpenSSL?

Any help would be appreciated!

2 Answers

10

I used:

    # Generate a CA key and certificate with SHA1 digest
    openssl genrsa 2048 > ca-key.pem;
    openssl req -sha1 -new -x509 -nodes -days 3650 -key ca-key.pem > ca-cert.pem;
    # Create server key and certificate with SHA1 digest, sign it and convert
    # the RSA key from PKCS #8 (OpenSSL 1.0 and newer) to the old PKCS #1 format
    openssl req -sha1 -newkey rsa:2048 -days 3650 -nodes -keyout server-key.pem > server-req.pem;
    openssl x509 -sha1 -req -in server-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem;
    openssl rsa -in server-key.pem -out server-key.pem;
    # Create client key and certificate with SHA1 digest, sign it and convert
    # the RSA key from PKCS #8 (OpenSSL 1.0 and newer) to the old PKCS #1 format
    openssl req -sha1 -newkey rsa:2048 -days 3650 -nodes -keyout client-key.pem > client-req.pem;
    openssl x509 -sha1 -req -in client-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem;
    openssl rsa -in client-key.pem -out client-key.pem;

to set up my SSL (Ubuntu 12.04). My MySQL config contains:

    [client]
    ssl-cert=/etc/mysql/client-cert.pem
    ssl-key=/etc/mysql/client-key.pem

    [mysqld]
    ssl-ca=/etc/mysql/ca-cert.pem
    ssl-cert=/etc/mysql/server-cert.pem
    ssl-key=/etc/mysql/server-key.pem

Have a look at this post for debugging SSL, and this post for the changes in OpenSSL (Ubuntu 10.04 -> 14.04).

3
  • Yep, that was it. I needed to convert to the old PKCS #1 format due to using the newer OpenSSL on 14.04. THANKS! Commented Aug 19, 2014 at 14:48
  • I'm getting SSL connection error: SSL certificate validation failure when I validate server cert: mysql --ssl-verify-server-cert. Any idea what's wrong? Commented Aug 7, 2016 at 18:45
  • Never mind - that only verifies that the common name matches the host name (for me it doesn't). Commented Aug 7, 2016 at 18:56
0

To add to @tersmitten's answer:

Firstly: these days the SHA1 hash algorithm is too weak and connections from the MySQL client will fail with the error TLS/SSL error: ca md too weak. To resolve this, change -sha1 to -sha256 in @tersmitten's answer.

Secondly, if using this setup in an unattended scenario, the interactive prompt can be avoided by adding the Subject line as a parameter to the three openssl req lines, e.g.:

-subj "/C=GB/ST=London/L=London/O=My Organisation/CN=www.example.com" 

NB: The server and client certificates cannot have the same common name (CN), otherwise the error "certification verification failed" will be shown, per this guide.
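The two answers together describe a procedure (generate CA, server and client certificates; rewrite the keys as PKCS #1 so MySQL 5.5's bundled yaSSL can parse them; use SHA-256 instead of SHA-1; give server and client distinct CNs). The script below is an added example that is not code from the question or from either answer: it runs that procedure end to end and then checks each of those conditions, so a wrong key container or a CN collision is reported before anything is put in my.cnf. The output directory, the subject prefix /C=US/ST=NY/O=Example, the serial numbers and the helper names (key_format, cert_cn, to_pkcs1, gen_certs) are all my own choices, not anything from the page.

```shell
#!/bin/sh
# Added example, not code from the question or either answer. It reproduces
# the certificate setup the answers describe (CA, server cert, client cert,
# keys rewritten to PKCS#1 with 'openssl rsa'), using SHA-256 digests and
# distinct CNs, and then checks the two things that make MySQL 5.5's bundled
# yaSSL reject a connection. Directory and subject values are constructed.
set -eu

# Report the PEM container of a private key. yaSSL in MySQL 5.5 only parses
# the traditional PKCS#1 form ("BEGIN RSA PRIVATE KEY"); OpenSSL 1.0 and
# later write PKCS#8 ("BEGIN PRIVATE KEY") by default, which is what yields
# "ASN: bad other signature confirmation" in the question.
key_format() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN RSA PRIVATE KEY-----") echo pkcs1 ;;
        "-----BEGIN PRIVATE KEY-----")     echo pkcs8 ;;
        *)                                 echo unknown ;;
    esac
}

# Print the subject CN of a certificate (handles both the old
# "/C=US/.../CN=x" and the newer "C = US, ..., CN = x" subject layouts).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Rewrite a private key file in place as PKCS#1. OpenSSL 3 needs -traditional
# for that; older releases reject the flag and already emit PKCS#1, hence the
# fallback to the plain 'openssl rsa' form used in the accepted answer.
to_pkcs1() {
    openssl rsa -in "$1" -traditional -out "$1.tmp" 2>/dev/null \
        || openssl rsa -in "$1" -out "$1.tmp" 2>/dev/null
    mv "$1.tmp" "$1"
}

# Create CA/server/client material under $1 with server CN $2 and client CN
# $3. Fails if a key is not PKCS#1, the chain does not verify, or the CNs
# collide (the failure the second answer warns about).
gen_certs() {
    dir=$1; server_cn=$2; client_cn=$3
    subj_base="/C=US/ST=NY/O=Example"   # constructed subject prefix
    mkdir -p "$dir"
    (
        cd "$dir" || exit 1
        openssl genrsa -out ca-key.pem 2048 2>/dev/null || exit 1
        openssl req -sha256 -new -x509 -nodes -days 3650 -key ca-key.pem \
            -subj "$subj_base/CN=ca" -out ca-cert.pem 2>/dev/null || exit 1
        serial=1
        for role in server client; do
            if [ "$role" = server ]; then cn=$server_cn; else cn=$client_cn; fi
            openssl req -sha256 -newkey rsa:2048 -nodes -keyout "$role-key.pem" \
                -out "$role-req.pem" -subj "$subj_base/CN=$cn" 2>/dev/null || exit 1
            # One serial per issued certificate; the answers reuse 01 for both.
            openssl x509 -sha256 -req -in "$role-req.pem" -days 3650 \
                -CA ca-cert.pem -CAkey ca-key.pem -set_serial "$serial" \
                -out "$role-cert.pem" 2>/dev/null || exit 1
            to_pkcs1 "$role-key.pem" || exit 1
            serial=$((serial + 1))
        done
    ) || { echo "openssl step failed in $dir" >&2; return 1; }

    for role in server client; do
        [ "$(key_format "$dir/$role-key.pem")" = pkcs1 ] \
            || { echo "$role-key.pem is not PKCS#1" >&2; return 1; }
    done
    openssl verify -CAfile "$dir/ca-cert.pem" \
        "$dir/server-cert.pem" "$dir/client-cert.pem" >/dev/null 2>&1 \
        || { echo "chain does not verify" >&2; return 1; }
    [ "$(cert_cn "$dir/server-cert.pem")" != "$(cert_cn "$dir/client-cert.pem")" ] \
        || { echo "server and client CN must differ" >&2; return 1; }
    echo "ok: $dir"
}

# Usage: gen_certs /etc/mysql mysql-server mysql-client
```

key_format is the quickest diagnostic for the error in the question: if either key file starts with "BEGIN PRIVATE KEY" rather than "BEGIN RSA PRIVATE KEY", the 5.5 server or client will reject it regardless of whether openssl verify passes. The CN check exists because openssl verify is happy with identical subjects; only the MySQL handshake complains.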
