List: General Discussion
From: Tompkins Neil   Date: October 8 2009 11:03am
Subject: Re: ssl questions
Hi

I wondered how you are getting on with installing SSL for mysql 5.1 server.
We are looking to install it too.  Do you have any pointers/recommendations?

Regards
Neil

On Tue, Sep 8, 2009 at 11:36 PM, qt4x11 <qt4x11@stripped> wrote:

> I'm trying to set up my mysql 5.1 server to work over ssl, I'm following the
> directions at http://dev.mysql.com/doc/refman/5.0/en/secure-connections.html.
> I've confirmed that my server supports ssl
>
> mysql> SHOW VARIABLES LIKE 'have_ssl';
> +---------------+-------+
> | Variable_name | Value |
> +---------------+-------+
> | have_ssl      | YES   |
> +---------------+-------+
>
> set up certs according to
> http://dev.mysql.com/doc/refman/5.0/en/secure-create-certs.html
>
> bash-3.2# ls -l newcerts/
> total 20
> -rwxrwxrwx 1 root root 1761 Sep  8 14:01 ca-cert.pem
> -rwxrwxrwx 1 root root 1675 Sep  8 14:00 ca-key.pem
> -rwxrwxrwx 1 root root 1371 Sep  8 14:02 server-cert.pem
> -rwxrwxrwx 1 root root 1675 Sep  8 14:01 server-key.pem
> -rwxrwxrwx 1 root root 1094 Sep  8 14:01 server-req.pem
>
> and that mysql is started with the appropriate --ssl-xxx options (I set 777
> permissions on the newcerts directory to ensure that permissions wouldn't be
> a problem during testing but was planning on tightening permissions once I
> got ssl working)
>
> bash-3.2# ps aux | grep mysql
> root     13326  0.0  0.2  63848  1332 pts/0    S    15:25   0:00 /bin/sh
> /usr/bin/mysqld_safe --datadir=/var/lib/mysql
> --pid-file=/var/lib/mysql/mysql.example.com.pid
> --ssl-ca=/var/lib/mysql/newcerts/ca-cert.pem
> --ssl-cert=/var/lib/mysql/newcerts/server-cert.pem
> --ssl-key=/var/lib/mysql/newcerts/server-key.pem
> mysql    13399  0.1  3.4 138488 17676 pts/0    Sl   15:25   0:00
> /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql --user=mysql
> --ssl-ca=/var/lib/mysql/newcerts/ca-cert.pem
> --ssl-cert=/var/lib/mysql/newcerts/server-cert.pem
> --ssl-key=/var/lib/mysql/newcerts/server-key.pem
> --log-error=/var/lib/mysql/mysql.example.com.err
> --pid-file=/var/lib/mysql/mysql.example.com.pid
> root     13430  0.0  0.1  61164   768 pts/0    R+   15:25   0:00 grep mysql
>
> I'm also following documentation here (http://www.stunnel.org/examples/mysql.html)
> to set up mysql with ssl support over stunnel.  My stunnel.conf looks like
>
> cert = /etc/stunnel/stunnel.pem
> pid = /tmp/stunnel.pid
> debug = 7
> output = stunnel.log
> [mysqls]
> accept  = 3307
> connect = 3306
>
> I've confirmed that my server is listening on 3307
>
> [user@stripped ~]$ netstat -anF  | grep 3306
> tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN
> [user@stripped ~]$ netstat -anF  | grep 3307
> tcp        0      0 0.0.0.0:3307                0.0.0.0:*                   LISTEN
>
> and that I can connect successfully over 3306
>
> mysql -u user -p -h mysql.example.com -P 3306
>
> but when I try to connect over port 3307,
>
> mysql -u user -p -h mysql.example.com -P 3307
>
> it fails to connect (my graphical client gives an error message that reads
> 'connection reset').
>
> I'm not sure what's wrong.  My mysql user was created without any specific
> SSL requirements, so I'm thinking I should be able to connect over either
> port without specifying any --ssl-xxx options on the client side.  I'd like
> the user to be able to connect either way.  I tried looking at the mysql
> error log but it didn't provide any useful information - is there a way to
> increase the log level to get at the source of the problem?  Any tips would
> be appreciated.
>
> Thanks.
>

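The quoted message checks SSL support with SHOW VARIABLES LIKE 'have_ssl' and then fronts port 3306 with stunnel (accept = 3307, connect = 3306). Two facts about these listeners help when a client is accepted on one port and reset on the other: a native mysqld port sends its HandshakeV10 greeting, with the CLIENT_SSL capability bit set when SSL is enabled, before the client says anything, while an stunnel accept port terminates TLS and waits for the client to open a TLS handshake first. The Python below is an added example, not code from this thread, from MySQL or from stunnel: it parses the greeting packet for the CLIENT_SSL bit and probes a port, without sending anything, to tell the two listener types apart. The serve_once fixtures, the connection id and the server version string are constructed so it runs offline; probe_port works against a real host and port in the same way.

```python
import socket
import struct
import threading

# Capability bits from the MySQL client/server protocol: CLIENT_SSL is set in the
# server's HandshakeV10 greeting when it accepts TLS (what have_ssl=YES enables).
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800

def build_handshake_v10(server_version, capabilities):
    """Constructed fixture: a minimal HandshakeV10 greeting packet, laid out as a
    real mysqld sends it unprompted right after the TCP connection is accepted."""
    payload = (
        b"\x0a"                                 # protocol version 10
        + server_version.encode() + b"\x00"     # server version, NUL-terminated
        + struct.pack("<I", 42)                 # connection id (constructed value)
        + b"12345678"                           # auth-plugin-data part 1 (8 bytes)
        + b"\x00"                               # filler
        + struct.pack("<H", capabilities & 0xFFFF)
        + b"\x08"                               # character set (latin1)
        + struct.pack("<H", 0x0002)             # status flags (autocommit)
        + struct.pack("<H", capabilities >> 16)
        + b"\x00" * 11                          # auth data length (0) + 10 reserved
        + b"abcdefghijkl\x00"                   # auth-plugin-data part 2
    )
    return struct.pack("<I", len(payload))[:3] + b"\x00" + payload  # 3-byte length, seq 0

def parse_handshake_v10(packet):
    """Return server version, full capability mask and whether CLIENT_SSL is set."""
    if len(packet) < 5:
        raise ValueError("too short for a MySQL packet")
    payload_len = packet[0] | (packet[1] << 8) | (packet[2] << 16)
    payload = packet[4:4 + payload_len]
    if len(payload) != payload_len or payload[0] != 10:
        raise ValueError("not a HandshakeV10 packet")
    nul = payload.index(b"\x00", 1)
    server_version = payload[1:nul].decode("ascii", "replace")
    pos = nul + 1 + 4 + 8 + 1                 # skip connection id, auth data, filler
    capabilities = struct.unpack_from("<H", payload, pos)[0]
    pos += 2 + 1 + 2                          # skip lower caps, charset, status flags
    if pos + 2 <= len(payload):
        capabilities |= struct.unpack_from("<H", payload, pos)[0] << 16
    return {"server_version": server_version, "capabilities": capabilities,
            "ssl": bool(capabilities & CLIENT_SSL)}

def probe_port(host, port, timeout=1.0):
    """Classify a listener from a plain TCP connect, without sending anything:
    'mysql'  - peer sent a HandshakeV10 greeting first (a native mysqld port)
    'silent' - nothing arrived before the timeout: a TLS terminator such as an
               stunnel 'accept' port waits for the client's ClientHello instead
    'closed' - peer closed or reset the connection without sending data"""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(4096)
        except socket.timeout:
            return {"kind": "silent"}
        except ConnectionResetError:
            return {"kind": "closed"}
    if not data:
        return {"kind": "closed"}
    try:
        info = parse_handshake_v10(data)
    except ValueError:
        return {"kind": "unknown", "first_bytes": data[:8].hex()}
    info["kind"] = "mysql"
    return info

def serve_once(banner):
    """Local stand-in for the two listener types (fixture, not a real server):
    sends `banner` at once like mysqld, or with banner=None waits for the client
    to speak first, as a TLS listener expecting a ClientHello does."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(5)
            if banner is not None:
                conn.sendall(banner)
            else:
                try:
                    conn.recv(1024)       # returns only when the client gives up
                except socket.timeout:
                    pass
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port

if __name__ == "__main__":
    greeting = build_handshake_v10("5.1.41", CLIENT_PROTOCOL_41 | CLIENT_SSL)
    print(probe_port("127.0.0.1", serve_once(greeting)))  # kind=mysql, ssl=True
    print(probe_port("127.0.0.1", serve_once(None)))      # kind=silent
```

Run against a real server, a 'mysql' result with ssl=True on 3306 confirms the server itself advertises TLS, and a 'silent' result on the stunnel port shows that listener is waiting for a TLS handshake rather than speaking the MySQL protocol; the probe never sends a byte, so it is safe to point at a production port.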
Thread
ssl questions (qt4x11, 9 Sep)
  • Re: ssl questions (Tompkins Neil, 8 Oct)
    • Re: ssl questions (muhammad subair, 11 Oct)
      • Re: ssl questions (Neil Tompkins, 12 Oct)