Can't connect to mysql using self-signed SSL certificate

Posted by carpii on Server Fault
Published on 2012-06-17T01:47:08Z Indexed on 2012/06/17 3:19 UTC

After creating a self-signed SSL certificate, I have configured my remote mysqld to use it (and SSL is enabled).

I ssh into my remote server and try connecting to its own mysqld using SSL (MySQL server is 5.5.25):

~> mysql -u <user> -p --ssl=1 --ssl-cert=client.cert --ssl-key=client.key --ssl-ca=ca.cert
Enter password: 
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)

Ok, I remember reading there's some problem with connecting to the same server via SSL. So I download the client keys down to my local box, and test from there...

~> mysql -h <server> -u <user> -p --ssl=1 --ssl-cert=client.cert --ssl-key=client.key --ssl-ca=ca.cert 
Enter password: 
ERROR 2026 (HY000): SSL connection error

It's unclear what this "SSL connection error" error refers to, but if I omit the --ssl-ca, then I am able to connect using SSL:

~> mysql -h <server> -u <user> -p --ssl=1 --ssl-cert=client.cert --ssl-key=client.key 
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 37
Server version: 5.5.25 MySQL Community Server (GPL)

However, I believe that this is only encrypting the connection, and not actually verifying the validity of the cert (meaning I would be potentially vulnerable to a man-in-the-middle attack).

The SSL certs are valid (albeit self-signed), and do not have a passphrase on them.

So my question is, what am I doing wrong? How can I connect via SSL, using a self-signed certificate?

MySQL Server version is 5.5.25 and the server and clients are CentOS 5. Thanks for any advice.

Edit: Note that in all cases, the command is being issued from the same directory where the SSL keys reside (hence no absolute path).

© Server Fault or respective owner
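
An offline check of the kind of files passed to --ssl-ca, --ssl-cert and --ssl-key, added here as an example and not part of the original post. It runs against a throwaway PKI that it constructs itself; server.*, stray.* and the subject names are assumptions.

```shell
#!/bin/sh
# Constructed demo PKI. ca.cert, client.cert and client.key are the file names
# from the post; server.*, stray.* and the subject names are assumptions.

# issue DIR NAME: new key plus a certificate for NAME signed by DIR/ca.cert
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.cert" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/$2.cert" 2>/dev/null
}

# make_demo_pki DIR: a CA, two certificates it issued, and stray.cert, which is
# self-signed on its own and therefore was not issued by ca.cert
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.cert" 2>/dev/null &&
    issue "$1" server && issue "$1" client &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=stray" \
        -keyout "$1/stray.key" -out "$1/stray.cert" 2>/dev/null
}

# chains_to_ca CA CERT: succeed only if CERT verifies against the CA file
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert KEY CERT: does the private key belong to the certificate?
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Demo run over the constructed files
demo=$(mktemp -d) && make_demo_pki "$demo" &&
for f in server client stray; do
    if chains_to_ca "$demo/ca.cert" "$demo/$f.cert"
    then echo "$f.cert: issued by ca.cert"
    else echo "$f.cert: NOT issued by ca.cert"
    fi
done
rm -rf "$demo"
```

With the functions loaded, chains_to_ca and key_matches_cert can be pointed at real files from the directory that holds them, for example the ca.cert, client.cert and client.key named in the commands above.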