Linux – MySQL and SSL with -sha256

hashlinuxMySQLopensslssl-certificate

I'm trying to create some certificate to use with MySQL and everything works fine if I use the sha1 algorithm. If I add the -sha256 switch or -sha384 I can NOT connect to MySQL!. I get this error: ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation

I found a similar question here, but the accepted solution was to use -sha1. I want to use sha2, since Microsoft, Google & Firefox do not recommend to use sha1 anymore.

This is what I use to create the keys. If I remove the -sha256 switch it works fine using sha1. I have also tried with a 2048 bit key, same issue

openssl genrsa 4096 > ca-key.pem
openssl req -sha256 -new -x509 -nodes -days 10000 -key ca-key.pem -out ca-cert.pem

openssl req -sha256 -newkey rsa:4096 -days 10000 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -sha256 -in server-req.pem -days 10000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

openssl req -sha256 -newkey rsa:4096 -days 10000 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -sha256 -in client-req.pem -days 10000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

The certificate verify without issues

openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem

Result:

server-cert.pem: OK
client-cert.pem: OK

my.cnf

[mysqld]
ssl                       = On
ssl-cipher                = DHE-RSA-AES256-SHA
ssl-ca                    = /etc/mysql/ssl/ca-cert.pem
ssl-cert                  = /etc/mysql/ssl/server-cert.pem
ssl-key                   = /etc/mysql/ssl/server-key.pem

Using MySQL 5.5.40

mysql>SELECT version()

5.5.40-0+wheezy1

SSL variables looks okay

mysql> show variables like '%ssl%';
Variable_name            Value
ssl_key                  /etc/mysql/ssl/server-key.pem
ssl_cipher               DHE-RSA-AES256-SHA
ssl_cert                 /etc/mysql/ssl/server-cert.pem
ssl_capath 
ssl_ca                   /etc/mysql/ssl/ca-cert.pem
have_ssl                 YES
have_openssl             YES

Openssl version

~ $  openssl version
OpenSSL 1.0.1e 11 Feb 2013

Best Answer

I have resolved this issue.

I was getting the error: ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation when I was connecting with HeidiSQL version 8.3.0.4694. I failed to mention that as I thought it was not relevant.

I tried connecting using the mysqli and ssl_set function in PHP 5.6.2, and that worked.

So the problem was not MySQL. I then installed HeidiSQL 9.0.0.4865 and it connected flawless with a certificate using sha256

Related Solutions

How to get iPXE to boot from HTTPS server with self signed cert

You need to add your certificate to the CA used by ipxe.

Another solution would be to create a private CA (a root certificate that you will use to sign the host certificates), then configure ipxe to use this CA. See: http://ipxe.org/cfg/crosscert

The best solution is to sign your certificates by a public CA.

Linux – How to create ssl certificate for multiple domains which requires the CA root key in Linux

NameBased SSL VirtualHosts

This problem occurs if you use multiple Name Based Virtual Hosts and SSL on a single IP-address. The Web-server does not know the name of the requested host until the SSL handshake is done, because the HTTP request headers are part of the encrypted content.

In reality, a Web-server like Apache will allow you to configure name-based SSL virtual hosts, but it will always use the configuration from the first-listed virtual host (on the selected IP address and port) to setup the encryption layer. See https://wiki.apache.org/httpd/NameBasedSSLVHosts for more information.

You can use one certificate for multiple virtual hosts if they are on the same domain using a Wildcard certificate like *.example.com, which will work for one.example.com and two.example.com.

NameBased SSL VirtualHosts with SNI

The solution is an extension to the SSL protocol called Server Name Indication (SNI), which allows the client to include the requested hostname in the first message of its SSL handshake. See https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI for more information.

Apache needs to be built with OpenSSL (with the TLS Extensions option enable-tlsext enabled; OpenSSL 0.9.8k and later has this enabled by default)

To check if your Apache installation supports SNI, take the following steps:

Enable NameVirtualHost for SSL in /etc/apache2/ports.conf:

<IfModule mod_ssl.c>
  NameVirtualHost *:443
  Listen 443
</IfModule>

Create two SSL VirtualHosts in /etc/apache2/sites-available/default-ssl

<VirtualHost *:443>
  ServerName www.example1.com
  DocumentRoot /var/www/example1
  SSLEngine on
  SSLCertificateFile    /etc/apache2/example1.com.cert
  SSLCertificateKeyFile /etc/apache2/example1.com.key
</VirtualHost>

<VirtualHost *:443>
  ServerName www.example2.com
  DocumentRoot /var/www/example2
  SSLEngine on
  SSLCertificateFile    /etc/apache2/example2.com.cert
  SSLCertificateKeyFile /etc/apache2/example2.com.key
</VirtualHost>

Enable mod_ssl:

# a2enmod ssl

Enable the SSL site:

# a2ensite default-ssl

Restart Apache:

# /etc/init.d/apache2 restart

Now if you tail the Apache error log and you see the following message, it means SNI is builtin.

[warn] Init: Name-based SSL virtual hosts only work for clients with \
       TLS server name indication support (RFC 4366)

Otherwise you will see an Apache startup a message like You should not use name-based virtual hosts in conjunction with SSL!!

Now if you signed your two certificates example1.com.cert and example2.com.cert with your CA certificate, added it to your Browser's trusted list and your Browser supports SNI, you should be able to access https://www.example1.com and https://www.example2.com without any complaints from your Browser.

NameBased SSL VirtualHosts with GnuTLS

GnuTLS is an LGPL-licensed implementation of Transport Layer Security, the successor to SSL. With GnuTLS you can create a single certificate valid for multiple domains and wildcard domains, like this:

DNS Name: example1.com
DNS Name: *.example1.com
DNS Name: example2.com
DNS Name: *.example2.com
DNS Name: example3.com
DNS Name: *.example3.com

See https://help.ubuntu.com/community/GnuTLS for a detailed guide on using GnuTLS.

Best Answer

Related Solutions

How to get iPXE to boot from HTTPS server with self signed cert

Linux – How to create ssl certificate for multiple domains which requires the CA root key in Linux

Related Topic