List: MySQL++
From: Edward Diener
Date: December 21 2008 3:10am
Subject: Re: SSL connection error
Warren Young wrote:
> On Dec 19, 2008, at 8:05 PM, Edward Diener wrote:
> 
>> a well known cipher which I will call 'MYCIPHER' ( to protect the name 
>> of the actual cipher being used
> 
> I see maybe four TLS cipher suites in OpenSSL that I'd trust for this.  
> So, you're protecting the value of 2 or 3 bits of the overall key.  This 
> is what we call security through obscurity. :)  Your real security had 
> better be elsewhere.

It is a commercial application and I am not allowed to reveal even 
inadvertently on this list any particular details about it.

> 
>> mysqlpp::Option * opt(new 
>> mysqlpp::SslOption("ck.pem","cc.pem","ca.pem","c:/mycertificates","MYCIPHER")); 
>> // Line 4
>> conn -> set_option(opt); // Line 5
> 
> There's no need to store the pointer to the option object separately.  
> Once you create the object and pass it to set_option(), your code has no 
> more responsibility for it.  You wouldn't want to be tempted to delete 
> it later, as that would cause a double-delete.  Call set_option() like 
> so to make this clear:
> 
>     conn->set_option(new mysqlpp::SslOption(...));
> 

Point taken.

>> Does anyone see anything wrong with my use of SslOption, or in my code 
>> otherwise?
> 
> No, but as you should have gathered from your lack of responses, few are 
> apparently using this feature of MySQL, and so even fewer are using it 
> with MySQL++.  You're not exactly pioneering here, but you are out on 
> the frontier, following poorly-marked trails.

Thanks! At least you see nothing wrong with my use of SslOption and 
code in general.

I feel almost as if MySQL is not the database to use with SSL if no one 
is actually doing it or getting it to work. Yet the MySQL manual makes a 
large effort to explain in 5.5.7 that it does support SSL. So I am kind 
of baffled that no one seems to know how it actually should work and how 
one determines why it is not working if it does not. I do not mean that 
you should know how it works, since although you have done yeoman work 
on the C++ programming side, you can not be expected to know the 
internals of the MySQL server, but no one else seems to know anything 
about MySQL with SSL from my posts on other MySQL lists and on the 
online forum.

I would have hoped that a more specific error message might come back to 
the client from the server when an SSL connection fails which might 
pinpoint the cause of the failure and more easily allow one to fix the 
problem. I can only hope for other programmers using MySQL that this 
will happen on the server side in the future so that it will be easier 
to discover why an SSL connection is failing.

> 
>> Does anyone know of any way I can determine why the SSL connection is 
>> failing?
> 
> Step back and try something else.  I'd try the instructions here:
> 
>     http://dev.mysql.com/doc/refman/5.1/en/secure-create-certs.html
> 
> ...including the steps at the end where they test the encryption using 
> the mysql(1) command line program.   I'd do this both on your Windows 
> box, and on a Linux box, just to eliminate the possibility that there 
> are other platform differences at work here.  I'd also try bouncing the 
> connection off of both Windows and Linux based MySQL servers.

The MySQL server is on a Linux box but I am testing on a Windows client. I 
can not test against a MySQL server with SSL support on a Windows box 
because, as you may have seen from some of my other posts, I have never 
been able to discover how to build MySQL server with SSL from source on 
Windows. I know I can build MySQL server on Windows from the source but 
do not have the patience, with no documentation about it, to determine 
how to configure the build to support SSL.

So I can try both the Windows MySQL client I am on as well as possibly a 
Linux MySQL client against the MySQL server on the Linux box.

I agree with you that I should test using the mysql command line to see 
if I can get that working first with my certificates, and will do so.

> 
> If you don't have a Linux box, it's easy enough to set one up in a VM on 
> your development work station.  If you aren't using virtualization yet, 
> I'd recommend getting VMWare Server, which is now free.  Install a copy 
> of Ubuntu Server 8.04 LTS into it; one of the options during setup will 
> be to install MySQL, including setting the root password.  No other 
> Linux I've used makes setting up MySQL this easy.

I have a multi-boot computer so I can boot into a number of Linux 
installations and try out the MySQL command line client from there. I am a 
bit leery of virtualization software.

First I will try it from the Windows client.

> 
> Having done all that, you'll have a matrix of things that work with 
> mysql(1) and things that don't.  You can't expect your MySQL++ program 
> to do more, since the scope of functionality is limited by the common 
> element, the MySQL C API library.
> 
> When/if you get this working, I'd appreciate a writeup sent to the list, 
> which I can turn into a chapter for the user manual.  Nothing fancy, 
> just the facts, man. :)

OK, officer Friday. <g>

Thanks again for your help!
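As an added example, not part of this thread or of MySQL++, here is the mysql(1) check from the manual page linked above turned into a script: it connects with the certificate files named in the original post (ck.pem, cc.pem, ca.pem, assumed to be client key, client certificate and CA) and inspects SHOW STATUS LIKE 'Ssl_cipher', whose empty value is the silent "connected but not encrypted" case; the host and user are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): confirm with mysql(1) that a session
# really negotiated SSL, using the SHOW STATUS LIKE 'Ssl_cipher' check from
# the MySQL manual. Host, user and the certificate directory are placeholders.
HOST="${HOST:-db.example.invalid}"
DBUSER="${DBUSER:-appuser}"
CERTDIR="${CERTDIR:-.}"

# Parse the batch (-B -N) output of SHOW STATUS LIKE 'Ssl_cipher'.
# mysql prints one data row as "Ssl_cipher<TAB><value>"; -N only drops the
# column-name header row, so the variable name is still the first column.
ssl_cipher_from_status() {
    printf '%s\n' "$1" | awk -F'\t' '$1 == "Ssl_cipher" { print $2 }'
}

# Returns 0 when the parsed output proves the session is encrypted, 1 otherwise.
# An empty Ssl_cipher means the server accepted the connection without SSL,
# which is exactly the failure that produces no helpful client-side error.
session_is_encrypted() {
    cipher=$(ssl_cipher_from_status "$1")
    [ -n "$cipher" ]
}

# Run the probe against a real server; certificate file names follow the post.
# Exit status: 0 encrypted, 1 connected in clear, 2 connection failed outright.
probe_server() {
    out=$(mysql -h "$HOST" -u "$DBUSER" -p -B -N \
          --ssl-ca="$CERTDIR/ca.pem" --ssl-cert="$CERTDIR/cc.pem" \
          --ssl-key="$CERTDIR/ck.pem" \
          -e "SHOW STATUS LIKE 'Ssl_cipher'") || return 2
    if session_is_encrypted "$out"; then
        echo "SSL negotiated: $(ssl_cipher_from_status "$out")"
    else
        echo "connected WITHOUT SSL (Ssl_cipher is empty); check cert/key/CA paths" >&2
        return 1
    fi
}
```

Running probe_server against the Linux server from both the Windows and Linux clients gives the same "works / does not work" matrix the reply above suggests building, independent of MySQL++.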