All I can tell is that as soon as I create certificates by the book:

http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html

like this:

...
openssl version
mkdir cert
cd cert
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca-cert.pem
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
...

everything works:

[openxs@chief msb_5_5_30]$ ./use -uroot test
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.5.30-rel30.2 Percona Server with XtraDB (GPL), Release rel30.2, Revision 500

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql [localhost] {root} (test) > grant all privileges on test.* to 'user'@'localhost' identified by 'user' require ssl;
Query OK, 0 rows affected (0.00 sec)

mysql [localhost] {root} (test) > exit
Bye
[openxs@chief msb_5_5_30]$ ./use -uuser -puser test
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 6
Server version: 5.5.30-rel30.2 Percona Server with XtraDB (GPL), Release rel30.2, Revision 500

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql [localhost] {user} (test) > select current_user();
+----------------+
| current_user() |
+----------------+
| user@localhost |
+----------------+
1 row in set (0.00 sec)

mysql [localhost] {user} (test) > show status like 'ssl_cipher';
+---------------+--------------------+
| Variable_name | Value              |
+---------------+--------------------+
| Ssl_cipher    | DHE-RSA-AES256-SHA |
+---------------+--------------------+
1 row in set (0.00 sec)

mysql [localhost] {user} (test) > status
--------------
/home/openxs/5.5.30/bin/mysql Ver 14.14 Distrib 5.5.30, for Linux (x86_64) using readline 5.1

Connection id:          6
Current database:       test
Current user:           user@localhost
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         5.5.30-rel30.2 Percona Server with XtraDB (GPL), Release rel30.2, Revision 500
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    latin1
Db characterset:        latin1
Client characterset:    utf8
Conn. characterset:     utf8
UNIX socket:            /tmp/mysql_sandbox5530.sock
Uptime:                 4 min 50 sec

Threads: 1 Questions: 40 Slow queries: 0 Opens: 33 Flush tables: 1 Open tables: 26 Queries per second avg: 0.137
--------------

mysql [localhost] {user} (test) > exit
Bye

Details of my environment:

[openxs@chief msb_5_5_30]$ cat /etc/issue
Fedora release 14 (Laughlin)
Kernel \r on an \m (\l)

[openxs@chief msb_5_5_30]$ uname -a
Linux chief 2.6.35.14-106.fc14.x86_64 #1 SMP Wed Nov 23 13:07:52 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
[openxs@chief msb_5_5_30]$ openssl version
OpenSSL 1.0.0e-fips 6 Sep 2011
[openxs@chief msb_5_5_30]$ openssl verify -CAfile /home/openxs/cert/ca-cert.pem /home/openxs/cert/server-cert.pem /home/openxs/cert/client-cert.pem
/home/openxs/cert/server-cert.pem: OK
/home/openxs/cert/client-cert.pem: OK
[openxs@chief msb_5_5_30]$ cat my.sandbox.cnf
# The MySQL Sandbox
# Copyright (C) 2006-2013 Giuseppe Maxia
# Contacts: http://datacharmer.org
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA

[mysql]
prompt='mysql [\h] {\u} (\d) > '
#

[client]
user = msandbox
password = msandbox
port = 5530
socket = /tmp/mysql_sandbox5530.sock
ssl-ca=/home/openxs/cert/ca-cert.pem
ssl-cert=/home/openxs/cert/client-cert.pem
ssl-key=/home/openxs/cert/client-key.pem

[mysqld]
user = openxs
port = 5530
socket = /tmp/mysql_sandbox5530.sock
basedir = /home/openxs/5.5.30
datadir = /home/openxs/sandboxes/msb_5_5_30/data
tmpdir = /home/openxs/sandboxes/msb_5_5_30/tmp
pid-file = /home/openxs/sandboxes/msb_5_5_30/data/mysql_sandbox5530.pid
#log-slow-queries = /home/openxs/sandboxes/msb_5_5_30/data/msandbox-slow.log
#log = /home/openxs/sandboxes/msb_5_5_30/data/msandbox.log
#
# additional options passed through 'my_clause'
#
log-error=msandbox.err
ssl-ca=/home/openxs/cert/ca-cert.pem
ssl-cert=/home/openxs/cert/server-cert.pem
ssl-key=/home/openxs/cert/server-key.pem

[openxs@chief msb_5_5_30]$ openssl x509 -text -in /home/openxs/cert/client-cert.pem | grep CN
Issuer: C=UA, ST=KIEV, L=KIEV, O=Percona One, OU=support, CN=chief1/emailAddress=vk1@a.com
Subject: C=UA, ST=KIEV, L=KIEV, O=Percona Three, OU=support, CN=chief3/emailAddress=vk2@a.com

It had been like that all the time for me. So I continue to assume that the problem is with certificates that are "not OK" for the OpenSSL library used in the system (while they were "OK" for yassl), or with the OpenSSL version used itself.
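
Added example, not part of the original comment: a POSIX shell sketch of the checks the comment performs by hand (`openssl verify`, comparing Issuer and Subject CN), plus a key/certificate match test. The MySQL manual page linked above requires the server and client Common Names to differ from the CA's for OpenSSL builds. The function names, the `Example One`/`Example Two` organisations and the CNs used here are constructed sample values.

```sh
# Added example: sanity checks for a MySQL CA/server/client certificate set.
# Every name and CN below is a constructed sample value.

cert_cn() {  # $1 = certificate file; prints the subject commonName
  openssl x509 -noout -subject -nameopt multiline -in "$1" |
    sed -n 's/^ *commonName *= *//p'
}

# Succeeds only if the cert chains to the CA, matches its private key,
# and carries a subject CN different from the CA's CN.
check_cert() {  # $1 = CA cert, $2 = cert, $3 = key
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
    { echo "$2: does not verify against CA" >&2; return 1; }
  [ "$(openssl x509 -noout -modulus -in "$2")" = \
    "$(openssl rsa -noout -modulus -in "$3" 2>/dev/null)" ] ||
    { echo "$2: private key does not match" >&2; return 1; }
  [ "$(cert_cn "$2")" != "$(cert_cn "$1")" ] ||
    { echo "$2: subject CN equals CA CN" >&2; return 1; }
}

make_ca() {  # $1 = dir, $2 = CA CN
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 3600 \
    -subj "/O=Example One/CN=$2" \
    -keyout "$1/ca-key.pem" -out "$1/ca-cert.pem" 2>/dev/null
}

make_leaf() {  # $1 = dir, $2 = server|client, $3 = CN, $4 = serial
  openssl req -newkey rsa:2048 -nodes -subj "/O=Example Two/CN=$3" \
    -keyout "$1/$2-key.pem" -out "$1/$2-req.pem" 2>/dev/null &&
  openssl x509 -req -in "$1/$2-req.pem" -days 3600 -CA "$1/ca-cert.pem" \
    -CAkey "$1/ca-key.pem" -set_serial "$4" -out "$1/$2-cert.pem" 2>/dev/null
}

demo() {  # builds a throwaway set in a temp dir and reports each check
  r=""
  d=$(mktemp -d) || return 1
  make_ca "$d" chief1 && make_leaf "$d" server chief2 01 &&
    make_leaf "$d" client chief1 02 || return 1  # client reuses the CA's CN
  for n in server client; do
    if check_cert "$d/ca-cert.pem" "$d/$n-cert.pem" "$d/$n-key.pem" 2>/dev/null
    then r="$r$n=ok "; else r="$r$n=fail "; fi
  done
  rm -rf "$d"; echo "${r% }"
}
```

Calling `demo` shows that the client certificate still passes `openssl verify` while failing the CN comparison, so the verify step alone does not catch a reused Common Name.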