Or... How to learn (the hard way) that some applications are simply lagging behind in terms of security...
Anyway, I've been back working on my Free Software X.509 Cookbook, and started writing about setting-up an <a href="http://www.ejbca.org/">EJBCA</a> OCSP responder, when I found myself hitting the wall while trying to set-up use of SSL for the purpose of protecting the communications with the MySQL server.
This hasn't been the first time I've had issues like this, though. I've already had a problem when supplying the private key generated by the EJBCA to the MySQL server (it didn't like the format). In the end I was able to solve that issue with a simple:
<code> $ openssl rsa -in ejbca_generated_key -out mysql_usable.key </code>
I'm still not sure what the exact problem was, but it apparently didn't like that format (there is a slight difference between those files, although OpenSSL itself seems to have no problem parsing them at all).
This time around, after much head-banging and touching in the dark, I've performed some basic comparison with the certificates I had previously managed to get working with the other installation of MySQL server. It turned out that the major difference was the signature algorithm used in those certificates. One back-up of the CA later, and some fiddling with profiles, and I've managed to reaffirm my doubts. Indeed, using the same profile in the EJBCA, but this time with SHA1WITHRSA algorithm, and everything worked fine. Back to the SHA256WITHRSA and the issue is back as well.
The most curious thing about this, though, is that the CA used for issuing the certificates is ''still'' using SHA256WITHRSA, and it doesn't cause any issue. The problem only seems to happen in case where the server certificate uses the said algorithm.
That said, keep an eye out for SSL-related bugs in the MySQL, and keep your temper in control if you ever run into them. The ''most'' annoying problem with this entire ordeal was the fact that MySQL client kept producing the same unusable answer:
<code> ERROR 2026 (HY000): SSL connection error </code>
I certainly hope that there will be some changes to the way MySQL handles X.509 certificates and SSL in general, and in the meantime I'm hoping to (finally) give PostgreSQL a try as well.
Comments
Comments are closed.