[Bug 1076656] Re: mysql --ssl-capath option doesn't work
Thanks, Norvald, for the great analysis.

We're not going to be able to change the build options for already released versions of MySQL. The docs indicate that using the --ssl-ca is the recommended option for this case.

If you want to get the build options changes for the next release 18.04 - I'd suggest confirming it's still an issue on 18.04, trying to get an understanding of why we are building with the bundled version, and then reporting a new bug for 18.04/mysql-5.7.

Thanks for reporting the bug and sorry we don't always have time for a prompt response.

** Changed in: mysql-5.1 (Ubuntu)
   Status: New => Invalid

** Changed in: mysql-5.5 (Ubuntu)
   Status: New => Invalid

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1076656

Title: mysql --ssl-capath option doesn't work

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-5.1/+bug/1076656/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1076656] Re: mysql --ssl-capath option doesn't work
(Would also be possible to retarget this bug to 5.7)

[Bug 1076656] Re: mysql --ssl-capath option doesn't work
Despite have_openssl YES, the community edition of MySQL uses yaSSL, not OpenSSL (have_openssl is just an alias for have_ssl). You've probably stumbled upon this difference between OpenSSL and yaSSL (cut and pasted from http://dev.mysql.com/doc/refman/5.5/en/ssl-options.html#option_general_ssl-capath):

  MySQL distributions built with OpenSSL support the --ssl-capath option. Distributions built with yaSSL do not because yaSSL does not look in any directory and does not follow a chained certificate tree. yaSSL requires that all components of the CA certificate tree be contained within a single CA certificate tree and that each certificate in the file has a unique SubjectName value. To work around this yaSSL limitation, concatenate the individual certificate files comprising the certificate tree into a new file. Then specify the new file as the value of the --ssl-capath option.

The reason this changed is probably that the build options used when packaging for Ubuntu changed. Earlier versions of MySQL in Ubuntu may have been linked against OpenSSL since it was built with the WITH_SSL=yes option. This made the build system pick up OpenSSL if it was installed on the system and use the bundled yaSSL library otherwise, so which library the package used depended on whether the system where the package was built happened to have OpenSSL installed or not. This is obviously not good, so in more recent builds this option has been set to WITH_SSL=bundled, which means that the bundled yaSSL library will always be used.

Regards,
Norvald H. Ryeng

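The workaround quoted in the message above (one concatenated CA file in which every certificate has a unique subject), sketched as an added example that is not part of the original thread or of MySQL: `build_ca_bundle` and `subject_der` are hypothetical names, and the subject is read with a minimal DER walk rather than a full X.509 parser.

```python
import base64
import pathlib
import re
import ssl
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_der(cert):
    """Return the raw DER of the subject Name of an X.509 certificate."""
    _, pos, _ = _tlv(cert, 0)              # Certificate SEQUENCE
    _, pos, _ = _tlv(cert, pos)            # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert, pos)
    if tag == 0xA0:                        # optional [0] version field
        pos = end
    for _ in range(4):                     # serial, sigAlg, issuer, validity
        _, _, pos = _tlv(cert, pos)
    return cert[pos:_tlv(cert, pos)[2]]

def build_ca_bundle(capath_dir, bundle_file):
    """Write every certificate under capath_dir to one file; return count."""
    # Identical copies (e.g. hash-named links in a capath directory) are
    # written once; two different certificates sharing a subject are refused.
    by_subject, out = {}, []
    for path in sorted(pathlib.Path(capath_dir).iterdir()):
        if not path.is_file():
            continue
        for body in PEM_RE.findall(path.read_text(errors="replace")):
            der = base64.b64decode(body)
            subj = subject_der(der)
            if subj not in by_subject:
                by_subject[subj] = der
                out.append(ssl.DER_cert_to_PEM_cert(der))
            elif by_subject[subj] != der:
                raise ValueError(f"subject reused by {path.name}")
    pathlib.Path(bundle_file).write_text("".join(out))
    return len(out)

if __name__ == "__main__" and len(sys.argv) == 3:
    print(build_ca_bundle(sys.argv[1], sys.argv[2]), "certificates written")
```

The resulting file is the one to hand to the client as a single CA file instead of pointing it at the directory.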
[Bug 1076656] Re: mysql --ssl-capath option doesn't work
** Changed in: mysql-5.1 (Ubuntu)
   Importance: Undecided => High

** Changed in: mysql-5.5 (Ubuntu)
   Importance: Undecided => High

[Bug 1076656] Re: mysql --ssl-capath option doesn't work
This bug is also present in mysql-client-core-5.1 on Ubuntu 10.04. It appears to have been introduced with release 5.1.66-0ubuntu0.10.04.1 in Ubuntu 10.04.

** Also affects: mysql-5.1 (Ubuntu)
   Importance: Undecided
   Status: New