[Bug 1890611] Re: mysql-server does not take into account configured ssl parameters
There is no fundamental difference between a "public" and a "private" CA. The only difference is in what root certificates (if any) are trusted.

Since your report is "mysql-server does not take into account configured ssl parameters" I see no reason why a simple reproduction of your case with self-signed certificates should not be possible.

I suggest you start by trying to provide full steps to reproduce your problem using self-signed certificates. If you cannot, but the same configuration steps do not work when adjusted to use certificates signed by Let's Encrypt, then that would demonstrate that the problem somehow only exhibits itself when using a "public CA".

Either way, please provide such reproduction steps and then we can look again.

** Changed in: mysql-8.0 (Ubuntu)
       Status: New => Incomplete

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1890611

Title:
  mysql-server does not take into account configured ssl parameters

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-8.0/+bug/1890611/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1890611] Re: mysql-server does not take into account configured ssl parameters
I meant Let's Encrypt as a public certificate ... authority.

Also, if it is of any help:

mysql> status
--------------
mysql  Ver 8.0.21-0ubuntu4 for Linux on x86_64 ((Ubuntu))

Connection id:          31
Current database:
Current user:           root@localhost
SSL:                    Not in use
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         8.0.21-0ubuntu4 (Ubuntu)
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    utf8mb4
Db     characterset:    utf8mb4
Client characterset:    utf8mb4
Conn.  characterset:    utf8mb4
UNIX socket:            /var/run/mysqld/mysqld.sock
Binary data as:         Hexadecimal
Uptime:                 15 hours 45 min 24 sec
[Bug 1890611] Re: mysql-server does not take into account configured ssl parameters
I appreciate the time you took to answer.

However, your example is a different use case: you're using a self-signed certificate with a private CA. My use case uses a public CA (namely Let's Encrypt, but it could be anything else).

In my setup, client and servers are on totally different machines. They should be able to communicate over TLS like you're using your browser right now to communicate over https with the remote server https://bugs.launchpad.net/ which happens to also use Let's Encrypt as a public certificate.

I am aware that the official mysql doc only displays SSL examples using only a private CA. I suspect this issue to come from an inability to perform correctly with a public CA/certificate.

** Changed in: mysql-8.0 (Ubuntu)
       Status: Incomplete => New
[Bug 1890611] Re: mysql-server does not take into account configured ssl parameters
Hello Jean,

Thank you for taking the time to file a bug report.

So, in a clean Focal installation, if I do:

"""
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mysql.conf.d/

[mysql]
ssl-ca=/etc/mysql/ssl/ca.pem
ssl-cert=/etc/mysql/ssl/client-cert.pem
ssl-key=/etc/mysql/ssl/client-key.pem
ssl-capath=/etc/mysql/ssl/

[mysqld]
ssl-ca=/etc/mysql/ssl/ca.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem
ssl-capath=/etc/mysql/ssl/
"""

in my.cnf... I get:

2020-08-14T18:16:44.983214Z 0 [Warning] [MY-013414] [Server] Server SSL certificate doesn't verify: self signed certificate
2020-08-14T18:16:44.983499Z 0 [Warning] [MY-010068] [Server] CA certificate /etc/mysql/ssl/ca.pem is self signed.
2020-08-14T18:16:44.983822Z 0 [Warning] [MY-010068] [Server] CA certificate /etc/mysql/ssl//ca.pem is self signed.
2020-08-14T18:16:44.984106Z 0 [Warning] [MY-010068] [Server] CA certificate /etc/mysql/ssl//server-cert.pem is self signed.
2020-08-14T18:16:44.984412Z 0 [Warning] [MY-010068] [Server] CA certificate /etc/mysql/ssl//client-cert.pem is self signed.
2020-08-14T18:16:44.984777Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.

in /var/log/mysql/error.log. Meaning that my certificate is being used.

When testing:

mysql> status
--------------
mysql  Ver 8.0.21-0ubuntu0.20.04.4 for Linux on x86_64 ((Ubuntu))

Connection id:          19
Current database:
Current user:           root@localhost
SSL:                    Cipher in use is TLS_AES_256_GCM_SHA384
Current pager:          less -R --chop-long-lines
Using outfile:          ''
Using delimiter:        ;
Server version:         8.0.21-0ubuntu0.20.04.4 (Ubuntu)
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    utf8mb4
Db     characterset:    utf8mb4
Client characterset:    utf8mb4
Conn.  characterset:    utf8mb4
UNIX socket:            /var/run/mysqld/mysqld.sock
Binary data as:         Hexadecimal
Uptime:                 7 min 57 sec

and all certificates were created using Example 1 of https://dev.mysql.com/doc/refman/5.7/en/creating-ssl-files-using-openssl.html.

Permissions are:

$ ls -lahR ssl
ssl:
total 40K
drwxr-x--- 2 mysql root 4.0K Aug 14 18:31 .
drwxr-xr-x 5 root  root 4.0K Aug 14 17:40 ..
-rw------- 1 mysql root 1.7K Aug 14 18:29 ca-key.pem
-rw-r--r-- 1 mysql root 1.4K Aug 14 18:29 ca.pem
-rw-r--r-- 1 mysql root 1.2K Aug 14 18:29 client-cert.pem
-rw-r--r-- 1 mysql root 1.7K Aug 14 18:29 client-key.pem
-rw------- 1 mysql root 1001 Aug 14 18:29 client-req.pem
-rw------- 1 mysql root 1.2K Aug 14 18:29 server-cert.pem
-rw------- 1 mysql root 1.7K Aug 14 18:29 server-key.pem
-rw------- 1 mysql root 1001 Aug 14 18:29 server-req.pem

Note that some files are +r just so my user can read them when executing mysql client.

With all that said, could you point out where you think the bug is and/or a way to reproduce what you are facing?

Note: your openssl s_client command should change CA and verification paths to the place where you're placing the SSL certificates for mysql server. Nevertheless, it's much easier to simply test it using the mysql client using the same configuration changes as [mysqld] in my.cnf.

Since it seems likely to me that this is a local configuration problem, rather than a bug in Ubuntu, I am marking this bug as 'Incomplete'.

However, if you believe that this is really a bug in Ubuntu, then we would be grateful if you would provide a more complete description of the problem with steps to reproduce, explain why you believe this is a bug in Ubuntu rather than a problem specific to your system, and then change the bug status back to "New".

For local configuration issues, you can find assistance here: http://www.ubuntu.com/support/community

** Changed in: mysql-8.0 (Ubuntu)
       Status: New => Incomplete
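
Added example (not part of the original thread, and not MySQL or Ubuntu code): a small parser that turns the error.log lines quoted in the message above into a TLS start-up summary, and reads the "SSL:" line of a client `status` output. The function names are hypothetical, the line layout is inferred from the six log lines quoted in the thread, and only the three MY- codes that appear there are interpreted.

```python
import posixpath
import re

# Constructed sample: the error.log lines quoted in the message above.
SAMPLE_LOG = """\
2020-08-14T18:16:44.983214Z 0 [Warning] [MY-013414] [Server] Server SSL certificate doesn't verify: self signed certificate
2020-08-14T18:16:44.983499Z 0 [Warning] [MY-010068] [Server] CA certificate /etc/mysql/ssl/ca.pem is self signed.
2020-08-14T18:16:44.983822Z 0 [Warning] [MY-010068] [Server] CA certificate /etc/mysql/ssl//ca.pem is self signed.
2020-08-14T18:16:44.984106Z 0 [Warning] [MY-010068] [Server] CA certificate /etc/mysql/ssl//server-cert.pem is self signed.
2020-08-14T18:16:44.984412Z 0 [Warning] [MY-010068] [Server] CA certificate /etc/mysql/ssl//client-cert.pem is self signed.
2020-08-14T18:16:44.984777Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
"""

# timestamp, thread id, [severity], [code], [subsystem], message
LINE_RE = re.compile(r"^(\S+) (\d+) \[(\w+)\] \[(MY-\d+)\] \[(\w+)\] (.*)$")


def parse_error_log(text):
    """Return (timestamp, severity, code, message) for each well-formed line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, _thread, severity, code, _subsystem, message = m.groups()
            entries.append((ts, severity, code, message))
    return entries


def tls_summary(entries):
    """Summarise TLS start-up state from the three codes seen in this thread."""
    channels, self_signed, verify_failed = [], set(), False
    for _ts, _severity, code, message in entries:
        if code == "MY-013602":    # "Channel <name> configured to support TLS."
            channels.append(message.split()[1])
        elif code == "MY-013414":  # "Server SSL certificate doesn't verify: ..."
            verify_failed = True
        elif code == "MY-010068":  # "CA certificate <path> is self signed."
            # ssl-ca and ssl-capath can name one file twice ("ssl//ca.pem").
            self_signed.add(posixpath.normpath(message.split()[2]))
    return {"tls_channels": channels, "cert_verify_failed": verify_failed,
            "self_signed_cas": sorted(self_signed)}


def client_uses_tls(status_output):
    """True/False from the 'SSL:' line of the client's `status`; None if absent."""
    m = re.search(r"^SSL:\s*(.+)$", status_output, re.MULTILINE)
    return None if m is None else not m.group(1).startswith("Not in use")
```

Run `tls_summary(parse_error_log(...))` on the server's error.log and `client_uses_tls(...)` on the client's `status` text to see separately whether the server enabled TLS and whether a given session is using it.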
[Bug 1890611] Re: mysql-server does not take into account configured ssl parameters
** Information type changed from Private Security to Public Security