I wish that was the answer (ego being less important
than sanity). I've put a tcpdump box in the middle
and tcp sessions are going out to the mysql server on
3307 (the creative port I chose for stunnel to use for
mysql) but the session hangs for about a minute after
I send the password. Here are the details:
From the MySQL server box.
================================
FreeBSD master02.com 4.7-RELEASE FreeBSD 4.7-RELEASE #0: Tue Nov 19 15:24:12 PST 2002 twigles@stripped:/usr/obj/usr/src/sys/FW i386
master02# more /etc/hosts
127.0.0.1 master02.com localhost
192.168.1.6 master02.com master02
192.168.1.6 master02.com.
master02#
master02# cat /usr/local/etc/stunnel/stunnel.conf
# Sample stunnel configuration file
# Copyright by Michal Trojnara 2002
# Comment it out on Win32
cert = /usr/local/etc/stunnel/mail.pem
chroot = /var/tmp/stunnel
# PID is created inside chroot jail
pid = /stunnel.pid
setuid = stunnel
setgid = stunnel
# Authentication stuff
#verify = 2
# don't forget about c_rehash CApath
# it is located inside chroot jail:
#CApath = /certs
# or simply use CAfile instead:
#CAfile = /usr/local/etc/stunnel/certs.pem
# Some debugging stuff
debug = 7
#output = stunnel.log
# Use it for client mode
#client = yes
foreground = yes
# Service-level configuration
[3307]
accept = 192.168.1.6:3307
#connect = 127.0.0.1:3306
connect = master02.com:3306
#connect = 192.168.1.6:3306
#connect = localhost:3306
master02# more /etc/my.cnf
<snip comments>
# The following options will be passed to all MySQL clients
[client]
#password =
port = 3306
socket = /tmp/mysql.sock
# Here follows entries for some specific programs
# The MySQL server
[mysqld]
port = 3306
socket = /tmp/mysql.sock
skip-locking
set-variable = key_buffer=256M
set-variable = max_allowed_packet=1M
set-variable = table_cache=256
set-variable = sort_buffer=1M
set-variable = record_buffer=1M
set-variable = myisam_sort_buffer_size=64M
set-variable = thread_cache=8
# Try number of CPU's*2 for thread_concurrency
set-variable = thread_concurrency=8
log-bin
server-id = 1
# Uncomment the following if you are using BDB tables
#set-variable = bdb_cache_size=64M
#set-variable = bdb_max_lock=100000
# Uncomment the following if you are using InnoDB tables
#innodb_data_home_dir = /var/db/mysql/
#innodb_data_file_path = ibdata1:10M:autoextend
#innodb_log_group_home_dir = /var/db/mysql/
#innodb_log_arch_dir = /var/db/mysql/
# You can set .._buffer_pool_size up to 50 - 80 %
# of RAM but beware of setting memory usage too high
#set-variable = innodb_buffer_pool_size=256M
#set-variable = innodb_additional_mem_pool_size=20M
# Set .._log_file_size to 25 % of buffer pool size
#set-variable = innodb_log_file_size=64M
#set-variable = innodb_log_buffer_size=8M
#innodb_flush_log_at_trx_commit=1
#set-variable = innodb_lock_wait_timeout=50
# Point the following paths to different dedicated disks
#tmpdir = /tmp/
#log-update = /path-to-dedicated-directory/hostname
[mysqldump]
quick
set-variable = max_allowed_packet=16M
[mysql]
no-auto-rehash
# Remove the next comment character if you are not familiar with SQL
#safe-updates
[isamchk]
set-variable = key_buffer=128M
set-variable = sort_buffer=128M
set-variable = read_buffer=2M
set-variable = write_buffer=2M
[myisamchk]
set-variable = key_buffer=128M
set-variable = sort_buffer=128M
set-variable = read_buffer=2M
set-variable = write_buffer=2M
[mysqlhotcopy]
interactive-timeout
This is the debug output for stunnel, which is where I
see the TCP connection hang waiting for a socket from
Mysql.
master02# sh stunnel.sh start
2002.11.25 13:45:02 LOG5[346:134594560]: stunnel 4.00 on i386-portbld-freebsd4.7 PTHREAD+LIBWRAP with OpenSSL 0.9.6g 9 Aug 2002
2002.11.25 13:45:02 LOG7[346:134594560]: RAND_status claims sufficient entropy for the PRNG
2002.11.25 13:45:02 LOG6[346:134594560]: PRNG seeded successfully
2002.11.25 13:45:02 LOG7[346:134594560]: Certificate: /usr/local/etc/stunnel/mail.pem
2002.11.25 13:45:02 LOG7[346:134594560]: Key file: /usr/local/etc/stunnel/mail.pem
2002.11.25 13:45:02 LOG5[346:134594560]: FD_SETSIZE=1024, file ulimit=1792 -> 500 clients allowed
2002.11.25 13:45:02 LOG7[346:134594560]: FD 5 in non-blocking mode
2002.11.25 13:45:02 LOG7[346:134594560]: SO_REUSEADDR option set on accept socket
2002.11.25 13:45:02 LOG7[346:134594560]: 3307 bound to 192.168.1.6:3307
2002.11.25 13:45:02 LOG7[346:134594560]: Created pid file /stunnel.pid
2002.11.25 13:45:21 LOG7[346:134594560]: 3307 accepted FD=6 from 192.168.1.4:1058
2002.11.25 13:45:21 LOG7[346:134594560]: FD 6 in non-blocking mode
2002.11.25 13:45:21 LOG7[346:134596608]: 3307 started
2002.11.25 13:45:21 LOG5[346:134596608]: 3307 connected from 192.168.1.4:1058
2002.11.25 13:45:21 LOG7[346:134596608]: FD 7 in non-blocking mode
2002.11.25 13:45:21 LOG7[346:134596608]: 3307 connecting 127.0.0.1:3306
2002.11.25 13:45:21 LOG7[346:134596608]: Remote FD=7 initialized
2002.11.25 13:45:21 LOG7[346:134596608]: SSL state (accept): before/accept initialization
2002.11.25 13:45:21 LOG7[346:134596608]: waitforsocket: FD=6, DIR=read
2002.11.25 13:45:33 LOG7[346:134596608]: waitforsocket: ok
2002.11.25 13:45:33 LOG3[346:134596608]: SSL_accept: Peer suddenly disconnected
2002.11.25 13:45:33 LOG7[346:134596608]: 3307 finished (0 left)
================================
From the MySQL client box
================================
same OS/version
sensor01# more /etc/hosts
127.0.0.1 localhost.com localhost
192.168.1.4 sensor01.com sensor01
192.168.1.4 sensor01.com.
sensor01# mysql -h 127.0.0.1 -u snortman -p
Enter password:
ERROR 2013: Lost connection to MySQL server during query
sensor01# cat /usr/local/etc/stunnel/stunnel.conf
# Sample stunnel configuration file
# Copyright by Michal Trojnara 2002
# Comment it out on Win32
cert = /usr/local/etc/stunnel/mail.pem
chroot = /var/tmp/stunnel
# PID is created inside chroot jail
pid = /stunnel.pid
setuid = stunnel
setgid = stunnel
# Authentication stuff
#verify = 2
# don't forget about c_rehash CApath
# it is located inside chroot jail:
#CApath = /certs
# or simply use CAfile instead:
#CAfile = /usr/local/etc/stunnel/certs.pem
# Some debugging stuff
debug = 7
#output = stunnel.log
# Use it for client mode
#client = yes
foreground = yes
# Service-level configuration
[3306]
accept = 127.0.0.1:3306
connect = 192.168.1.6:3307
Debug output from the client side of the same
connection as above. This indicates that stunnel is
building a proper session.
sensor01# sh stunnel.sh start
2002.11.25 13:48:53 LOG5[344:134594560]: stunnel 4.00 on i386-portbld-freebsd4.7 PTHREAD+LIBWRAP with OpenSSL 0.9.6g 9 Aug 2002
2002.11.25 13:48:53 LOG7[344:134594560]: RAND_status claims sufficient entropy for the PRNG
2002.11.25 13:48:53 LOG6[344:134594560]: PRNG seeded successfully
2002.11.25 13:48:53 LOG7[344:134594560]: Certificate: /usr/local/etc/stunnel/mail.pem
2002.11.25 13:48:53 LOG7[344:134594560]: Key file: /usr/local/etc/stunnel/mail.pem
2002.11.25 13:48:53 LOG5[344:134594560]: FD_SETSIZE=1024, file ulimit=3636 -> 500 clients allowed
2002.11.25 13:48:53 LOG7[344:134594560]: FD 5 in non-blocking mode
2002.11.25 13:48:53 LOG7[344:134594560]: SO_REUSEADDR option set on accept socket
2002.11.25 13:48:53 LOG7[344:134594560]: 3306 bound to 127.0.0.1:3306
2002.11.25 13:48:53 LOG7[344:134594560]: Created pid file /stunnel.pid
2002.11.25 13:49:02 LOG7[344:134594560]: 3306 accepted FD=6 from 127.0.0.1:1057
2002.11.25 13:49:02 LOG7[344:134594560]: FD 6 in non-blocking mode
2002.11.25 13:49:02 LOG7[344:134596608]: 3306 started
2002.11.25 13:49:02 LOG5[344:134596608]: 3306 connected from 127.0.0.1:1057
2002.11.25 13:49:02 LOG7[344:134596608]: FD 7 in non-blocking mode
2002.11.25 13:49:02 LOG7[344:134596608]: 3306 connecting 192.168.1.6:3307
2002.11.25 13:49:02 LOG7[344:134596608]: remote connect #1: EINPROGRESS: retrying
2002.11.25 13:49:02 LOG7[344:134596608]: waitforsocket: FD=7, DIR=write
2002.11.25 13:49:02 LOG7[344:134596608]: waitforsocket: ok
2002.11.25 13:49:02 LOG7[344:134596608]: Remote FD=7 initialized
2002.11.25 13:49:02 LOG7[344:134596608]: SSL state (accept): before/accept initialization
2002.11.25 13:49:02 LOG7[344:134596608]: waitforsocket: FD=6, DIR=read
2002.11.25 13:49:13 LOG7[344:134596608]: waitforsocket: ok
2002.11.25 13:49:13 LOG3[344:134596608]: SSL_accept: Peer suddenly disconnected
2002.11.25 13:49:13 LOG7[344:134596608]: 3306 finished (0 left)
================================
Everything I have read on mysql says it can be forced
to use a port, but I'm not connecting locally, it just
appears that way to the server; I can't send
arguments.
--- Dan Nelson <dnelson@stripped> wrote:
> In the last episode (Nov 25), twig les said:
> > Hey all, I'm having a painful time trying to get stunnel and mysql to
> > play together. My mysql works fine locally and remotely until I add
> > stunnel. After chasing my tail for a week (and drinking a lot on the
> > weekend) I realized that Mysql is trying to open a socket on the
> > server machine instead of using the TCP port like stunnel needs it
> > to. Is there a way to force Mysql to use the TCP port and not the
> > socket?
>
> Try -h 127.0.0.1, or -h <hostname>. Don't use -h localhost, because
> that means "use the socket".
>
> --
> Dan Nelson
> dnelson@stripped
=====
-----------------------------------------------------------
If you give a man a fish, he can eat for a day
If you bludgeon him to death, you can eat the fish yourself
-----------------------------------------------------------
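Added example for readers of this thread (it is not part of the original message, nor stunnel's or MySQL's own code): a small Python checker that reads an stunnel 4 style stunnel.conf and debug=7 log lines like the ones above. Both configs in the message have `#client = yes` commented out, and both logs record `SSL state (accept)`, so each stunnel runs SSL_accept toward its own local peer and neither side ever opens the TLS handshake; the checker flags a service that accepts on loopback and connects to a remote host without `client = yes`, and reports which TLS role a log shows. The config and log excerpts embedded below are copied from this message (hostnames and addresses are the message's); the corrected client config with `client = yes` is the only constructed input.

```python
import re

# Client-side stunnel.conf from the thread, abbreviated to the lines that matter.
CLIENT_CONF = """\
cert = /usr/local/etc/stunnel/mail.pem
debug = 7
#client = yes
foreground = yes
[3306]
accept = 127.0.0.1:3306
connect = 192.168.1.6:3307
"""

# Constructed: the same client config with client mode actually enabled.
FIXED_CLIENT_CONF = CLIENT_CONF.replace("#client = yes", "client = yes")

# Server-side stunnel.conf from the thread. Note that its /etc/hosts lists
# 127.0.0.1 for master02.com first, which is why the server log says
# "connecting 127.0.0.1:3306" rather than 192.168.1.6.
SERVER_CONF = """\
cert = /usr/local/etc/stunnel/mail.pem
debug = 7
#client = yes
foreground = yes
[3307]
accept = 192.168.1.6:3307
connect = master02.com:3306
"""

# Three debug=7 lines from the client box's log in the thread.
CLIENT_LOG = """\
2002.11.25 13:49:02 LOG7[344:134596608]: 3306 connecting 192.168.1.6:3307
2002.11.25 13:49:02 LOG7[344:134596608]: SSL state (accept): before/accept initialization
2002.11.25 13:49:13 LOG3[344:134596608]: SSL_accept: Peer suddenly disconnected
"""


def parse_stunnel_conf(text):
    """Return (global_options, {service_name: options}) for an stunnel 4 config.

    Comment lines are skipped, so a commented-out "#client = yes" leaves
    "client" unset, exactly as stunnel itself would read it.
    """
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = section.group(1)
            services[current] = {}
            continue
        key, _, value = line.partition("=")
        target = global_opts if current is None else services[current]
        target[key.strip()] = value.strip()
    return global_opts, services


def _is_loopback(hostport):
    """True for 127.x.x.x or 'localhost', with or without a :port suffix."""
    host = hostport.rsplit(":", 1)[0] if ":" in hostport else hostport
    return host == "localhost" or host.startswith("127.")


def check_client_mode(text):
    """Flag services shaped like a client-side tunnel (accept on loopback,
    connect to a remote host) when neither the service nor the global
    section sets client = yes. Such a service will call SSL_accept on the
    plaintext side and wait for a ClientHello that never arrives."""
    global_opts, services = parse_stunnel_conf(text)
    findings = []
    for name, opts in services.items():
        client = opts.get("client", global_opts.get("client", "no")).lower() == "yes"
        accept, connect = opts.get("accept", ""), opts.get("connect", "")
        if not client and _is_loopback(accept) and connect and not _is_loopback(connect):
            findings.append(
                f"[{name}] accepts on {accept} and connects to {connect} "
                "but 'client = yes' is not set: this end runs SSL_accept, "
                "so no TLS handshake is ever started toward the remote side"
            )
    return findings


SSL_STATE = re.compile(r"SSL state \((accept|connect)\):")


def ssl_roles_from_log(text):
    """Set of TLS roles ('accept' and/or 'connect') an stunnel debug log reports.
    A working tunnel shows 'connect' on the client box and 'accept' on the server box."""
    return set(SSL_STATE.findall(text))


if __name__ == "__main__":
    for label, conf in (("client", CLIENT_CONF), ("server", SERVER_CONF),
                        ("fixed client", FIXED_CLIENT_CONF)):
        print(label, check_client_mode(conf) or "ok")
    print("client log TLS roles:", ssl_roles_from_log(CLIENT_LOG))
```

Run on the two configs from the thread, the server config passes (it accepts on a non-loopback address, which is the server-side shape) while the client config is flagged; the same file with `client = yes` uncommented is not, and a log from the client box should then show `SSL state (connect)` instead of `(accept)`.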