Mariadb – How to debug/set up MariaDB SSL connection


[ I originally posted this on ServerFault but then was pointed at this community ]

Since moving from MySQL to a newer MariaDB installation on Debian 9, I am struggling with SSL connections.

I have created a CA certificate and installed it on both server and client. I then created server and client keys and certificates that I signed with the CA certificate.

What works:

I can connect from the client to the server with the mysql client without SSL connections.

I can verify the client certificate with openssl:

$ openssl verify MariaDB_client.crt 

MariaDB_client.crt: OK

I understand that MariaDB uses yaSSL, but this still shows that the certificates and CA are correct, I think.

On the server, I have:

MariaDB> show global variables like '%ssl%';
+---------------------+--------------------------------------+
| Variable_name       | Value                                |
+---------------------+--------------------------------------+
| have_openssl        | NO                                   |
| have_ssl            | YES                                  |
| ssl_ca              | /etc/mysql/conf.d/MariaDB_ca.crt     |
| ssl_capath          |                                      |
| ssl_cert            | /etc/mysql/conf.d/MariaDB_server.crt |
| ssl_cipher          |                                      |
| ssl_crl             |                                      |
| ssl_crlpath         |                                      |
| ssl_key             | /etc/mysql/conf.d/MariaDB_server.key |
| version_ssl_library | YaSSL 2.4.4                          |
+---------------------+--------------------------------------+

What does not work:

If I add a .my.cnf file with the following content to the user's $HOME directory…

[client]
ssl-ca=/--path--/MariaDB_ca.crt
ssl-cert=/--path--/MariaDB_client.crt
ssl-key=/--path--/MariaDB_client.key

…the connection fails with:

ERROR 2026 (HY000): SSL connection error: unable to verify peer checksum

In the server log, I find (not sure whether this is related):

[Warning] IP address 'ip.of.connecting.client' could not be resolved: Name or service not known

My questions:

  • How can I narrow down/debug this connection problem?

  • I found conflicting information about whether I should use the same or different CN for the server and client certificates. Currently, I use the same CN.

  • Are there particular access rights required for the certificates?

Best Answer

A good start is to use the openssl s_client command. You will need a fairly new version of openssl (1.1.0) - see https://serverfault.com/a/931652/317638 for more info.

Then you must remember -starttls mysql:

  openssl s_client -connect YOURHOSTNAME:3306  -CAfile /etc/mysql/cacert.pem  -starttls mysql
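As an added example (not part of the question or the answer above, and not MariaDB project code), the following script builds a throw-away CA plus server and client certificates with openssl, then runs the same checks a practitioner would run before pointing s_client or the mysql client at a server: does each leaf certificate chain to the CA file, what CN does each carry, and is the private key readable only by its owner. The CN values, file names and the choice to give server and client distinct CNs are this example's own assumptions, not something the page states; the live-server command at the end is shown only as a comment because it needs a running MariaDB.

```bash
#!/bin/sh
# Added example: generate a test CA, a server cert and a client cert with
# openssl, then verify the chain, the CNs and the key permissions locally.
# All names below (CNs, file names, directory) are constructed for this example.
set -e

# make_pki DIR: write ca.crt/ca.key, server.crt/server.key, client.crt/client.key
# into DIR. Server and client deliberately get different Common Names.
make_pki() {
  dir="$1"
  mkdir -p "$dir"
  # Self-signed CA (assumed CN, short lifetime because it is throw-away)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=MariaDB-Test-CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  # One CSR per leaf, signed by the CA above
  for pair in "server:db.example.test" "client:mariadb-client"; do
    name="${pair%%:*}"; cn="${pair#*:}"
    openssl req -newkey rsa:2048 -nodes \
      -subj "/CN=$cn" \
      -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/$name.csr" \
      -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
      -out "$dir/$name.crt" >/dev/null 2>&1
    chmod 600 "$dir/$name.key"   # private keys: owner-only
  done
}

# verify_leaf DIR NAME: exit 0 only if DIR/NAME.crt chains to DIR/ca.crt.
# This is the explicit form of the bare "openssl verify" in the question,
# which otherwise falls back to the system trust store.
verify_leaf() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# cn_of CERT: print the Common Name of a certificate.
# Handles both "subject= /CN=x" (OpenSSL 1.0) and "subject=CN = x" (1.1+).
cn_of() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# key_is_private FILE: exit 0 if the mode is 600 or 400 (no group/other bits).
key_is_private() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Against a live server (not run here), the same files go to s_client, which
# then reports the verify result and the server certificate it was shown:
#   openssl s_client -connect db.example.test:3306 -starttls mysql \
#     -CAfile "$dir/ca.crt" -cert "$dir/client.crt" -key "$dir/client.key"
```

Run make_pki on an empty directory, then verify_leaf for "server" and "client"; a non-zero exit from verify_leaf means the certificate does not chain to the CA you think it does, which is worth ruling out before looking at the MariaDB side at all.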