
Can I use openssl s_client to retrieve the CA certificate for MySQL?


Can I use openssl s_client to retrieve the CA certificate for MySQL?

I have access to the remote database server using the following

mysql -u theuser -h thehost --ssl --ssl-cipher=DHE-RSA-AES256-SHA -p thedatabase

Now I want to connect to it using JDBC.

I realize that I need to insert the public certificate into my Java key store. However, I cannot figure out how to retrieve the public certificate. I realize it sits on the remote server in /etc/mysql/ca.pem or a similar place. But, I don't have permission to read that file or even ssh into the machine.

I've tried

openssl s_client -cipher DHE-RSA-AES256-SHA  -connect thehost:3306

and some variations. I always get errors. For example

CONNECTED(00000003)
30495:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/BuildRoot/
Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59/src/ssl/s23_clnt.c:618:

Solution

  • Can I use openssl s_client to retrieve the CA certificate for MySQL?

    You probably can't.

    A well configured server will send the server certificate and all intermediate certificates required to build a path to the root CA. You have to have the root CA certificate already.


    For example:

    $ openssl s_client -connect www.cryptopp.com:443 -tls1 -servername www.cryptopp.com
    CONNECTED(00000003)
    depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
    verify error:num=20:unable to get local issuer certificate
    ---
    Certificate chain
     0 s:/OU=Domain Control Validated/OU=COMODO SSL Unified Communications
       i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
     1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
       i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
     2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
       i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    ---
    ...
    

    The server sent the server's certificate. It's shown above as 0 s:/OU=Domain Control Validated/OU=COMODO SSL Unified Communications. s means it's the Subject, while i means it's the Issuer.

    The server sent two intermediate certificates at 1 and 2. However, we need to have the Issuer of certificate 2 locally to build the path for validation. The Issuer of certificate 2 goes by the Common Name "AddTrust External CA Root".

    "AddTrust External CA Root" can be downloaded from Comodo's site at [Root] AddTrust External CA Root

    If the server sent the root CA, then a bad guy could tamper with the chain and a client would be no wiser. They could swap in their own CA and use an evil chain.


    We can clear the verify error:num=20:unable to get local issuer certificate by fetching the root CA, and then using -CAfile:

    $ openssl s_client -connect www.cryptopp.com:443 -tls1 -servername www.cryptopp.com \
      -CAfile addtrustexternalcaroot.pem
    

    It will result in a Verify Ok (0).
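The reasoning in the answer above (walk the s:/i: lines, check that each issuer is the next subject, and find the issuer the server did not send, which must come from the local trust store) as an added Python example; it is not part of the original answer and uses the www.cryptopp.com chain printed above as its sample input.

```python
import re

# Sample "Certificate chain" block as printed by `openssl s_client`, copied from
# the answer above (the www.cryptopp.com chain); the rest of the output is omitted.
CHAIN_OUTPUT = """\
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=COMODO SSL Unified Communications
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
"""

SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s+i:(.*)$")

def parse_chain(text):
    """Return [(subject_dn, issuer_dn), ...] in the order the server sent them."""
    entries, subject = [], None
    for line in text.splitlines():
        m = SUBJECT_RE.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = ISSUER_RE.match(line)
        if m and subject is not None:
            entries.append((subject, m.group(1).strip()))
            subject = None
    return entries

def cn_of(dn):
    """Pull the Common Name out of a slash-separated DN (None if absent)."""
    m = re.search(r"/CN=([^/]+)", dn)
    return m.group(1) if m else None

def chain_is_linked(entries):
    """True if each certificate's issuer is the subject of the next one sent."""
    return all(entries[i][1] == entries[i + 1][0] for i in range(len(entries) - 1))

def missing_issuer(entries):
    """DN that must already be in the local store, or None if the last cert is self-signed."""
    if not entries:
        return None
    subject, issuer = entries[-1]
    return None if issuer == subject else issuer
```

Feed it the output of your own `openssl s_client` run; if missing_issuer() returns a DN, that is the root to fetch from the CA's site and pass via -CAfile, exactly as the answer does for "AddTrust External CA Root".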