CODEWITHSUNDEEP
sslssl-certificatemariadbraspbian
Markus
Markus

Reputation: 11

have_ssl on MariaDB stays DISABLED, can't enable SSL on Debian and YaSSL

I am trying to set up MariaDB with TLS on a Raspberry 3, running dietpi with LAMP installed. Maria DB 10.1.23

I followed the official docu on mariadb.com and also tried the linked guideline.

However, when I look at my variables, have_ssl stays DISABLED.

    MariaDB [(none)]> SHOW VARIABLES LIKE '%ssl%';
+---------------------+--------------------------------+
| Variable_name       | Value                          |
+---------------------+--------------------------------+
| have_openssl        | NO                             |
| have_ssl            | DISABLED                       |
| ssl_ca              | /etc/mysql/ssl/ca-cert.pem     |
| ssl_capath          |                                |
| ssl_cert            | /etc/mysql/ssl/server-cert.pem |
| ssl_cipher          |                                |
| ssl_crl             |                                |
| ssl_crlpath         |                                |
| ssl_key             | /etc/mysql/ssl/server-key.pem  |
| version_ssl_library | YaSSL 2.4.2                    |
+---------------------+--------------------------------+
10 rows in set (0.01 sec)

This is my /etc/mysql/mariadb.conf.d/50-server.cnf

#
 ssl-ca=/etc/mysql/ssl/ca-cert.pem
 ssl-cert=/etc/mysql/ssl/server-cert.pem
 ssl-key=/etc/mysql/ssl/server-key.pem
#
# Accept only connections using the latest and most secure TLS protocol version.
# ..when MariaDB is compiled with OpenSSL:
# ssl-cipher=TLSv1.2
# ..when MariaDB is compiled with YaSSL (default in Debian):
 ssl=on

When trying openssl s_client I get the following result:

openssl s_client -state -nbio -debug -connect 127.0.0.1:3306 | grep "ssl"
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:error in SSLv3/TLS write client hello
1995634080:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:

openssl s_client -connect 127.0.0.1:3306
CONNECTED(00000003)
1995855264:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1542233581
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

I also tried to connect from another Raspi with this result:

root@DietPi:/etc/mysql/ssl# openssl s_client -state -nbio -debug -connect 192.168.1.89:3306 | grep "^ssl"
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
SSL_connect:error in SSLv2/v3 read server hello A
548036626192:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:782:

My research so far was not very successful. No solutions worked or fit to my environment. I also tried to install analyze-ssl.pl, but the installation of cpan App::cpanminus failed with 

Writing MYMETA.yml and MYMETA.json
  MIYAGAWA/App-cpanminus-1.7044.tar.gz
  /usr/bin/perl Makefile.PL INSTALLDIRS=site -- OK
Running make for M/MI/MIYAGAWA/App-cpanminus-1.7044.tar.gz
  MIYAGAWA/App-cpanminus-1.7044.tar.gz
  make -- NOT OK

I will try to install analyze-ssl.pl tomorrow or open another thread. Just wanted to explain what I tried.

I would be happy if someone could help me solve my riddle.

Thanks! Markus

Upvotes: 1

Views: 6167

Answers (2)

Roberto
Roberto

Reputation: 1097

Had the exact same problem. The solution by @David didn't work for me, but this helped: https://serverfault.com/questions/950451/mariadb-mysql-shows-have-ssl-disabled-when-certs-are-installled

Turns out that the mysql user needs to own the certificate files.

Upvotes: 1

David GAY
David GAY

Reputation: 11

you can try to convert you PKCS#8 key generate by default by openssl to PKCS#1 key for mariadb 

openssl rsa -in pcks#8.key -out pkcs#1.key

after this operation mariadb say

MariaDB [(none)]>  SHOW VARIABLES LIKE '%ssl%';
+---------------------+-----------------------------------------------+
| Variable_name       | Value                                         |
+---------------------+-----------------------------------------------+
| have_openssl        | NO                                            |
| have_ssl            | YES                                           |
| ssl_ca              | /etc/mysql/ssl/mariaDB-CA.pem                 |
| ssl_capath          |                                               |
| ssl_cert            | /etc/mysql/ssl/server.pem                     |
| ssl_cipher          |                                               |
| ssl_crl             |                                               |
| ssl_crlpath         |                                               |
| ssl_key             | /etc/mysql/ssl/server.key                     |
| version_ssl_library | YaSSL 2.4.4                                   |
+---------------------+-----------------------------------------------+

David

Upvotes: 1

Related Questions