[Maria-developers] mariadb 10.1.13 fails with openssl on gentoo
If openssl works for others, I'd like to know a working my.cnf to make it work. I have added my SSL the same way as used in dovecot / postfix, no SSL error in mysql, but openssl s_client -showcerts -connect 127.0.0.1:3306 says ssl23 fails; at best I see ssl3/tlsv1 fails. Output is:

CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1460845475
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

How to debug it more from here?
Dunno why you send that to the *developers* list? "maria-discuss@lists.launchpad.net" is for pure user questions, and we both are just users in most cases.

On 17.04.2016 at 01:39, Benny Pedersen wrote:
> If openssl works for others, I'd like to know a working my.cnf to make it work. I have added my SSL the same way as used in dovecot / postfix, no SSL error in mysql, but openssl s_client -showcerts -connect 127.0.0.1:3306 says ssl23 fails; at best I see ssl3/tlsv1 fails. Output is:
>
> CONNECTED(00000003)

Nonsense - it works, likely independent of what openssl says here. Why don't you just try a mysql client first and look at the connection vars?

[root@buildserver:~]$ autotest.php mysql_ssl
/Volumes/dune/buildserver/autotest/parts/mysql_ssl.php
OK: mysql-over-ssl - DHE-RSA-AES128-SHA / TLSv1

[root@buildserver:~]$ openssl s_client -showcerts -connect 127.0.0.1:3306
CONNECTED(00000003)
139800112973696:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 201 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1460881738
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 308 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1460845475
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
>
> How to debug it more from here?

There is nothing to debug.
On 2016-04-17 10:33, Reindl Harald wrote:
> Dunno why you send that to the *developers* list? "maria-discuss@lists.launchpad.net" is for pure user questions, and we both are just users in most cases.
>
> [root@buildserver:~]$ openssl s_client -showcerts -connect 127.0.0.1:3306
> CONNECTED(00000003)
> 139800112973696:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:

Hope developers will check this.
On 17.04.2016 at 13:19, Benny Pedersen wrote:
> On 2016-04-17 10:33, Reindl Harald wrote:
> > Dunno why you send that to the *developers* list? "maria-discuss@lists.launchpad.net" is for pure user questions, and we both are just users in most cases.
> >
> > [root@buildserver:~]$ openssl s_client -showcerts -connect 127.0.0.1:3306
> > CONNECTED(00000003)
> > 139800112973696:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
>
> Hope developers will check this.

It doesn't matter - SSL2/SSL3 is gone. Complain to openssl about why it is tried at all.
On 2016-04-17 13:39, Reindl Harald wrote:
> > [root@buildserver:~]$ openssl s_client -showcerts -connect 127.0.0.1:3306
> > CONNECTED(00000003)
> > 139800112973696:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
> >
> > Hope developers will check this.
>
> It doesn't matter - SSL2/SSL3 is gone. Complain to openssl about why it is tried at all.

openssl s_client -showcerts -connect 127.0.0.1:25 gives me better results with my MTA. Thanks for helping me; I just want a 2nd opinion on that issue you show above as well, as I see it.
Hi, Benny!

On Apr 17, Benny Pedersen wrote:
> If openssl works for others, I'd like to know a working my.cnf to make it work. I have added my SSL the same way as used in dovecot / postfix, no SSL error in mysql, but openssl s_client -showcerts -connect 127.0.0.1:3306 says ssl23 fails; at best I see ssl3/tlsv1 fails. Output is:
>
> CONNECTED(00000003)

Of course, this cannot possibly work. See the client-server protocol description, for example, here:
https://dev.mysql.com/doc/internals/en/connection-phase.html

When the client connects, the server sends the initial handshake packet (where the server announces that it supports SSL). The client replies that it also supports SSL. Only then do the server and client actually start using SSL. s_client does not know the MariaDB/MySQL protocol; it cannot do this initial protocol handshake, so you cannot use it to probe MariaDB or MySQL servers.

Regards,
Sergei
Chief Architect MariaDB
and security@mariadb.org
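The exchange Sergei describes, as an added example that is not part of the thread and not MariaDB's own code: the script below parses the server's cleartext HandshakeV10 greeting, checks the CLIENT_SSL capability bit the server announces, sends the SSLRequest packet, and only then upgrades the socket to TLS, which is the step openssl s_client cannot perform on port 3306. The capability flag values and packet layouts follow the protocol documentation linked above; the function names (probe_mysql_tls, build_sample_handshake) are mine, and the sample greeting bytes are constructed for offline use rather than captured from a real server.

```python
import socket
import ssl
import struct

# Capability flags from the MySQL client/server protocol.
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000


def parse_handshake_v10(payload: bytes) -> dict:
    """Parse a HandshakeV10 payload (packet body, after the 4-byte header)."""
    if payload[0] == 0xFF:  # ERR packet instead of a greeting (e.g. host blocked)
        code, = struct.unpack_from("<H", payload, 1)
        raise ValueError("server sent ERR %d: %r" % (code, payload[3:]))
    if payload[0] != 0x0A:
        raise ValueError("unsupported protocol version %d" % payload[0])
    end = payload.index(b"\x00", 1)
    version = payload[1:end].decode("ascii", "replace")
    pos = end + 1
    conn_id, = struct.unpack_from("<I", payload, pos)
    pos += 4
    salt = payload[pos:pos + 8]                      # auth-plugin-data-part-1
    pos += 8 + 1                                     # plus one filler byte
    caps, = struct.unpack_from("<H", payload, pos)   # lower 16 capability bits
    pos += 2
    charset = status = plugin = None
    if len(payload) > pos:
        charset = payload[pos]
        pos += 1
        status, cap_high = struct.unpack_from("<HH", payload, pos)
        pos += 4
        caps |= cap_high << 16                       # upper 16 capability bits
        auth_len = payload[pos] if caps & CLIENT_PLUGIN_AUTH else 0
        pos += 1 + 10                                # length byte, 10 reserved bytes
        if caps & CLIENT_SECURE_CONNECTION:
            part2 = max(13, auth_len - 8)            # auth-plugin-data-part-2, NUL padded
            salt += payload[pos:pos + part2].rstrip(b"\x00")
            pos += part2
        if caps & CLIENT_PLUGIN_AUTH:
            plugin = payload[pos:payload.index(b"\x00", pos)].decode("ascii")
    return {"server_version": version, "connection_id": conn_id, "salt": salt,
            "capabilities": caps, "charset": charset, "status": status,
            "auth_plugin": plugin, "ssl": bool(caps & CLIENT_SSL)}


def build_ssl_request(server_caps: int, max_packet: int = 1 << 24, charset: int = 33) -> bytes:
    """SSLRequest packet (header + 32-byte payload, sequence id 1): the client's
    'I also want SSL' reply. The TLS ClientHello follows it on the same socket."""
    if not server_caps & CLIENT_SSL:
        raise ValueError("server did not advertise CLIENT_SSL; TLS cannot be negotiated")
    client_caps = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_SSL
    payload = struct.pack("<IIB", client_caps, max_packet, charset) + b"\x00" * 23
    return len(payload).to_bytes(3, "little") + b"\x01" + payload


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf


def read_packet(sock: socket.socket) -> tuple:
    """Read one MySQL packet; returns (sequence_id, payload)."""
    header = _recv_exact(sock, 4)
    return header[3], _recv_exact(sock, int.from_bytes(header[:3], "little"))


def probe_mysql_tls(host: str, port: int = 3306, timeout: float = 5.0) -> dict:
    """Cleartext greeting -> SSLRequest -> TLS upgrade; report what the server offers."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probing only: we want to see the cert, not trust it
    with socket.create_connection((host, port), timeout=timeout) as raw:
        _, greeting = read_packet(raw)
        hs = parse_handshake_v10(greeting)
        raw.sendall(build_ssl_request(hs["capabilities"]))  # raises if no CLIENT_SSL
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"server_version": hs["server_version"], "tls_version": tls.version(),
                    "cipher": tls.cipher(), "peer_cert_der": tls.getpeercert(binary_form=True)}


# Constructed sample greeting for offline use; not captured from a real server.
SAMPLE_CAPS = 0x1 | 0x8 | CLIENT_PROTOCOL_41 | CLIENT_SSL | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH


def build_sample_handshake(caps: int = SAMPLE_CAPS, version: str = "10.1.13-MariaDB") -> bytes:
    """HandshakeV10 payload with a 20-byte salt and mysql_native_password (constructed)."""
    return (b"\x0a" + version.encode() + b"\x00"
            + struct.pack("<I", 42)                        # connection id
            + b"abcdefgh" + b"\x00"                        # salt part 1, filler
            + struct.pack("<H", caps & 0xFFFF)             # capabilities, low 16 bits
            + b"\x21" + struct.pack("<HH", 2, caps >> 16)  # charset, status, caps high
            + b"\x15" + b"\x00" * 10                       # auth data length 21, reserved
            + b"ijklmnopqrst\x00"                          # salt part 2 (12 bytes + NUL)
            + b"mysql_native_password\x00")
```

Run `probe_mysql_tls("127.0.0.1")` against a server with ssl-cert/ssl-key set and it returns the negotiated TLS version, cipher and the DER certificate; against a server whose greeting lacks CLIENT_SSL it raises before any TLS bytes are sent, which is the condition s_client reports as "unknown protocol" because it sends a ClientHello straight into a server that is still waiting for a MySQL packet. Verification is deliberately disabled here because the point is to inspect what the server presents; a real client should verify the certificate against its CA.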
participants (3)
- Benny Pedersen
- Reindl Harald
- Sergei Golubchik