Learned a neat trick today for diagnosing failing SSL connections in programs that use the OpenSSL libraries, which are notorious for providing crappy SSL error information. You can use the openssl executable to set up a simple test client/server exchange and see any errors that occur in the process:
The server:
openssl s_server -cert /path/to/server-cert.crt -key /path/to/server-cert.key -www
The client:
openssl s_client -CAfile /path/to/ca-cert.pem -connect 127.0.0.1:4433
These commands print out various information when establishing or attempting to establish a connection, in my case reminding me that my cert had expired (which MySQL clearly communicated to me by saying “ASN: bad other signature confirmation”).
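The same server/client pair as a self-contained loopback test, as an added example that is not part of the original post: it generates a throwaway CA and server certificate, runs `s_server` and `s_client` against each other, extracts the "Verify return code" line, and checks expiry directly with `openssl x509 -checkend`. The function names, the one-day certificates and the port are assumptions; it expects `openssl` and `mktemp` on the PATH.

```shell
#!/bin/sh
# Added example: loopback TLS test with throwaway certificates (constructed).

# Create a throwaway CA and a CA-signed server certificate in directory $1.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Loopback Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/server.crt" 2>/dev/null
}

# Start s_server in the background (cert/key from $1, port $2); print its PID.
start_test_server() {
    openssl s_server -cert "$1/server.crt" -key "$1/server.key" \
        -accept "$2" -www </dev/null >/dev/null 2>&1 &
    echo $!
}

# Connect with s_client trusting CA file $1 on port $2 and print the numeric
# "Verify return code" (0 = chain verified). Retries while the server starts.
verify_code() {
    tries=0
    while [ "$tries" -lt 10 ]; do
        code=$(openssl s_client -CAfile "$1" -connect "127.0.0.1:$2" </dev/null 2>&1 |
            sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
        [ -n "$code" ] && { echo "$code"; return 0; }
        tries=$((tries + 1)); sleep 1
    done
    return 1
}

# Succeed if certificate $1 is still valid $2 seconds from now (default: now).
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# Full run: build the PKI, start the server, print the verify code, clean up.
loopback_check() {
    port=${1:-4433}
    dir=$(mktemp -d) || return 2
    make_test_pki "$dir" || { rm -rf "$dir"; return 2; }
    pid=$(start_test_server "$dir" "$port")
    rc=0; verify_code "$dir/ca.pem" "$port" || rc=$?
    kill "$pid" 2>/dev/null || true; rm -rf "$dir"
    return "$rc"
}
```

A non-zero code from `verify_code` means the chain did not verify against the CA file given; running `cert_not_expired` on the server certificate separates an expiry problem from a trust problem.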