Verify that the modulus of the key is the same as the certificate one.

$ openssl x509 -noout -modulus -in server.crt | md5sum
$ openssl rsa -noout -modulus -in server.key | md5sum

These two hashes should be the same. In case they are not, the certificate does not match the key, and the MySQL server will report DISABLED in this case.
Verify that the CA certificate is correct and that the certificate chain is in the proper order. For example, StartSSL Class 1 certificates should have sub.class1.server.ca.pem first and then the ca.pem root CA certificate itself. However, I found out that specifying the Class 1 intermediate certificate is enough. Failure to set the CA certificates right would lead to the following message on the client:
After connection, check that it is actually done over SSL:

Use the REQUIRE keyword to specify the SSL connection checks. SSL simply requires that a connection was using SSL. X509 would require the client certificate to be verifiable against the server CA certificate. Additionally you can use CIPHER. However, due to a bug in MySQL that requires a specific order of RDNs, and an Ubuntu MySQL upstart configuration bug that breaks logging to syslog, this may take a while to figure out; see the bug report for a workaround. The following works with my StartSSL certificate:

GRANT ALL ON *.* TO 'user'@'my-host' REQUIRE SUBJECT '/C=UA/CN=my-clienthost.lappyfamily.net/emailAddress=firstname.lastname@example.org' AND ISSUER '/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA';
Configure the firewall to limit access to the MySQL server to a set of known addresses.
Remember that mysql clients don't verify the server certificate host name. This is also one of the cases where you may want to create your own CA: if you are using REQUIRE X509 only, any other client holding a certificate from the same public CA passes the certificate check just because it was issued by the same authority, which a private CA prevents.