Use of default SSL cert/key on MySQL 5.7?

I have a Percona MySQL 5.7 (5.7.21-20-log) installed using apt-get. When I connect to it using the root account and check the SSL status:

# mysql --ssl
mysql> show variables like '%ssl%';
+---------------+-----------------+
| Variable_name | Value           |
+---------------+-----------------+
| have_openssl  | YES             |
| have_ssl      | YES             |
| ssl_ca        | ca.pem          |
| ssl_capath    |                 |
| ssl_cert      | server-cert.pem |
| ssl_cipher    |                 |
| ssl_crl       |                 |
| ssl_crlpath   |                 |
| ssl_key       | server-key.pem  |
+---------------+-----------------+

mysql> status
--------------
mysql  Ver 14.14 Distrib 5.7.21-20, for debian-linux-gnu (x86_64) using  6.3

Connection id:      31
Current database:
Current user:       root@localhost
SSL:            Cipher in use is ECDHE-RSA-AES128-GCM-SHA256

So by default, SSL is being used. However, when I use the full command

mysql -h 127.0.0.1 -P 3306 -u root  -p  --ssl-ca=/var/lib/mysql/ca.pem --ssl-cert=/var/lib/mysql/server-cert.pem --ssl-key=/var/lib/mysql/server-key.pem

It returns an error:

ERROR 2026 (HY000): SSL connection error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

Your problem is using the server certificate and key on the client side:

--ssl-cert=/var/lib/mysql/server-cert.pem --ssl-key=/var/lib/mysql/server-key.pem

As documented in 6.4.2 Command Options for Encrypted Connections (emphasis is mine):

--ssl-cert=file_name

The path name of the SSL public key certificate file in PEM format. On the client side, this is the client public key certificate. On the server side, this is the server public key certificate. On the server side, this option implies --ssl.

--ssl-key=file_name

The path name of the SSL private key file in PEM format. On the client side, this is the client private key. On the server side, this is the server private key. On the server side, this option implies --ssl.

You can force the TLS connection using --ssl, alone:

mysql -h 127.0.0.1 -P 3306 -u root -p --ssl

Also useful here might be the --ssl-cipher=cipher_list option. With it you can verify that the connection doesn't use any cipher you don't want, even when it is allowed in the server configuration. However, when you have power over both, this should be configured primarily on the server side.
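
A pre-flight check for the point made in the answer above, as an added example that is not part of the original thread: before passing files to --ssl-ca, --ssl-cert and --ssl-key, confirm that the certificate chains to the CA, that the key belongs to it, and that it is not the server's own certificate. The function names, the throwaway demo PKI and the client-cert.pem/client-key.pem file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# check_client_tls CA CERT KEY SERVER_CERT
# Returns 0 if CERT/KEY are usable as the client's --ssl-cert/--ssl-key:
#   1 = CERT does not chain to CA, 2 = KEY does not belong to CERT,
#   3 = CERT is the server's own certificate (the mix-up in the question).
check_client_tls() {
    ca=$1; cert=$2; key=$3; server_cert=$4
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert is not signed by $ca" >&2; return 1; }
    # Same public key in certificate and private key => they are a pair.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert" >&2; return 2
    fi
    fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256) || fp=
    server_fp=$(openssl x509 -in "$server_cert" -noout -fingerprint -sha256) || server_fp=
    if [ "$fp" = "$server_fp" ]; then
        echo "FAIL: $cert is the server certificate, not a client one" >&2; return 3
    fi
    echo "OK: $(openssl x509 -in "$cert" -noout -subject)"
}

# make_demo_pki DIR: constructed throwaway CA plus server and client pairs,
# named like the files in the question (client-*.pem names are an assumption).
make_demo_pki() {
    d=$1; serial=1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$d/ca-key.pem" -out "$d/ca.pem" 2>/dev/null || return 1
    for role in server client; do
        serial=$((serial + 1))
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$role" \
            -keyout "$d/$role-key.pem" -out "$d/$role.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$d/$role.csr" -days 1 -CA "$d/ca.pem" \
            -CAkey "$d/ca-key.pem" -set_serial "$serial" \
            -out "$d/$role-cert.pem" 2>/dev/null || return 1
    done
}

# Run as: sh check.sh CA CERT KEY SERVER_CERT
if [ "$#" -eq 4 ]; then check_client_tls "$@"; fi
```

A certificate and key that pass all three checks are the ones to hand to the client; the server pair from the question fails with return code 3.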