I'm trying to create some certificate to use with MySQL and everything works fine if I use the sha1 algorithm. If I add the -sha256 switch or -sha384 I can NOT connect to MySQL!. I get this error: ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation
I found a similar question here, but the accepted solution was to use -sha1. I want to use sha2, since Microsoft, Google & Firefox do not recommend to use sha1 anymore.
This is what I use to create the keys. If I remove the -sha256 switch it works fine using sha1. I have also tried with a 2048 bit key, same issue
openssl genrsa 4096 > ca-key.pem openssl req -sha256 -new -x509 -nodes -days 10000 -key ca-key.pem -out ca-cert.pem openssl req -sha256 -newkey rsa:4096 -days 10000 -nodes -keyout server-key.pem -out server-req.pem openssl rsa -in server-key.pem -out server-key.pem openssl x509 -req -sha256 -in server-req.pem -days 10000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem openssl req -sha256 -newkey rsa:4096 -days 10000 -nodes -keyout client-key.pem -out client-req.pem openssl rsa -in client-key.pem -out client-key.pem openssl x509 -req -sha256 -in client-req.pem -days 10000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem The certificate verify without issues
openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem Result:
server-cert.pem: OK client-cert.pem: OK my.cnf
[mysqld] ssl = On ssl-cipher = DHE-RSA-AES256-SHA ssl-ca = /etc/mysql/ssl/ca-cert.pem ssl-cert = /etc/mysql/ssl/server-cert.pem ssl-key = /etc/mysql/ssl/server-key.pem Using MySQL 5.5.40
mysql>SELECT version() 5.5.40-0+wheezy1 SSL variables looks okay
mysql> show variables like '%ssl%'; Variable_name Value ssl_key /etc/mysql/ssl/server-key.pem ssl_cipher DHE-RSA-AES256-SHA ssl_cert /etc/mysql/ssl/server-cert.pem ssl_capath ssl_ca /etc/mysql/ssl/ca-cert.pem have_ssl YES have_openssl YES Openssl version
~ $ openssl version OpenSSL 1.0.1e 11 Feb 2013 
