List: General Discussion
From: Clay Loveless
Date: June 19 2002 1:03am
Subject:Re: MySQL 4.0.1 & SSL config - a shot in the dark
A little more information on this problem ...

- Tonu's notes state that there are sample SSL keys & certs for testing
purposes in the "SSL" directory of the mysql tarball. There is no SSL
directory in the mysql-4.0.1-alpha.tar.gz file. Does anyone know which
tarball he may be referring to?


- In Tonu's notes, there is an example my.cnf entry of:

[mysqld]
ssl-ca=SSL/cacert.pem
ssl-cert=SSL/server-cert.pem
ssl-key=SSL/server-key.pem

Further in the notes, there's an example of a command-line switch for
mysqld:

mysqld --ssl-cert=SSL/server-cert.pem --ssl-ca=SSL/cacert.pem
--ssl-key=SSL/server-req.pem


In other words, one example shows "ssl-key" pointing to the "server-key.pem"
file, another example shows "ssl-key" pointing to "server-req.pem".


I'm looking through the files I created by doing these commands (extracted
from Tonu's notes):

From the /usr/local/ssl/apps directory
./CA.sh -newca
./CA.sh -newreq
./CA.sh -sign

As I mentioned previously, those commands leave me with the following
structure:
  newcert.pem
  newreq.pem
  demoCA/
      newcerts/
          01.pem
      private/
          cakey.pem


"newcert.pem" and "demoCA/newcerts/01.pem" are identical.

Tonu's notes indicate that passwords should be removed from the key files
like this:

openssl rsa -inform pem  < server-req.pem > server-key.pem

I'm *assuming* that server-req.pem is the same as "newreq.pem" ... But the
leap in file names isn't documented, and the two contradictory examples of
ssl-key usage (mentioned above) are confusing.


- Is there an estimate for when the documentation on MySQL's SSL
functionality will be completed? I would love to be able to set this up
without having to guess at how it's done. : ) I'm going to start
experimenting with the files I've got to see what works ... I'll report what
I find. Meanwhile, the general idea of "guessing at how to configure the
secure connection" is killing the notion of "security" for me to some
extent.


- Has anyone successfully set this up on their servers? If so, I would be
grateful for your tips!

Thanks,
Clay


> From: Clay Loveless <clay@stripped>
> Date: Tue, 18 Jun 2002 12:00:51 -0700
> To: MySQL <mysql@stripped>
> Subject: Re: MySQL 4.0.1 & SSL config - a shot in the dark
> 
> Hello,
> 
> From the sound of Tonu's original response, he's pretty busy right now ...
> If anyone else has an idea based on experience with SSL & MySQL, or just
> with openssl in general, can offer an opinion on this, I would be grateful.
> 
> I've ordered a book on OpenSSL in an effort to learn more about it for this
> application as well as others, but it hasn't gotten here yet. I would
> appreciate any insight before I get around to just guessing!
> 
> Thanks,
> Clay
> 
> 
> 
>> From: Clay Loveless <clay@stripped>
>> Date: Sat, 15 Jun 2002 21:30:31 -0700
>> To: MySQL <mysql@stripped>
>> Subject: Re: MySQL 4.0.1 & SSL config - a shot in the dark
>> 
>> Tonu,
>> 
>> Thank you, thank you! The formal documentation effort is apparently still
>> underway based on your notes ... The link you included eliminates a lot of
>> guesswork! : )
>> 
>>> This part of MySQL is written by me and I am sure it worked :)
>> 
>> I'm sure it does -- what I meant was that the way I had it configured (my
>> best guess last night) wasn't working. No wonder!
>> 
>>>> 3. EDIT my.cnf ON CLIENT & SERVER
>>>> I added these values to my.cnf:
>>>> 
>>>>     [ssl]
>>>>     key = (LONG public key value - 394 chars - copied from server.crt)
>>>>     cert = ca.crt
>>>>     ca = (Organization Name answer from the Q & A session while doing the
>>>> first ca.key generation)
>>>>     capath = /usr/local/etc/mysqlssl
>>> 
>>> 
>>> nono, a lot of errors here. I am pretty sleepy and can do smaller mistakes
>>> right now but mistakes I see:
>>> 
>>> section [ssl] is wrong. MySQL server uses [mysqld] section, command line
>>> - client [client] but nobody read [ssl] section! Everything should be
>>> added under those common sections
>>> - values "key" and "ca" are wrong. Should be ssl-key, ssl-ca and so on...
>> 
>> 
>> Makes sense. I went through the procedures with CA.sh logged in your notes,
>> and was left with these files in my working directory:
>> 
>>   newcert.pem
>>   newreq.pem
>>   demoCA/
>>       newcerts/
>>           01.pem
>>       private/
>>           cakey.pem
>> 
>> Can you tell me which of those files translates into the files you used in
>> your configuration?
>> 
>> [mysqld]
>> ssl-ca=SSL/cacert.pem
>> ssl-cert=SSL/server-cert.pem
>> ssl-key=SSL/server-key.pem
>>  
>> [mysql]
>> ssl-ca=SSL/cacert.pem
>> ssl-cert=SSL/client-cert.pem
>> ssl-key=SSL/client-key.pem
>>    
>> [mysqldump]
>> ssl-ca=SSL/cacert.pem
>> ssl-cert=SSL/client-cert.pem
>> ssl-key=SSL/client-key.pem
>> 
>> 
>> Your notes don't include the steps where you renamed the output .pem files
>> to the filenames used in your example my.cnf entries.
>> 
>> 
>> 
>>>> Page 390 of the new Managing & Using MySQL (O'Reilly) book provided some
>>>> clues for doing this ... In reference to C functions, it says:
>>>> 
>>>>     'key' contains an SSL public key
>>>>     'cert' contains the filename of a certificate
>>>>     'ca' contains the name of the certificate authority
>>>>     'capath' contains the directory containing the certificate
>>> 
>>> Hmm this is not the first time when O'Reilly publishes bad and
>>> misguiding book about MySQL. I personally suggest to avoid them. Paul
>>> DuBois one is good example.
>> 
>> Could be that I was just making the wrong assumption. I've read a good chunk
>> of the rest of that O'Reilly book today, and it was all pretty good. The
>> section I quoted wasn't specifically documenting the SSL functionality, but
>> just listing a C function for reading SSL-related values from the .cnf file.
>> So, it was probably just the author's shorthand for that function, and I
>> leapt to the wrong conclusion.
>> 
>> 
>>> There is a file in MySQL source tree I wrote about using SSL connections
>>> with MySQL:
>>> 
>>> http://www.mysqldeveloper.com/4.x-bk_tree/SSL/NOTES
>>> 
>>> I hope they work for you. There are some pregenerated example
>>> key/certificate files included. You may try with them first to ensure that
>>> your command-line stuff works first.
>>> 
>> 
>> Thanks again for posting this link! This really helps a lot. I would be
>> happy to write all this up for use as a FAQ answer on mysqldeveloper.com, as
>> I'm sure this has (or will) come up often.
>> 
>> Regards,
>> Clay
>> 
>> 
>> ---------------------------------------------------------------------
>> Before posting, please check:
>>  http://www.mysql.com/manual.php   (the manual)
>>  http://lists.mysql.com/           (the list archive)
>> 
>> To request this thread, e-mail <mysql-thread112093@stripped>
>> To unsubscribe, e-mail
>> <mysql-unsubscribe-clay=killersoft.com@stripped>
>> Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
>> 
> 
> 
> 
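
Added example, not part of the original message or of Tonu's notes: `openssl rsa` reads a private key from its input, so the notes' server-req.pem has to hold a key next to the request, and listing the PEM blocks in each file shows which one belongs on which ssl-* line. The function names are hypothetical and the sample files are constructed dummies, not real keys.

```shell
#!/bin/sh
# Added example: report which PEM blocks a file holds, to decide which
# ssl-* option it can serve. Only BEGIN lines and the Proc-Type header
# are read; no key material is parsed.

# One label per PEM block, e.g. "RSA PRIVATE KEY" or "CERTIFICATE REQUEST".
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# True if the file holds a passphrase-protected private key.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Comma-separated verdicts: ssl-key, encrypted-key, csr, certificate, unknown.
pem_roles() {
    out=""
    while IFS= read -r label; do
        [ -n "$label" ] || continue
        case "$label" in
            CERTIFICATE)            r="certificate" ;;  # ssl-cert or ssl-ca
            *"CERTIFICATE REQUEST") r="csr" ;;          # fits no ssl-* option
            *"PRIVATE KEY")
                if key_is_encrypted "$1"; then r="encrypted-key"
                else r="ssl-key"; fi ;;
            *)                      r="unknown" ;;
        esac
        out="${out:+$out,}$r"
    done <<EOF
$(pem_labels "$1")
EOF
    echo "${out:-no-pem-blocks}"
}

# Constructed sample files; the base64 body "QUJD" is a dummy.
blk() {
    printf '%s\n' "-----BEGIN $1-----"
    [ -z "$2" ] || printf '%s\n\n' "$2"
    printf '%s\n%s\n' "QUJD" "-----END $1-----"
}
demo=$(mktemp -d)
{ blk "RSA PRIVATE KEY" "Proc-Type: 4,ENCRYPTED"
  blk "CERTIFICATE REQUEST" ""; } > "$demo/newreq.pem"
blk "RSA PRIVATE KEY" "" > "$demo/server-key.pem"
blk "CERTIFICATE" ""     > "$demo/newcert.pem"

for f in newreq.pem server-key.pem newcert.pem; do
    printf '%-15s %s\n' "$f" "$(pem_roles "$demo/$f")"
done
```

A file reported as "certificate" can be either the server certificate or the CA certificate; the label alone does not distinguish them.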
