I want my webserver to speak to the MySQL database server over an SSL connection. The Webserver runs CentOS5, the Database Server runs FreeBSD. The certificates are provided by a intermediate CA DigiCert.
MySQL should be using ssl, according to my.cnf
:
# The MySQL server
[mysqld]
port = 3306
socket = /tmp/mysql.sock
ssl
ssl-capath = /opt/mysql/pki/CA
ssl-cert = /opt/mysql/pki/server-cert.pem
ssl-key = /opt/mysql/pki/server-key.pem
When I start MySQL, the daemon starts without errors. This suggests that the certificate files are all readable.
But when I try to connect from the webserver to the database server, I get an error:
[root@webserver ~]# mysql -h mysql.example.org -u user -p
ERROR 2026 (HY000): SSL connection error
And if I try to debug further with openssl:
[root@webserver ~]# openssl s_client -connect mysql.example.org:3306 0>/dev/null
CONNECTED(00000003)
15706:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:
Is this a valid way to test the SSL connection to a MySQL database server? The SSL23_GET_SERVER_HELLO:unknown protocol
message is strange since this typically what you would see if you were speaking SSL on a port intended for non-SSL traffic.
This same openssl command seems to work fine with LDAP & HTTP servers:
$ openssl s_client -connect ldap.example.org:636 0>/dev/null
CONNECTED(00000003)
depth=2 /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
...
$ openssl s_client -connect www.example.org:443 0>/dev/null
CONNECTED(00000003)
depth=0 /DC=org/DC=example/OU=Services/CN=www.example.org
Best Answer
OpenSSL version 1.1.1 (released on 11 Sep 2018) added support for
-starttls mysql
in commit a2d9cfbac5d87b03496d62079aef01c601193b58. Unfortunately I cannot find the reference to this new feature in the OpenSSL changelog.If your distribution does not have this version yet, there is a statically compiled openssl binary at https://testssl.sh/openssl-1.0.2k-dev-chacha.pm.ipv6.Linux+FreeBSD.tar.gz which does support
-starttls mysql
. I found the reference to it in http://www.danneman.org/presentations/Automating_TLS_Configuration_Verification.pdf.For Windows the OpenSSL 1.1.1 binaries can be found at https://wiki.openssl.org/index.php/Binaries
I generated the SSL certificates as described in https://dev.mysql.com/doc/refman/5.7/en/creating-ssl-files-using-openssl.html, tried, and it works:
There is also
-starttls
support for postgres and ldap too in OpenSSL 1.1.1. See https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/apps/s_client.c#L815-L831 for the full list.