Can I use openssl s_client to retrieve the CA certificate for MySQL?
Question
Can I use openssl s_client to retrieve the CA certificate for MySQL?
I have access to the remote database server using the following
mysql -u theuser -h thehost --ssl --ssl-cipher=DHE-RSA-AES256-SHA -p thedatabase
Now I want to do to connect to it using JDBC.
I realize that I need to insert the public certificate into my Java key store . However, I cannot figure out how to retrieve the public certificate. I realize it sits on the remote server in /etc/mysql/ca.pem or a similar place. But, I don't have permission to read that file or even ssh into the machine.
I've tried
openssl s_client -cipher DHE-RSA-AES256-SHA -connect thehost:3306
and some variations. I always get errors. For example
CONNECTED(00000003)
30495:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/BuildRoot/
Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s23_clnt.c:618:
2 answers
solution1
0 ACCPTED 2016-03-05 03:54:25
Can I use openssl s_client to retrieve the CA certificate for MySQL?
You probably can't.
A well configured server will send the server certificate and all intermediate certificates required to build a path to the root CA. You have to have the root CA certificate already.
For example:
$ openssl s_client -connect www.cryptopp.com:443 -tls1 -servername www.cryptopp.com
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=COMODO SSL Unified Communications
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
...
The server sent the server's certificate. Its shown above as 0 s:/OU=Domain Control Validated/OU=COMODO SSL Unified Communications . S means its the Subject, while I means its the issuer.
The server sent two intermediate certificates at 1 and 2 . However, we need to have the Issuer of certificate 2 locally to build the path for validation. The Issuer of certificate 2 goes by the Common Name "AddTrust External CA Root" .
"AddTrust External CA Root" can be downloaded from Comodo's site at [Root] AddTrust External CA Root
It the server sent the root CA, then a bad guy could tamper with the chain and a client would be no wiser. They could swap-in their own CA and use an evil chain.
We can clear the verify error:num=20:unable to get local issuer certificate by fetching the root CA, and then using -CAfile :
$ openssl s_client -connect www.cryptopp.com:443 -tls1 -servername www.cryptopp.com \
-CAfile addtrustexternalcaroot.pem
It will result in a Verify Ok (0) .
solution2
0 2022-12-13 01:58:09
Yes, OpenSSL version 1.1.1 (released on 11 Sep 2018) now supports fetching the server certificate from a MySQL server.
openssl s_client -starttls mysql -connect thehost:3306
Source: answer by Paul Tobias
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.