List: General Discussion
From: Andy Shellam  Date: March 29 2009 6:13pm
Subject: Re: Need a Brief Overview - SSL Connections
Hi Seth,

I implemented SSL successfully just a couple of weeks ago on 5.1.30, and 
I too found some aspects confusing.  Here are my answers from my own 
experience, so please forgive me if they're inaccurate.

1) On the server side, I believe ssl-ca, ssl-cert and ssl-key are all 
required to establish the server's identity.  On the client side, I 
believe a user can still log in without encryption/SSL unless REQUIRE SSL 
is set on their account.  From what I can tell, a client can also log in 
using SSL with just ssl-ca (the server's certification authority 
certificate.)  To verify that the client is who they say they are, 
you set REQUIRE X509 on their account, and the client has to connect 
using ssl-ca, ssl-cert and ssl-key with a valid certificate and private key.

2) I also don't understand all concepts of SSL - I'm used to just 
providing a certificate request to a trusted partner (e.g. Verisign) and 
for them to send me back my certificate.  However I presume that the 
trusted CA certificates (e.g. Verisign, Thawte etc) are present on all 
browsers/e-mail clients and that's why we don't need to worry about it 
for these types of applications.  I believe that MySQL is allowing you 
to effectively issue your own certificates, and as such the client needs 
the CA certificate to verify the server's issuing authority (yourself.)  
The first step the MySQL manual takes you through is creating a private 
key and a certificate which will become your CA certificate (and is the 
file needed for ssl-ca/ssl-capath.)  This is a different private key and 
certificate to both the server's and the client's (unless your 
server/client is the same box, then they can share the same 
certificate/key but will be different from the CA cert/key.)

3) I followed the instructions in the manual to the letter and I had no 
issues whatsoever.  In my client (Navicat) I do get an "SSL connection 
error - invalid parameter" if one of the certificates is missing, but 
that may be coming from Navicat, not the MySQL library.  It'll be 
interesting to see what happens in some situations, for example, what 
happens when the client certificate or the CA certificate expires?  
Interestingly, I can also still connect using SSL when the CA certificate 
is invalid (i.e. non-existent, or a private key file instead of a 
certificate file.)

Hope this helps some!  I do agree it wasn't the clearest of things to 
get my head around.


Seth Willits wrote:
> Howdy,
>
> I've read through all of the MySQL docs on SSL and I just need a brief 
> overview of a few things to understand some things that aren't crystal 
> clear to me since I'm not very familiar with SSL.
>
> 1) Which SSL options are *required*?
> It seems that only ssl-key is _always_ required for the client to 
> connect to the server. If REQUIRE X509 is set, then ssl-cert is 
> required as well in order to authenticate who the actual client is, 
> right?
>
> 2) The options I don't understand are ssl-ca/ssl-capath. Why would the 
> client specify a certificate authority? Is this the authority (or 
> authorities) that's used to authenticate the server's certificate? Is 
> there a platform default for this value? I'm not used to having to 
> specify a list of authorities for other programs to validate 
> certificates (such as with email).
>
> 3) How do I know if the server/client authentication (validating the 
> certificate against given authorities) failed? Do I just get a vague 
> "SSL connection error" back from MySQL and that's it?
>
> I think that's mostly it.
>
> Thanks,
> -- 
> Seth Willits
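The CA/server/client relationship described in points 1 and 2 above, and the expiry question raised in point 3, as an added example that is not part of this thread and is not MySQL's own code: a POSIX shell script that uses the openssl command line tool to build the three key/certificate pairs (CA, server, client) and then runs the check that the file handed to ssl-ca exists for, namely whether a peer's certificate chains to that CA and is still within its validity period. The directory, file names and CN values are made up for illustration, and the mapping to ssl-ca/ssl-cert/ssl-key in the comments is an assumption about how the files would be used; the script shows what the CA check is, not whether a particular MySQL client version enforces it.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Builds a private CA,
# a server certificate and a client certificate signed by it, then shows what
# the CA file (ssl-ca) decides when a peer verifies a certificate. Requires
# the openssl command line tool. All names and paths below are made up.
set -e

# Scratch directory for the generated files (assumed writable).
WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME: self-signed CA key + certificate. This pair is separate from
# the server's and the client's; the certificate is what ssl-ca points at.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$1" \
    -keyout "$WORK/$1-key.pem" -out "$WORK/$1-cert.pem" >/dev/null 2>&1
}

# issue_cert CA NAME CN: key + certificate for a server or client, signed by
# CA. The server would use NAME-cert.pem/NAME-key.pem as ssl-cert/ssl-key;
# a client under REQUIRE X509 would do the same with its own pair.
issue_cert() {
  ca="$1"; name="$2"; cn="$3"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$WORK/$name-key.pem" -out "$WORK/$name.csr" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$WORK/$name.csr" \
    -CA "$WORK/$ca-cert.pem" -CAkey "$WORK/$ca-key.pem" -CAcreateserial \
    -out "$WORK/$name-cert.pem" >/dev/null 2>&1
}

# verify_against_ca CA NAME: prints "ok" if NAME's certificate chains to CA
# and is within its validity period, "fail" otherwise. This is the check a
# verifying peer performs with the ssl-ca file.
verify_against_ca() {
  if openssl verify -CAfile "$WORK/$1-cert.pem" "$WORK/$2-cert.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# cert_expired NAME: prints "yes" if NAME's certificate has already expired,
# "no" otherwise. Worth monitoring for CA and client certificates so an
# expiry is noticed before the peer starts rejecting the certificate.
cert_expired() {
  if openssl x509 -checkend 0 -noout -in "$WORK/$1-cert.pem" >/dev/null 2>&1; then
    echo no
  else
    echo yes
  fi
}

# demo: run the whole flow and print the outcomes.
demo() {
  make_ca my-ca        # the CA behind ssl-ca
  make_ca other-ca     # an unrelated CA, to show a failing check
  issue_cert my-ca server db.example.test
  issue_cert my-ca client app-user
  echo "server cert vs my-ca:    $(verify_against_ca my-ca server)"     # ok
  echo "client cert vs my-ca:    $(verify_against_ca my-ca client)"     # ok
  echo "server cert vs other-ca: $(verify_against_ca other-ca server)"  # fail
  echo "my-ca expired:           $(cert_expired my-ca)"                 # no
}

# Corresponding MySQL account settings from the reply (point 1):
#   REQUIRE SSL   -> connection must be encrypted; no client certificate needed
#   REQUIRE X509  -> client must also present a certificate that passes the
#                    check above against the server's ssl-ca
demo
```

The third line of the demo output is the point of ssl-ca: a certificate that is perfectly valid but signed by some other CA fails the check, which is why a self-issued setup has to ship its own CA certificate to every client instead of relying on the CA bundle a browser or mail client carries.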