Dear Reindl,

Thanks a lot for the reply!

I tried your scripts (the only difference is the openssl.cnf, because I
don't have it).

Unfortunately, I still failed to start the server with the same message:

121124 17:00:06 [Warning] Failed to setup SSL
121124 17:00:06 [Warning] SSL error: Failed to set ciphers to use

Do you have any idea from the log message?

Best regards,
Jackie


On Sat, Nov 24, 2012 at 4:02 PM, Reindl Harald <h.rei...@thelounge.net> wrote:

>
>
> On 25.11.2012 00:30, Jackie Zhang wrote:
> > Hello everyone,
> >
> > I want to setup SSL for mysql server. I followed the manual on
> > http://dev.mysql.com/doc/refman/5.5/en/ssl-connections.html
> >
> > I first generated the certificates and key files by strictly following the
> > following link,
> > http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html
> > with everything verified:
> >
> > shell> openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
> > server-cert.pem: OK
> > client-cert.pem: OK
> >
> >
> > But, when I start my server using
> > bin/mysqld --ssl-ca=./newcerts/ca-cert.pem \
> >                  --ssl-cert=./newcerts/server-cert.pem \
> >                  --ssl-key=./newcerts/server-key.pem
> >
> > The server started with the following error message:
> > 121124 14:41:27 [Warning] Failed to setup SSL
> > 121124 14:41:27 [Warning] SSL error: Failed to set ciphers to use
> >
> > Did I miss something? I tried to add
> > --ssl-cipher=DHE-RSA-AES256-SHA:AES128-SHA and --ssl, but it didn't help.
> >
> > Please give me some clue...
>
> I used the script below to generate ca.crt, client.pem, server.pem.
> This setup has worked for years for replication as well as for PHP scripts.
>
> [root@buildserver:~]$ cat /buildserver/ssl-cert/mysql/generate.sh
> #!/bin/bash
>
> DIR="/buildserver/ssl-cert/mysql"
>
> rm -rf $DIR/cert/
> rm -rf $DIR/db/
> mkdir $DIR/cert/
> mkdir $DIR/db/
>
> touch $DIR/db/index.txt
> echo "01" > $DIR/db/serial
>
> rm -f $DIR/ca.key
> rm -f $DIR/cert/ca.crt
>
> # Self-signed CA certificate and key
> openssl req -new -x509 -days 3650 -keyout $DIR/ca.key \
>     -out $DIR/cert/ca.crt -config $DIR/openssl.cnf
>
> # Server key and CSR, rewrite the key without a passphrase, sign with the CA
> openssl req -new -keyout $DIR/cert/server.key -out $DIR/cert/server.csr \
>     -days 3650 -config $DIR/openssl.cnf
>
> openssl rsa -in $DIR/cert/server.key -out $DIR/cert/server.key
> openssl ca -policy policy_anything -out $DIR/cert/server.crt -days 3650 \
>     -config $DIR/openssl.cnf -infiles $DIR/cert/server.csr
>
> # Client key and CSR, rewrite the key without a passphrase, sign with the CA
> openssl req -new -keyout $DIR/cert/client.key -out $DIR/cert/client.csr \
>     -days 3650 -config $DIR/openssl.cnf
> openssl rsa -in $DIR/cert/client.key -out $DIR/cert/client.key
> openssl ca -policy policy_anything -out $DIR/cert/client.crt -days 3650 \
>     -config $DIR/openssl.cnf -infiles $DIR/cert/client.csr
>
> rm -f $DIR/cert/server.csr
> rm -f $DIR/cert/client.csr
> rm -f $DIR/cert/01.pem
> rm -f $DIR/cert/02.pem
>
> cat $DIR/cert/server.crt $DIR/cert/server.key > $DIR/cert/server.pem
> rm -f $DIR/cert/server.crt
> rm -f $DIR/cert/server.key
>
> cat $DIR/cert/client.crt $DIR/cert/client.key > $DIR/cert/client.pem
> rm -f $DIR/cert/client.crt
> rm -f $DIR/cert/client.key
>
> chmod 644 $DIR/cert/*
> rm -f /etc/mysql-ssl/*
> cp $DIR/cert/* /etc/mysql-ssl/
> chmod 755 /etc/mysql-ssl/
> chmod 644 /etc/mysql-ssl/*
>
>
>
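
The thread verifies the certificates against the CA but not the other inputs handed to mysqld. As an added example (not part of either poster's message; function names are hypothetical), this script also checks that the private key matches the certificate and that a cipher list resolves in the local OpenSSL. It assumes the `openssl` command-line tool is installed and says nothing about what the SSL library mysqld was built with accepts.

```bash
#!/bin/bash
# Added example: pre-flight checks for the files given to mysqld via
# --ssl-ca / --ssl-cert / --ssl-key and for an --ssl-cipher string.
# Function names are hypothetical; only stock openssl subcommands are used.

# 0 if the certificate verifies against the CA (same check as in the thread).
check_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# 0 if the private key belongs to the certificate: compare the public key
# embedded in the certificate with the one derived from the key file.
# "-passin pass:" makes a passphrase-protected key fail instead of prompting.
check_key_matches() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# 0 if the local OpenSSL resolves the cipher list to at least one suite.
# Assumption: mysqld may be linked against a different SSL library, so a
# pass here does not prove the server accepts the same list.
check_ciphers() { openssl ciphers "$1" >/dev/null 2>&1; }

# Run one check, print ok/FAIL with a description, return the check's status.
report() {
    desc=$1; shift
    if "$@"; then echo "ok    $desc"; else echo "FAIL  $desc"; return 1; fi
}

# usage: preflight ca-cert.pem server-cert.pem server-key.pem [cipher-list]
preflight() {
    rc=0
    report "certificate verifies against CA" check_chain "$1" "$2" || rc=1
    report "private key matches certificate" check_key_matches "$2" "$3" || rc=1
    if [ -n "${4:-}" ]; then
        report "cipher list resolves in local OpenSSL: $4" check_ciphers "$4" || rc=1
    fi
    return "$rc"
}

# Run only when file arguments are supplied on the command line.
if [ "$#" -ge 3 ]; then preflight "$@"; fi
```

Called with the file names from the original question, this would be `preflight ./newcerts/ca-cert.pem ./newcerts/server-cert.pem ./newcerts/server-key.pem 'DHE-RSA-AES256-SHA:AES128-SHA'`.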
