List: Commits
From:paul Date:December 15 2006 9:20pm
Subject:svn commit - mysqldoc@docsrva: r4281 - in trunk: . refman-4.1 refman-5.0 refman-5.1
Author: paul
Date: 2006-12-15 21:20:03 +0100 (Fri, 15 Dec 2006)
New Revision: 4281

Log:
 r17296@polar:  paul | 2006-12-15 14:19:12 -0600
 SSL-related general revisions.
 Add Domas' simplified procedure for generating cert/key files.


Modified:
   trunk/refman-4.1/database-administration.xml
   trunk/refman-5.0/database-administration.xml
   trunk/refman-5.1/database-administration.xml

Property changes on: trunk
___________________________________________________________________
Name: svk:merge
   - 4767c598-dc10-0410-bea0-d01b485662eb:/mysqldoc-local/mysqldoc/trunk:17294
7d8d2c4e-af1d-0410-ab9f-b038ce55645b:/mysqldoc-local/mysqldoc:13690
b5ec3a16-e900-0410-9ad2-d183a3acac99:/mysqldoc-local/mysqldoc/trunk:14218
bf112a9c-6c03-0410-a055-ad865cd57414:/mysqldoc-local/mysqldoc/trunk:13015
   + 4767c598-dc10-0410-bea0-d01b485662eb:/mysqldoc-local/mysqldoc/trunk:17296
7d8d2c4e-af1d-0410-ab9f-b038ce55645b:/mysqldoc-local/mysqldoc:13690
b5ec3a16-e900-0410-9ad2-d183a3acac99:/mysqldoc-local/mysqldoc/trunk:14218
bf112a9c-6c03-0410-a055-ad865cd57414:/mysqldoc-local/mysqldoc/trunk:13015


Modified: trunk/refman-4.1/database-administration.xml
===================================================================
--- trunk/refman-4.1/database-administration.xml	2006-12-15 18:53:02 UTC (rev 4280)
+++ trunk/refman-4.1/database-administration.xml	2006-12-15 20:20:03 UTC (rev 4281)
Changed blocks: 7, Lines Added: 70, Lines Deleted: 18; 6218 bytes

@@ -4734,11 +4734,10 @@
               <xref linkend="too-many-connections"/>, for more
               information.
             </para>
-            
+
             <para>
-              Increasing this value
-              increases the number of file descriptors that
-              <command>mysqld</command> requires. See
+              Increasing this value increases the number of file
+              descriptors that <command>mysqld</command> requires. See
               <xref linkend="table-cache"/>, for comments on file
               descriptor limits.
             </para>

@@ -17958,9 +17957,10 @@
         Beginning with version 4.0.0, MySQL has support for secure
         (encrypted) connections between MySQL clients and the server
         using the Secure Sockets Layer (SSL) protocol. This section
-        discusses how to use SSL connections. For information on
-        requiring users to use SSL connections, see
-        <xref linkend="grant"/>.
+        discusses how to use SSL connections. For information on how to
+        require users to use SSL connections, see the discussion of the
+        <literal>REQUIRE</literal> clause of the
+        <literal>GRANT</literal> statement in <xref linkend="grant"/>.
       </para>
 
       <para>

@@ -18146,6 +18146,11 @@
         </orderedlist>
 
         <para>
+          To enable SSL connections, the proper SSL-related command
+          options must be used (see <xref linkend="ssl-options"/>).
+        </para>
+
+        <para>
           To start the MySQL server so that it allows clients to connect
           via SSL, use the options that identify the key and certificate
           files the server needs when establishing a secure connection:
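Review bot: The added paragraph ("To enable SSL connections, the proper SSL-related command options must be used") does not say which options, and the unchanged paragraph right after it already tells the reader to use the options that identify the key and certificate files. Consider folding the ssl-options cross-reference into that following paragraph instead of adding a separate one, or name the options here so the sentence carries information of its own.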

@@ -18263,14 +18268,15 @@
           The following list describes options that are used for
           specifying the use of SSL, certificate files, and key files.
           These options are available beginning with MySQL 4.0. They can
-          be given on the command line or in an option file.
+          be given on the command line or in an option file. These
+          options are not available unless MySQL has been built with SSL
+          support. See <xref linkend="secure-using-ssl"/>. (There are
+          also <option>--master-ssl*</option> options that can be used
+          for setting up a secure connection from a slave replication
+          server to a master server; see
+          <xref linkend="replication-options"/>.)
         </para>
 
-        <para>
-          These options are not available unless MySQL has been built
-          with SSL support. See <xref linkend="secure-using-ssl"/>.
-        </para>
-
         <itemizedlist>
 
           <listitem>
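Review bot: In the merged paragraph, "These options are available beginning with MySQL 4.0" is now followed one sentence later by "These options are not available unless MySQL has been built with SSL support", which reads as a contradiction on a quick scan. Suggest combining the two ("available beginning with MySQL 4.0 if MySQL has been built with SSL support") and keeping the parenthetical about the --master-ssl* options as its own paragraph, since it points to a different set of options than the list that follows.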

@@ -18312,8 +18318,8 @@
               to create an account on the server that includes a
               <literal>REQUIRE SSL</literal> clause in the
               <literal>GRANT</literal> statement. Then use this account
-              to connect to the server, with both a server and client
-              that have SSL support enabled.
+              to connect to the server, where both the server and the
+              client have SSL support enabled.
             </para>
           </listitem>
 

@@ -18327,7 +18333,8 @@
             </para>
 
             <para>
-              The path to a file with a list of trusted SSL CAs.
+              The path to a file that contains a list of trusted SSL
+              CAs.
             </para>
           </listitem>
 

@@ -18404,12 +18411,57 @@
 
         <title>Setting Up SSL Certificates for MySQL</title>
 
+        <remark role="todo">
+          Also need a pointer here that says: After you have set up the
+          SSL files, you can use them as described in ...
+        </remark>
+
         <para>
-          Here is an example of setting up SSL certificates for MySQL
-          using OpenSSL:
+          This section demonstrates how to set up SSL certificate and
+          key files for use by MySQL servers and clients. The first
+          example shows a simplified procedure such as you might use
+          from the command line. The second shows a script that contains
+          more detail. Both examples use the <command>openssl</command>
+          command that is part of OpenSSL.
         </para>
 
+        <para>
+          The following example shows a set of commands to create MySQL
+          server and client certificate and key files. You will need to
+          respond to several prompts by the <command>openssl</command>
+          commands. For testing, you can press Enter to all prompts. For
+          production use, you should provide non-empty responses.
+        </para>
+
 <programlisting>
+# Create clean environment
+shell&gt; <userinput>rm -rf newcerts</userinput>
+shell&gt; <userinput>mkdir newcerts &amp;&amp; cd
newcerts</userinput>
+
+# Create CA certificate
+shell&gt; <userinput>openssl genrsa 2048 &gt; ca-key.pem</userinput>
+shell&gt; <userinput>openssl req -new -x509 -nodes -days 1000
\</userinput>
+         <userinput>-key ca-key.pem &gt; ca-cert.pem</userinput>
+
+# Create server certificate
+shell&gt; <userinput>openssl req -newkey rsa:2048 -days 1000
\</userinput>
+         <userinput>-nodes -keyout server-key.pem &gt;
server-req.pem</userinput>
+shell&gt; <userinput>openssl x509 -req -in server-req.pem -days 1000
\</userinput>
+         <userinput>-CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 &gt;
server-cert.pem</userinput>
+
+# Create client certificate
+shell&gt; <userinput>openssl req -newkey rsa:2048 -days 1000
\</userinput>
+         <userinput>-nodes -keyout client-key.pem &gt;
client-req.pem</userinput>
+shell&gt; <userinput>openssl x509 -req -in client-req.pem -days 1000
\</userinput>
+         <userinput>-CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 &gt;
client-cert.pem</userinput>
+</programlisting>
+
+        <para>
+          Here is an example script that shows how to set up SSL
+          certificates for MySQL:
+        </para>
+
+<programlisting>
 DIR=`pwd`/openssl
 PRIV=$DIR/private
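Review bot: Both signing commands in the added listing pass -set_serial 01 with the same ca-cert.pem, so server-cert.pem and client-cert.pem end up with the same issuer and the same serial number. Serial numbers are expected to be unique per issuing CA, and anything that identifies a certificate by issuer plus serial (a revocation list, for instance) cannot tell the two apart. Suggest -set_serial 02 for the client certificate.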
 


Modified: trunk/refman-5.0/database-administration.xml
===================================================================
--- trunk/refman-5.0/database-administration.xml	2006-12-15 18:53:02 UTC (rev 4280)
+++ trunk/refman-5.0/database-administration.xml	2006-12-15 20:20:03 UTC (rev 4281)
Changed blocks: 10, Lines Added: 82, Lines Deleted: 24; 8296 bytes

@@ -944,13 +944,13 @@
             </para>
 
             <para>
-              As of MySQL 5.0.25, using <option>--with-debug</option>
-              to configure MySQL with debugging support enables you to
-              use the <option>--debug="d,parser_debug"</option> option
-              when you start the server. This causes the Bison parser
-              that is used to process SQL statements to dump a parser
-              trace to the server's standard error output. Typically,
-              this output is written to the error log.
+              As of MySQL 5.0.25, using <option>--with-debug</option> to
+              configure MySQL with debugging support enables you to use
+              the <option>--debug="d,parser_debug"</option> option when
+              you start the server. This causes the Bison parser that is
+              used to process SQL statements to dump a parser trace to
+              the server's standard error output. Typically, this output
+              is written to the error log.
             </para>
           </listitem>
 

@@ -5172,17 +5172,15 @@
               <xref linkend="too-many-connections"/>, for more
               information.
             </para>
-            
+
             <para>
-              Increasing this value
-              increases the number of file descriptors that
-              <command>mysqld</command> requires. See
+              Increasing this value increases the number of file
+              descriptors that <command>mysqld</command> requires. See
               <xref linkend="table-cache"/>, for comments on file
               descriptor limits.
             </para>
           </listitem>
 
-
           <listitem>
             <para id="optvar_max_delayed_threads">
               <literal>max_delayed_threads</literal>

@@ -21475,8 +21473,9 @@
         clients and the server using the Secure Sockets Layer (SSL)
         protocol. This section discusses how to use SSL connections. It
         also describes a way to set up SSH on Windows. For information
-        on requiring users to use SSL connections, see
-        <xref linkend="grant"/>.
+        on how to require users to use SSL connections, see the
+        discussion of the <literal>REQUIRE</literal> clause of the
+        <literal>GRANT</literal> statement in <xref linkend="grant"/>.
       </para>
 
       <para>

@@ -21659,7 +21658,7 @@
             <para>
               Note that yaSSL support on Unix platforms requires that
               either <filename>/dev/urandom</filename> or
-              <filename>/dev/random</filename> be installed to retrieve
+              <filename>/dev/random</filename> be available to retrieve
               true random numbers. For additional information
               (especially regarding yaSSL on Solaris versions prior to
               2.8 and HP-UX), see Bug #13164.

@@ -21719,6 +21718,11 @@
         </orderedlist>
 
         <para>
+          To enable SSL connections, the proper SSL-related command
+          options must be used (see <xref linkend="ssl-options"/>).
+        </para>
+
+        <para>
           To start the MySQL server so that it allows clients to connect
           via SSL, use the options that identify the key and certificate
           files the server needs when establishing a secure connection:

@@ -21819,7 +21823,14 @@
           program, use the <literal>mysql_ssl_set()</literal> C API
           function to set the appropriate certificate options before
           calling <literal>mysql_real_connect()</literal>. See
-          <xref linkend="mysql-ssl-set"/>.
+          <xref linkend="mysql-ssl-set"/>. After the connection is
+          established, you can use
+          <literal>mysql_get_ssl_cipher()</literal> to determine whether
+          SSL is in use. A non-<literal>NULL</literal> return value
+          indicates a secure connection and names the SSL cipher used
+          for encryption. A <literal>NULL</literal> return value
+          indicates that SSL is not being used. See
+          <xref linkend="mysql-get-ssl-cipher"/>.
         </para>
 
       </section>
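Review bot: The added sentences on mysql_get_ssl_cipher() explain how to detect that SSL is not in use but not what the program should do in that case. Suggest adding that an application that depends on encryption should treat a NULL return value as a failure and close the connection, and pointing to the REQUIRE clause of GRANT (already referenced earlier in this section) as the way to enforce SSL on the server side.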

@@ -21836,11 +21847,12 @@
           The following list describes options that are used for
           specifying the use of SSL, certificate files, and key files.
           They can be given on the command line or in an option file.
-        </para>
-
-        <para>
           These options are not available unless MySQL has been built
           with SSL support. See <xref linkend="secure-using-ssl"/>.
+          (There are also <option>--master-ssl*</option> options that
+          can be used for setting up a secure connection from a slave
+          replication server to a master server; see
+          <xref linkend="replication-options"/>.)
         </para>
 
         <itemizedlist>

@@ -21884,8 +21896,8 @@
               to create an account on the server that includes a
               <literal>REQUIRE SSL</literal> clause in the
               <literal>GRANT</literal> statement. Then use this account
-              to connect to the server, with both a server and client
-              that have SSL support enabled.
+              to connect to the server, where both the server and the
+              client have SSL support enabled.
             </para>
           </listitem>
 

@@ -21899,7 +21911,8 @@
             </para>
 
             <para>
-              The path to a file with a list of trusted SSL CAs.
+              The path to a file that contains a list of trusted SSL
+              CAs.
             </para>
           </listitem>
 

@@ -21996,12 +22009,57 @@
 
         <title>Setting Up SSL Certificates for MySQL</title>
 
+        <remark role="todo">
+          Also need a pointer here that says: After you have set up the
+          SSL files, you can use them as described in ...
+        </remark>
+
         <para>
-          Here is an example of setting up SSL certificates for MySQL
-          using OpenSSL:
+          This section demonstrates how to set up SSL certificate and
+          key files for use by MySQL servers and clients. The first
+          example shows a simplified procedure such as you might use
+          from the command line. The second shows a script that contains
+          more detail. Both examples use the <command>openssl</command>
+          command that is part of OpenSSL.
         </para>
 
+        <para>
+          The following example shows a set of commands to create MySQL
+          server and client certificate and key files. You will need to
+          respond to several prompts by the <command>openssl</command>
+          commands. For testing, you can press Enter to all prompts. For
+          production use, you should provide non-empty responses.
+        </para>
+
 <programlisting>
+# Create clean environment
+shell&gt; <userinput>rm -rf newcerts</userinput>
+shell&gt; <userinput>mkdir newcerts &amp;&amp; cd
newcerts</userinput>
+
+# Create CA certificate
+shell&gt; <userinput>openssl genrsa 2048 &gt; ca-key.pem</userinput>
+shell&gt; <userinput>openssl req -new -x509 -nodes -days 1000
\</userinput>
+         <userinput>-key ca-key.pem &gt; ca-cert.pem</userinput>
+
+# Create server certificate
+shell&gt; <userinput>openssl req -newkey rsa:2048 -days 1000
\</userinput>
+         <userinput>-nodes -keyout server-key.pem &gt;
server-req.pem</userinput>
+shell&gt; <userinput>openssl x509 -req -in server-req.pem -days 1000
\</userinput>
+         <userinput>-CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 &gt;
server-cert.pem</userinput>
+
+# Create client certificate
+shell&gt; <userinput>openssl req -newkey rsa:2048 -days 1000
\</userinput>
+         <userinput>-nodes -keyout client-key.pem &gt;
client-req.pem</userinput>
+shell&gt; <userinput>openssl x509 -req -in client-req.pem -days 1000
\</userinput>
+         <userinput>-CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 &gt;
client-cert.pem</userinput>
+</programlisting>
+
+        <para>
+          Here is an example script that shows how to set up SSL
+          certificates for MySQL:
+        </para>
+
+<programlisting>
 DIR=`pwd`/openssl
 PRIV=$DIR/private
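Review bot: "For testing, you can press Enter to all prompts" in the added paragraph means the CA, server and client certificates are all created with the same default subject fields. A server or client certificate whose subject equals its issuer is indistinguishable by name from a self-signed one, and OpenSSL-based verification can reject it for that reason. Suggest telling the reader to give at least a distinct Common Name for each of the three certificates, even for testing. "Respond to several prompts by the openssl commands" would also read better as "prompts from".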
 


Modified: trunk/refman-5.1/database-administration.xml
===================================================================
--- trunk/refman-5.1/database-administration.xml	2006-12-15 18:53:02 UTC (rev 4280)
+++ trunk/refman-5.1/database-administration.xml	2006-12-15 20:20:03 UTC (rev 4281)
Changed blocks: 9, Lines Added: 74, Lines Deleted: 13; 6938 bytes

@@ -21939,8 +21939,9 @@
         clients and the server using the Secure Sockets Layer (SSL)
         protocol. This section discusses how to use SSL connections. It
         also describes a way to set up SSH on Windows. For information
-        on requiring users to use SSL connections, see
-        <xref linkend="grant"/>.
+        on how to require users to use SSL connections, see the
+        discussion of the <literal>REQUIRE</literal> clause of the
+        <literal>GRANT</literal> statement in <xref linkend="grant"/>.
       </para>
 
       <para>

@@ -22101,7 +22102,8 @@
 </programlisting>
 
             <para>
-              If you want to use OpenSSL instead, specify the
+              That configures the distribution to use the bundled yaSSL
+              library. To use OpenSSL instead, specify the
               <option>--with-ssl</option> option with the path to the
               directory where the OpenSSL header files and libraries are
               located:
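Review bot: "That configures the distribution..." at the start of the changed paragraph relies on the reader connecting "That" to the listing above it. "The preceding example configures the distribution to use the bundled yaSSL library" is clearer, particularly when the paragraph is reached through a link rather than read in sequence.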

@@ -22135,7 +22137,7 @@
             <para>
               Note that yaSSL support on Unix platforms requires that
               either <filename>/dev/urandom</filename> or
-              <filename>/dev/random</filename> be installed to retrieve
+              <filename>/dev/random</filename> be available to retrieve
               true random numbers. For additional information
               (especially regarding yaSSL on Solaris versions prior to
               2.8 and HP-UX), see Bug #13164.

@@ -22195,6 +22197,11 @@
         </orderedlist>
 
         <para>
+          To enable SSL connections, the proper SSL-related command
+          options must be used (see <xref linkend="ssl-options"/>).
+        </para>
+
+        <para>
           To start the MySQL server so that it allows clients to connect
           via SSL, use the options that identify the key and certificate
           files the server needs when establishing a secure connection:

@@ -22295,7 +22302,14 @@
           program, use the <literal>mysql_ssl_set()</literal> C API
           function to set the appropriate certificate options before
           calling <literal>mysql_real_connect()</literal>. See
-          <xref linkend="mysql-ssl-set"/>.
+          <xref linkend="mysql-ssl-set"/>. After the connection is
+          established, you can use
+          <literal>mysql_get_ssl_cipher()</literal> to determine whether
+          SSL is in use. A non-<literal>NULL</literal> return value
+          indicates a secure connection and names the SSL cipher used
+          for encryption. A <literal>NULL</literal> return value
+          indicates that SSL is not being used. See
+          <xref linkend="mysql-get-ssl-cipher"/>.
         </para>
 
       </section>

@@ -22312,11 +22326,12 @@
           The following list describes options that are used for
           specifying the use of SSL, certificate files, and key files.
           They can be given on the command line or in an option file.
-        </para>
-
-        <para>
           These options are not available unless MySQL has been built
           with SSL support. See <xref linkend="secure-using-ssl"/>.
+          (There are also <option>--master-ssl*</option> options that
+          can be used for setting up a secure connection from a slave
+          replication server to a master server; see
+          <xref linkend="replication-options"/>.)
         </para>
 
         <itemizedlist>

@@ -22360,8 +22375,8 @@
               to create an account on the server that includes a
               <literal>REQUIRE SSL</literal> clause in the
               <literal>GRANT</literal> statement. Then use this account
-              to connect to the server, with both a server and client
-              that have SSL support enabled.
+              to connect to the server, where both the server and the
+              client have SSL support enabled.
             </para>
           </listitem>
 

@@ -22375,7 +22390,8 @@
             </para>
 
             <para>
-              The path to a file with a list of trusted SSL CAs.
+              The path to a file that contains a list of trusted SSL
+              CAs.
             </para>
           </listitem>
 

@@ -22472,12 +22488,57 @@
 
         <title>Setting Up SSL Certificates for MySQL</title>
 
+        <remark role="todo">
+          Also need a pointer here that says: After you have set up the
+          SSL files, you can use them as described in ...
+        </remark>
+
         <para>
-          Here is an example of setting up SSL certificates for MySQL
-          using OpenSSL:
+          This section demonstrates how to set up SSL certificate and
+          key files for use by MySQL servers and clients. The first
+          example shows a simplified procedure such as you might use
+          from the command line. The second shows a script that contains
+          more detail. Both examples use the <command>openssl</command>
+          command that is part of OpenSSL.
         </para>
 
+        <para>
+          The following example shows a set of commands to create MySQL
+          server and client certificate and key files. You will need to
+          respond to several prompts by the <command>openssl</command>
+          commands. For testing, you can press Enter to all prompts. For
+          production use, you should provide non-empty responses.
+        </para>
+
 <programlisting>
+# Create clean environment
+shell&gt; <userinput>rm -rf newcerts</userinput>
+shell&gt; <userinput>mkdir newcerts &amp;&amp; cd
newcerts</userinput>
+
+# Create CA certificate
+shell&gt; <userinput>openssl genrsa 2048 &gt; ca-key.pem</userinput>
+shell&gt; <userinput>openssl req -new -x509 -nodes -days 1000
\</userinput>
+         <userinput>-key ca-key.pem &gt; ca-cert.pem</userinput>
+
+# Create server certificate
+shell&gt; <userinput>openssl req -newkey rsa:2048 -days 1000
\</userinput>
+         <userinput>-nodes -keyout server-key.pem &gt;
server-req.pem</userinput>
+shell&gt; <userinput>openssl x509 -req -in server-req.pem -days 1000
\</userinput>
+         <userinput>-CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 &gt;
server-cert.pem</userinput>
+
+# Create client certificate
+shell&gt; <userinput>openssl req -newkey rsa:2048 -days 1000
\</userinput>
+         <userinput>-nodes -keyout client-key.pem &gt;
client-req.pem</userinput>
+shell&gt; <userinput>openssl x509 -req -in client-req.pem -days 1000
\</userinput>
+         <userinput>-CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 &gt;
client-cert.pem</userinput>
+</programlisting>
+
+        <para>
+          Here is an example script that shows how to set up SSL
+          certificates for MySQL:
+        </para>
+
+<programlisting>
 DIR=`pwd`/openssl
 PRIV=$DIR/private
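Review bot: The added listing writes every private key unencrypted: ca-key.pem is created through a shell redirect, so it gets whatever permissions the current umask allows, and the server and client keys are generated with -nodes. Suggest a umask 077 line (or chmod 600 on the *-key.pem files) in the "Create clean environment" step, plus a sentence saying that ca-key.pem should not be copied to the server or client hosts. The remark role="todo" added at the top of the hunk still ends in "..." and should be resolved or tracked before this ships.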
 

